Bug 586284 - SELinux is preventing /usr/sbin/NetworkManager "unlink" access on hosts.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e25d52565b3...
Reported: 2010-04-27 04:49 EDT by Davide Rossetti
Modified: 2010-12-07 13:02 EST (History)
CC: 19 users
Doc Type: Bug Fix
Last Closed: 2010-04-27 05:54:33 EDT

Attachments
/var/log/audit/audit.log (uploaded to another PC via FTP) (16.02 KB, text/x-log), 2010-10-03 12:57 EDT, v.plessky

Description Davide Rossetti 2010-04-27 04:49:33 EDT
Summary:

SELinux is preventing /usr/sbin/NetworkManager "unlink" access on hosts.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                hosts [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.8.0-6.git20100408.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux geppetto.ape 2.6.32.11-99.fc12.x86_64 #1 SMP
                              Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 27 Apr 2010 10:44:25 AM CEST
Last Seen                     Tue 27 Apr 2010 10:44:25 AM CEST
Local ID                      9f8a9b4d-efdb-4179-898c-f9f89b50e67f
Line Numbers                  

Raw Audit Messages            

node=geppetto.ape type=AVC msg=audit(1272357865.901:8): avc:  denied  { unlink } for  pid=1634 comm="NetworkManager" name="hosts" dev=dm-0 ino=628 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=geppetto.ape type=SYSCALL msg=audit(1272357865.901:8): arch=c000003e syscall=82 success=yes exit=0 a0=1fb1300 a1=47dd2b a2=1fae8d0 a3=7fffa2cf94c0 items=0 ppid=1 pid=1634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
Hash String generated from  catchall,NetworkManager,NetworkManager_t,etc_t,file,unlink
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t etc_t:file unlink;
Comment 1 Miroslav Grepl 2010-04-27 05:54:33 EDT
Somehow "/etc/hosts" got the wrong label on it. Execute:

restorecon -v /etc/hosts

Should fix. Please reopen if this happens again.
Comment 2 v.plessky 2010-10-02 19:14:58 EDT
This bug should be re-opened.

I just loaded Fedora 14 Beta - and Ethernet connection doesn't work (disabled).
I tried to re-enable it in NetworkManager - and received message similar to above.
Connection (wired) remains disabled.
Comment 3 v.plessky 2010-10-02 19:21:56 EDT
execution of
#restorecon -v /etc/hosts
doesn't bring Ethernet (wired) connection alive.


[liveuser@localhost ~]$ ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:720 (720.0 b)  TX bytes:720 (720.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:13:D3:84:FE:9D  
          inet addr:192.168.1.51  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::213:d3ff:fe84:fe9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2455 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1920 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2706074 (2.5 MiB)  TX bytes:239273 (233.6 KiB)

[liveuser@localhost ~]$ lspci
00:00.0 Host bridge: ATI Technologies Inc RS480 Host Bridge (rev 10)
00:01.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:06.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:07.0 PCI bridge: ATI Technologies Inc RS480 PCI Bridge
00:12.0 IDE interface: ATI Technologies Inc IXP SB400 Serial ATA Controller (rev 80)
00:13.0 USB Controller: ATI Technologies Inc IXP SB400 USB Host Controller (rev 80)
00:13.1 USB Controller: ATI Technologies Inc IXP SB400 USB Host Controller (rev 80)
00:13.2 USB Controller: ATI Technologies Inc IXP SB400 USB2 Host Controller (rev 80)
00:14.0 SMBus: ATI Technologies Inc IXP SB400 SMBus Controller (rev 83)
00:14.1 IDE interface: ATI Technologies Inc IXP SB400 IDE Controller (rev 80)
00:14.2 Audio device: ATI Technologies Inc IXP SB4x0 High Definition Audio Controller (rev 01)
00:14.3 ISA bridge: ATI Technologies Inc IXP SB400 PCI-ISA Bridge (rev 80)
00:14.4 PCI bridge: ATI Technologies Inc IXP SB400 PCI-PCI Bridge (rev 80)
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
01:05.0 VGA compatible controller: ATI Technologies Inc RS482 [Radeon Xpress 200M]
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)
05:04.0 FireWire (IEEE 1394): O2 Micro, Inc. Firewire (IEEE 1394) (rev 02)
05:04.2 SD Host controller: O2 Micro, Inc. Integrated MMC/SD Controller (rev 01)
05:04.3 Mass storage controller: O2 Micro, Inc. Integrated MS/xD Controller (rev 01)
05:09.0 Network controller: RaLink RT2500 802.11g (rev 01)

[liveuser@localhost ~]$ nm-tool

NetworkManager Tool

State: connected

- Device: eth0 -----------------------------------------------------------------
  Type:              Wired
  Driver:            r8169
  State:             unavailable
  Default:           no
  HW Address:        00:16:17:51:9A:1D

  Capabilities:
    Carrier Detect:  yes
    Speed:           100 Mb/s

  Wired Properties
    Carrier:         off


- Device: wlan0  [Auto dd-wrt] -------------------------------------------------
  Type:              802.11 WiFi
  Driver:            rt2500pci
  State:             connected
  Default:           yes
  HW Address:        00:13:D3:84:FE:9D

  Capabilities:
    Speed:           18 Mb/s

  Wireless Properties
    WEP Encryption:  yes
    WPA Encryption:  yes
    WPA2 Encryption: yes

  Wireless Access Points (* = current AP)
    *dd-wrt:         Infra, 00:1B:FC:91:83:4C, Freq 2412 MHz, Rate 54 Mb/s, Strength 100 WPA2
    dlink:           Infra, 00:26:5A:32:B7:39, Freq 2437 MHz, Rate 54 Mb/s, Strength 54 WPA
    pantherx:        Infra, 00:1C:C5:D8:34:8C, Freq 2462 MHz, Rate 54 Mb/s, Strength 44 WEP

  IPv4 Settings:
    Address:         192.168.1.51
    Prefix:          24 (255.255.255.0)
    Gateway:         192.168.1.2

    DNS:             192.168.1.2

-----------------

As you see, there is an Ethernet adapter, but connection is not available.
On the other hand - Wi-Fi connection is working.
Comment 4 Daniel Walsh 2010-10-03 06:37:27 EDT
Are you seeing AVC messages within /var/log/audit/audit.log or /var/log/messages?
Comment 5 v.plessky 2010-10-03 12:38:05 EDT
Good question.
gedit crashes when I attempt to open audit.log

[root@localhost liveuser]# cd /var/log/audit
[root@localhost audit]# gedit audit.log

** (gedit:3119): WARNING **: AT-SPI: Accessibility bus not found - Using session bus.


** (gedit:3119): WARNING **: AT-SPI: Couldn't connect to bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.


(gedit:3119): EggSMClient-WARNING **: Failed to connect to the session manager: None of the authentication protocols specified are supported

**
GLib-GIO:ERROR:gdbusconnection.c:2170:initable_init: assertion failed: (connection->initialization_error == NULL)
Aborted (core dumped)
Comment 6 v.plessky 2010-10-03 12:57:51 EDT
Created attachment 451292 [details]
/var/log/audit/audit.log  (uploaded to another PC via FTP)


I may add that today I see wired Ethernet connection in NetworkManager.
Besides, I can disable it and re-enable (Auto eth0).

What did I do differently compared to yesterday?
I booted this computer to Windows (XP) in the morning, and later booted to Fedora 14 Beta from Live USB stick.

It seems the current version of Fedora 14 (Beta) doesn't initialize the wired interface correctly on boot (in some cases).
Comment 7 Daniel Walsh 2010-10-04 12:35:31 EDT
No AVCs in the log file.  So I don't think SELinux is blocking it.
Comment 8 Seva 2010-10-07 17:39:49 EDT
Trying to open a ticket, it took me here as a duplicate, not sure if it's related but...

Summary:

SELinux is preventing /usr/sbin/NetworkManager "unlink" access on
/etc/NetworkManager/NetworkManager.conf.

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/NetworkManager/NetworkManager.conf [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.8.1-6.git20100831.fc14
Target RPM Packages           NetworkManager-0.8.1-6.git20100831.fc14
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Oct 2010 03:30:09 PM CDT
Last Seen                     Thu 07 Oct 2010 03:30:09 PM CDT
Local ID                      482350b7-3b53-43e5-b813-fb960015e075
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1286483409.456:62480): avc:  denied  { unlink } for  pid=6264 comm="NetworkManager" name="NetworkManager.conf" dev=dm-0 ino=53046 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1286483409.456:62480): arch=c000003e syscall=82 success=no exit=-13 a0=966810 a1=950f90 a2=961ea0 a3=1 items=0 ppid=1 pid=6264 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
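Added example (not from this bug, NetworkManager or setroubleshoot): a small Python parser that takes the two AVC/SYSCALL pairs quoted in this bug (comment 0 and comment 8), pairs them by audit serial, reports whether each denial was actually enforced (comment 0 ran in permissive mode, comment 8 in enforcing), and rebuilds the audit2allow rule shown in comment 0. The sample log is constructed from the messages above with unneeded fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC/SYSCALL pairs quoted in this bug, trimmed of unneeded fields.
SAMPLE_LOG = """\
node=geppetto.ape type=AVC msg=audit(1272357865.901:8): avc:  denied  { unlink } for  pid=1634 comm="NetworkManager" name="hosts" dev=dm-0 ino=628 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
node=geppetto.ape type=SYSCALL msg=audit(1272357865.901:8): arch=c000003e syscall=82 success=yes exit=0 ppid=1 pid=1634 uid=0 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
node=localhost.localdomain type=AVC msg=audit(1286483409.456:62480): avc:  denied  { unlink } for  pid=6264 comm="NetworkManager" name="NetworkManager.conf" dev=dm-0 ino=53046 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1286483409.456:62480): arch=c000003e syscall=82 success=no exit=-13 ppid=1 pid=6264 uid=0 tty=(none) comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value: quoted, (none)-style or bare
PERM_RE = re.compile(r"\{ ([^}]*) \}")                # the { unlink } part of an AVC record

def parse_record(line):
    """One audit line -> dict of its fields, or None if it is not an audit record."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "serial": m.group(2)}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    if (pm := PERM_RE.search(line)):
        rec["perms"] = pm.group(1).split()
    return rec

def correlate_denials(log_text):
    """Pair each AVC with the SYSCALL record sharing its serial and say whether it was enforced."""
    by_serial = defaultdict(dict)
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        by_serial[rec["serial"]][rec["type"]] = rec
    out = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        # Permissive mode logs the AVC but lets the call through (success=yes, exit=0);
        # enforcing mode fails it with exit=-13 (EACCES), as in comment 8 above.
        out.append({"serial": serial, "comm": avc.get("comm"), "target": avc.get("name"),
                    "perms": avc.get("perms", []), "tclass": avc.get("tclass"),
                    "stype": avc["scontext"].split(":")[2], "ttype": avc["tcontext"].split(":")[2],
                    "enforced": sc is not None and sc.get("success") == "no",
                    "exit": None if sc is None else int(sc["exit"])})
    return out

def audit2allow_rule(d):
    """The allow rule audit2allow prints for one denial; not to be applied blindly when, as in comment 1, the real cause is a mislabelled file that restorecon fixes."""
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {' '.join(d['perms'])};"
```

Running `correlate_denials(SAMPLE_LOG)` distinguishes the first record (logged only, call succeeded) from the second (really blocked), which is the question comment 4 and comment 7 turn on.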
Comment 9 Daniel Walsh 2010-10-08 08:56:39 EDT
I opened a bug on NetworkManager.

https://bugzilla.redhat.com/show_bug.cgi?id=641331
