Bug 567665 - SELinux is preventing /usr/libexec/nm-dhcp-client.action "getsched" access .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:aa30c7ee682...
Depends On:
Blocks:
Reported: 2010-02-23 15:36 UTC by Michal Schmidt
Modified: 2010-06-03 17:15 UTC (History)

Fixed In Version: selinux-policy-3.6.32-92.fc12
Clone Of:
Environment:
Last Closed: 2010-03-08 11:16:42 UTC
Type: ---
Embargoed:


Attachments
Output of requested commands. (4.25 KB, text/plain)
2010-02-25 23:36 UTC, Ray Evans

Description Michal Schmidt 2010-02-23 15:36:23 UTC
Summary:

SELinux is preventing /usr/libexec/nm-dhcp-client.action "getsched" access .

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by nm-dhcp-client.. It is not expected that this
access is required by nm-dhcp-client. and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:system_r:dhcpc_t:s0
Target Objects                None [ process ]
Source                        nm-dhcp-client.
Source Path                   /usr/libexec/nm-dhcp-client.action
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.8.0-0.4.git20100211.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.9-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux leela 2.6.33-0.52.rc8.git6.fc13.x86_64 #1
                              SMP Tue Feb 23 04:52:05 UTC 2010 x86_64 x86_64
Alert Count                   99
First Seen                    Mon 22 Feb 2010, 14:29:02 CET
Last Seen                     Tue 23 Feb 2010, 16:06:35 CET
Local ID                      805e6459-1d27-4911-aeb1-219f5d27aca1
Line Numbers                  

Raw Audit Messages            

node=leela type=AVC msg=audit(1266937595.993:15): avc:  denied  { getsched } for  pid=1861 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process

node=leela type=SYSCALL msg=audit(1266937595.993:15): arch=c000003e syscall=143 success=yes exit=0 a0=745 a1=7f8739d2bd38 a2=7fff3bc96bd0 a3=7fff3bc96aa0 items=0 ppid=1859 pid=1861 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Hash String generated from  catchall,nm-dhcp-client.,dhcpc_t,dhcpc_t,process,getsched
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t self:process getsched;

Comment 1 Daniel Walsh 2010-02-23 16:27:59 UTC
Fixed in selinux-policy-3.7.10-2.fc13.noarch

Comment 2 Fedora Update System 2010-02-23 16:29:37 UTC
selinux-policy-3.7.10-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/F13/FEDORA-2010-2622

Comment 3 Fedora Update System 2010-02-23 20:58:18 UTC
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12

Comment 4 Fedora Update System 2010-02-23 21:07:33 UTC
selinux-policy-3.7.10-3.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/F13/FEDORA-2010-2622

Comment 5 Fedora Update System 2010-02-24 08:04:58 UTC
selinux-policy-3.7.10-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Ray Evans 2010-02-25 10:21:17 UTC
Daniel, I can repro this one with selinux-policy-3.7.10-3.fc13.noarch. If selinux is in enforcing targeted, this precludes eth0, eth1 and so on from connecting to my LAN. I have to setenforce 0 to get online.

Comment 7 Daniel Walsh 2010-02-25 13:44:34 UTC
Ray, are you sure you are getting the same AVC?

ausearch -m avc -ts recent

rpm -q selinux-policy
selinux-policy-3.7.10-3.fc13.noarch

sesearch -A -s dhcpc_t -p getsched
Found 1 semantic av rules:
   allow dhcpc_t dhcpc_t : process { fork sigchld sigkill sigstop signull signal ptrace getsched getcap setcap setfscreate } ;

Comment 8 Michal Schmidt 2010-02-25 22:41:47 UTC
selinux-policy-3.7.10-4.fc13.noarch

time->Thu Feb 25 23:30:10 2010
type=SYSCALL msg=audit(1267137010.324:18011): arch=c000003e syscall=143 success=yes exit=0 a0=831 a1=7f98ee681d38 a2=7ffffbd03fe0 a3=1 items=0 ppid=1 pid=2097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
type=AVC msg=audit(1267137010.324:18011): avc:  denied  { getsched } for  pid=2097 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=process
----
time->Thu Feb 25 23:31:26 2010
type=SYSCALL msg=audit(1267137086.910:5): arch=c000003e syscall=143 success=yes exit=0 a0=505 a1=7f1048ca2d38 a2=7fff8d8e5a70 a3=1 items=0 ppid=1283 pid=1285 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modem-manager" exe="/usr/sbin/modem-manager" subj=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267137086.910:5): avc:  denied  { getsched } for  pid=1285 comm="modem-manager" scontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Feb 25 23:32:22 2010
type=SYSCALL msg=audit(1267137142.824:14): arch=c000003e syscall=143 success=yes exit=0 a0=727 a1=7fa073c6dd38 a2=7fffe415a2e0 a3=7fffe415a1e0 items=0 ppid=1824 pid=1831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1267137142.824:14): avc:  denied  { getsched } for  pid=1831 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process

Comment 9 Michal Schmidt 2010-02-25 22:43:54 UTC
'sesearch -A -s dhcpc_t -p getsched' does not find anything here.

Comment 10 Ray Evans 2010-02-25 23:36:53 UTC
Created attachment 396431 [details]
Output of requested commands.

Comment 11 Ray Evans 2010-02-25 23:47:17 UTC
Installed 3.7.10-4. Now the leaked to /tmp/randomness reappears, but at least my network (LAN-Ethernet) works again.

rpm -qa selinux*
selinux-policy-3.7.10-4.fc13.noarch
selinux-policy-targeted-3.7.10-4.fc13.noarch
[root@THOR jag]# ausearch -m avc -ts recent
----
time->Thu Feb 25 15:41:17 2010
type=SYSCALL msg=audit(1267141277.554:39): arch=c000003e syscall=59 success=yes exit=0 a0=178fb50 a1=178a550 a2=1789e30 a3=b8 items=0 ppid=2016 pid=2018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267141277.554:39): avc:  denied  { append } for  pid=2018 comm="semodule" path="/tmp/tmpbeObVW" dev=sdb2 ino=9037 scontext=unconfined_u:system_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
----
time->Thu Feb 25 15:41:20 2010
type=SYSCALL msg=audit(1267141280.389:41): arch=c000003e syscall=59 success=yes exit=0 a0=f54720 a1=f53e70 a2=f571e0 a3=8 items=0 ppid=2027 pid=2050 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1267141280.389:41): avc:  denied  { read append } for  pid=2050 comm="restorecon" path="/tmp/tmpbeObVW" dev=sdb2 ino=9037 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

Comment 12 Fedora Update System 2010-02-26 03:45:10 UTC
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953

Comment 13 Ray Evans 2010-02-26 08:46:33 UTC
Fedora Update System seems to have temporarily lost its way. This is an F13 bug and it's suggesting an F12 update.

Comment 14 Miroslav Grepl 2010-02-26 09:24:09 UTC
Oops, my fault. I put this bug number in the bug list while I was creating a new update for F12.

Comment 15 Daniel Walsh 2010-02-26 15:56:34 UTC
The rpm_tmp_t append fix will be 

	Fixed in selinux-policy-3.7.10-5.fc13.noarch

Comment 16 Fedora Update System 2010-03-04 00:13:48 UTC
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Michal Schmidt 2010-03-07 07:48:08 UTC
I still get this denial regularly.

type=SYSCALL msg=audit(1267946601.582:19489): arch=c000003e syscall=143 success=yes exit=0 a0=777 a1=7fd0817b1d38 a2=7ffff5ed3c90 a3=7ffff5ed3b90 items=0 ppid=1909 pid=1911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-dhcp-client." exe="/usr/libexec/nm-dhcp-client.action" subj=system_u:system_r:dhcpc_t:s0 key=(null)

type=AVC msg=audit(1267946601.582:19489): avc:  denied  { getsched } for  pid=1911 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process

$ rpm -q NetworkManager ModemManager selinux-policy
NetworkManager-0.8.0-0.4.git20100211.fc13.x86_64
selinux-policy-3.7.11-1.fc13.noarch

Comment 18 Daniel Walsh 2010-03-07 13:49:19 UTC
# audit2allow -i /tmp/t 


#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy

allow dhcpc_t self:process getsched;


Are you sure something did not go wrong on update?

# yum reinstall selinux-policy-targeted

Then execute

# sesearch -A -s dhcpc_t -p getsched
Found 1 semantic av rules:
   allow dhcpc_t dhcpc_t : process { fork sigchld sigkill sigstop signull signal ptrace getsched getcap setcap setfscreate } ;

Comment 19 Michal Schmidt 2010-03-08 11:16:42 UTC
Dan,
you're right. Something did go wrong during the update:

libsepol.print_missing_requirements: icecream's global requirements were not met: type/attribute etcfile (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

After I removed the icecream package and then manually removed all traces of its SELinux parts (port definitions and a policy module), I was able to reinstall selinux-policy-targeted without errors and now sesearch is able to find the getsched rule.

Closing this bug again, because the upgrade bug was a fault of the icecream package (which I maintain).
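The check that Comments 7, 18 and 19 walk through, as an added example that is not code from this bug report or from the selinux-policy package: rebuild the rule audit2allow would propose from a raw AVC record, then confirm that rule against sesearch-style output, so that a denial whose rule is already in the shipped policy points at a broken policy load rather than at a missing rule. The sample AVC and sesearch output are copied from this thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: rebuild the rule that audit2allow
# proposes from a raw AVC record, then check that rule against sesearch-style
# output. That is the check Comments 7, 18 and 19 walk through: the rule is in
# the shipped policy, and a failed policy load is what made it missing locally.

# Value of KEY= in an audit record, surrounding quotes stripped.
field() {  # field RECORD KEY
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Type component of a context such as system_u:system_r:dhcpc_t:s0-s0:c0.c1023
ctx_type() { t=${1#*:*:}; printf '%s\n' "${t%%:*}"; }

# Permissions listed inside "denied { ... }" of an AVC record.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p'; }

# The rule audit2allow would write for one AVC record (returns 1 if not an AVC line).
avc_to_rule() {
  perms=$(avc_perms "$1"); [ -n "$perms" ] || return 1
  src=$(ctx_type "$(field "$1" scontext)")
  tgt=$(ctx_type "$(field "$1" tcontext)")
  tclass=$(field "$1" tclass)
  [ "$src" = "$tgt" ] && tgt=self       # audit2allow writes "self" for same-type rules
  case $perms in *' '*) perms="{ $perms }" ;; esac
  printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$tclass" "$perms"
}

# 0 if every permission of the AVC appears in a matching "sesearch -A" rule, else 1.
avc_allowed_by() {  # avc_allowed_by RECORD SESEARCH_OUTPUT
  src=$(ctx_type "$(field "$1" scontext)")
  tgt=$(ctx_type "$(field "$1" tcontext)")
  tclass=$(field "$1" tclass)
  rules=$(printf '%s\n' "$2" | grep -E "^ *allow $src $tgt : $tclass ") || return 1
  for p in $(avc_perms "$1"); do
    case " $rules " in *" $p "*) ;; *) return 1 ;; esac
  done
}

# Sample data copied from this thread: the AVC from the report and the sesearch
# output from Comment 7. An empty sesearch result is what Comment 9 saw.
AVC_GETSCHED='type=AVC msg=audit(1266937595.993:15): avc:  denied  { getsched } for  pid=1861 comm="nm-dhcp-client." scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=process'
SESEARCH_OK='Found 1 semantic av rules:
   allow dhcpc_t dhcpc_t : process { fork sigchld sigkill sigstop signull signal ptrace getsched getcap setcap setfscreate } ;'

avc_to_rule "$AVC_GETSCHED"                        # allow dhcpc_t self:process getsched;
if avc_allowed_by "$AVC_GETSCHED" "$SESEARCH_OK"; then echo "rule present: policy intact"; fi
if ! avc_allowed_by "$AVC_GETSCHED" ""; then echo "rule missing: reinstall selinux-policy-targeted"; fi
```

On a live system the second argument would come from `sesearch -A -s dhcpc_t -t dhcpc_t -c process`, exactly the query Comment 18 asks for.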

