Bug 571274 - SELinux is preventing /usr/libexec/nm-openconnect-service "create" access .
Summary: SELinux is preventing /usr/libexec/nm-openconnect-service "create" access .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:bd3ebe626cf...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-07 23:33 UTC by Arnold Wang
Modified: 2010-03-30 02:10 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 02:10:47 UTC
Type: ---


Attachments (Terms of Use)

Description Arnold Wang 2010-03-07 23:33:08 UTC
Summary:

SELinux is preventing /usr/libexec/nm-openconnect-service "create" access .

Detailed Description:

SELinux denied access requested by nm-openconnect-. It is not expected that this
access is required by nm-openconnect- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ tun_socket ]
Source                        nm-openconnect-
Source Path                   /usr/libexec/nm-openconnect-service
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-
                              openconnect-0.7.996-4.git20090921.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-67.fc12.x86_64 #1
                              SMP Sat Feb 27 09:26:40 UTC 2010 x86_64 x86_64
Alert Count                   360
First Seen                    Sun 07 Mar 2010 03:31:07 PM PST
Last Seen                     Sun 07 Mar 2010 03:31:26 PM PST
Local ID                      fffa430e-ad72-49ac-91cb-4e2ad7da5570
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268004686.580:27574): avc:  denied  { create } for  pid=2308 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket

node=(removed) type=SYSCALL msg=audit(1268004686.580:27574): arch=c000003e syscall=16 success=no exit=-13 a0=3 a1=400454ca a2=7ffff952b1d0 a3=7ffff952af30 items=0 ppid=1490 pid=2308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  catchall,nm-openconnect-,NetworkManager_t,NetworkManager_t,tun_socket,create
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket create;

Comment 1 Daniel Walsh 2010-03-09 14:40:36 UTC
allow NetworkManager_t self:tun_socket create_socket_perms;

Comment 2 Miroslav Grepl 2010-03-09 14:47:45 UTC
Fixed in selinux-policy-3.6.32-100.fc12

Comment 3 Arnold Wang 2010-03-13 15:52:23 UTC
When selinux-policy-3.6.32-100.fc12 will be available? I just checked now and only 3.6.32-99.fc12 available from update. Can I manually download it somewhere?
Thanks.
BTW, audit2allow generate the following, just fyi.
-bash-4.0# audit2allow -alr

require {
	type vpnc_t;
	type NetworkManager_t;
	class tun_socket { relabelfrom relabelto create };
}

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket create;

#============= vpnc_t ==============
allow vpnc_t NetworkManager_t:tun_socket relabelfrom;
allow vpnc_t self:tun_socket relabelto;

Comment 4 Miroslav Grepl 2010-03-15 08:24:28 UTC
I am going to push out a new update today. You can download selinux-policy packages from koji.

http://koji.fedoraproject.org/koji/buildinfo?buildID=161507

Comment 5 Fedora Update System 2010-03-15 22:17:44 UTC
selinux-policy-3.6.32-103.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 6 Arnold Wang 2010-03-16 16:10:58 UTC
I installed selinux-policy-3.6.32-103.fc12 from koji and it fixed the openvonnect problem. 
Thanks.

Comment 7 Daniel Walsh 2010-03-16 18:34:17 UTC
Please update the karma by adding a comment at the link above.

Comment 8 Fedora Update System 2010-03-16 23:23:56 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-103.fc12

Comment 9 Denis Auroux 2010-03-19 05:28:51 UTC
This doesn't fix the problem, as pointed out in comment #3 there's also some additional permissions needed -- after upgrading to 3.6.32-103.fc12 there's still at least a relabelfrom permission missing.


Summary:

SELinux is preventing /usr/libexec/nm-openconnect-service "relabelfrom" access .

Detailed Description:

SELinux denied access requested by nm-openconnect-. It is not expected that this
access is required by nm-openconnect- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                None [ tun_socket ]
Source                        nm-openconnect-
Source Path                   /usr/libexec/nm-openconnect-service
Port                          <Unknown>
Host                          auroux-X200T.mxk.edu
Source RPM Packages           NetworkManager-
                              openconnect-0.7.996-4.git20090921.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     auroux-X200T.mxk.edu
Platform                      Linux auroux-X200T.mxk.edu
                              2.6.32.9-70.fc12.i686.PAE #1 SMP Wed Mar 3
                              04:57:21 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Thu 18 Mar 2010 09:29:35 PM PDT
Last Seen                     Thu 18 Mar 2010 10:25:29 PM PDT
Local ID                      5d7c0450-9055-42ed-84d2-0f884aed5e49
Line Numbers                  

Raw Audit Messages            

node=auroux-X200T.mxk.edu type=AVC msg=audit(1268976329.5:41): avc:  denied  { relabelfrom } for  pid=2418 comm="nm-openconnect-" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket

node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1268976329.5:41): arch=40000003 syscall=54 success=no exit=-13 a0=4 a1=400454ca a2=bff928ec a3=bff928ec items=0 ppid=1371 pid=2418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Comment 10 Daniel Walsh 2010-03-19 13:55:22 UTC
I wonder if /usr/libexec/nm-openconnect-service should be labeled vpnc_exec_t.


In policy we added

allow vpnc_t NetworkManager_t:tun_socket relabelfrom;

Now your system is complaining about

allow NetworkManager_t NetworkManager_t:tun_socket relabelfrom;

If you chcon -t vpnc_exec_t /usr/libexec/nm-openconnect-service, does the AVC go away?

Comment 11 Arnold Wang 2010-03-19 15:47:17 UTC
Just a fyi that "selinux-policy-targeted-3.6.32-103.fc12.noarch" did fix my problem, without changing the label for nm-openconnect-service.
[awang@arnoldw-lt Desktop]$ ls -lZ /usr/libexec/nm-openconnect-service
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/libexec/nm-openconnect-service
[awang@arnoldw-lt Desktop]$ getenforce
Enforcing
[awang@arnoldw-lt Desktop]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-103.fc12.noarch

Comment 12 Denis Auroux 2010-03-19 18:35:11 UTC
The relabel doesn't seem to help in my case: then I get new issues, see below.
(Maybe my case is different from Arnold's in that I'm trying to connect to an openconnect VPN with several authentication groups. Or maybe I'm just plain doing something wrong. Don't mind me if it works for everyone else.)


SELinux is preventing /sbin/modprobe "read" access on /etc/modprobe.d.

node=auroux-X200T.mxk.edu type=AVC msg=audit(1269022168.786:149): avc: denied { read } for pid=7693 comm="modprobe" name="modprobe.d" dev=sda5 ino=555974 scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1269022168.786:149): arch=40000003 syscall=5 success=no exit=-13 a0=8059f72 a1=0 a2=1b6 a3=805b429 items=0 ppid=7692 pid=7693 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="modprobe" exe="/sbin/modprobe" subj=unconfined_u:system_r:vpnc_t:s0 key=(null) 


#============= vpnc_t ==============
allow vpnc_t modules_conf_t:dir read;


and:

SELinux is preventing /usr/libexec/nm-openconnect-service "relabelfrom" access

node=auroux-X200T.mxk.edu type=AVC msg=audit(1269022168.790:151): avc: denied { relabelfrom } for pid=7692 comm="nm-openconnect-" scontext=unconfined_u:system_r:vpnc_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=tun_socket node=auroux-X200T.mxk.edu type=SYSCALL msg=audit(1269022168.790:151): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=400454ca a2=bf9ae19c a3=3 items=0 ppid=2877 pid=7692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="nm-openconnect-" exe="/usr/libexec/nm-openconnect-service" subj=unconfined_u:system_r:vpnc_t:s0 key=(null) 

#============= vpnc_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.

allow vpnc_t NetworkManager_t:tun_socket relabelfrom;

(+ same for relabelto)


Denis

Comment 13 Fedora Update System 2010-03-20 03:29:54 UTC
selinux-policy-3.6.32-103.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Daniel Walsh 2010-03-22 15:42:55 UTC
Denis, the vpnc executing modprobe is going to be a problem.  Do you know what it is doing?

Comment 15 Denis Auroux 2010-03-22 16:51:55 UTC
I'm pretty sure it's not vpnc but rather nm-openconnect-service that's executing modprobe (since the error only happens after relabelling nm-openconnect-service to type vpnc_exec_t). In fact:

[root@auroux-X200T]/usr/libexec# strings nm-openconnect-service |grep modprobe
/sbin/modprobe tun

I've fixed things on my system by returning nm-openconnect-service to its default labelling and making a local sepolicy module. (Half of which is probably not necessary, but I ran out of patience and needed my VPN access to just work).

Denis


module local 1.0;

require {
        type vpnc_t;
	type NetworkManager_t;
	class tun_socket { relabelfrom relabelto };
}

#============= NetworkManager_t ==============
allow NetworkManager_t self:tun_socket relabelto;
allow NetworkManager_t self:tun_socket relabelfrom;
allow NetworkManager_t vpnc_t:tun_socket relabelto;
allow NetworkManager_t vpnc_t:tun_socket relabelfrom;

Comment 16 Daniel Walsh 2010-03-22 18:26:43 UTC
Ok, 

Miroslav can you add relabelfrom to NetworkManager_t

allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom };

And don't change the labels.

Comment 17 Miroslav Grepl 2010-03-23 12:05:20 UTC
Fixed in selinux-policy-3.6.32-106.fc12

Comment 18 Fedora Update System 2010-03-23 18:02:21 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 19 Fedora Update System 2010-03-24 23:29:32 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 20 Fedora Update System 2010-03-30 02:09:05 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.