Bug 647030 - SELinux is preventing /usr/bin/python "write" access on /etc/dhcp/manager-settings.conf.
Product: Fedora
Classification: Fedora
Component: selinux-policy
i386 Linux
medium Severity medium
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Duplicates: 647031
Depends On:
Reported: 2010-10-26 17:18 EDT by leigh scott
Modified: 2011-05-09 15:35 EDT
8 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-05-09 15:35:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description leigh scott 2010-10-26 17:18:38 EDT

SELinux is preventing /usr/bin/python "write" access on

Detailed Description:

SELinux denied access requested by wicd. It is not expected that this access is
required by wicd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/dhcp/manager-settings.conf [ file ]
Source                        wicd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-68.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              #1 SMP Tue Oct 19 04:42:47 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Tue 26 Oct 2010 22:12:07 BST
Last Seen                     Tue 26 Oct 2010 22:12:07 BST
Local ID                      86375435-d346-4319-a83e-75dff7f6d43e
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1288127527.741:6): avc:  denied  { write } for  pid=1138 comm="wicd" name="manager-settings.conf" dev=sda1 ino=84314 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1288127527.741:6): arch=40000003 syscall=5 success=no exit=-13 a0=9d38850 a1=8241 a2=1b6 a3=9d36cb9 items=0 ppid=1137 pid=1138 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wicd" exe="/usr/bin/python" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash String generated from  catchall,wicd,NetworkManager_t,etc_t,file,write
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t etc_t:file write;
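The raw AVC record above, parsed back into the fields that sealert lists under "Additional Information" and triaged before anyone reaches for audit2allow. This is an added example, not part of the bug report or of any Fedora tool; the set of generic types it treats as a mislabeling hint (etc_t, var_t, and so on) is a heuristic chosen here. It makes the point that the audit2allow suggestion is a poor fix for this report: `allow NetworkManager_t etc_t:file write` would let the NetworkManager domain write every file labeled etc_t, whereas a daemon-specific config file carrying the generic etc_t type points to a labeling problem that restorecon resolves.

```shell
#!/bin/sh
# Added example (not from the bug report): pick the fields out of a raw AVC
# record and triage the denial before reaching for audit2allow.
# Needs only POSIX sh, sed and cut, so it runs on any host.

# Sample record, copied from the report's "Raw Audit Messages".
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1288127527.741:6): avc:  denied  { write } for  pid=1138 comm="wicd" name="manager-settings.conf" dev=sda1 ino=84314 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value with any quotes stripped.
# The leading space in the pattern keeps "pid" from matching inside "ppid".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:TYPE:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_verdict LINE: "relabel" when the target carries a generic type that a
# daemon-specific file should not have, "policy" otherwise.  The list of
# generic types is a heuristic chosen for this example.
avc_verdict() {
    case $(ctx_type "$(avc_field "$1" tcontext)") in
        etc_t|usr_t|var_t|var_lib_t|var_log_t|tmp_t|default_t|unlabeled_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# avc_summary LINE: one-line digest in the spirit of sealert's table.
avc_summary() {
    printf 'source=%s (%s) target=%s:%s perms={%s} target_type=%s verdict=%s\n' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(avc_perms "$1")" "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_verdict "$1")"
}

avc_summary "$SAMPLE_AVC"
```

For the record in this report the verdict is "relabel": the source domain is NetworkManager_t, the object is a file, but its type is the catch-all etc_t rather than a NetworkManager-specific type, so the first question is what matchpathcon says the path should carry, not which allow rule to add.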
Comment 1 Miroslav Grepl 2010-10-27 08:43:38 EDT
*** Bug 647031 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2010-10-27 10:00:40 EDT
How did you get it? What were you doing with wicd when this happened?
Comment 3 leigh scott 2010-10-27 17:40:43 EDT
(In reply to comment #2)
> How did you get it? What were you doing with wicd when this happened?

I installed selinux-policy-3.7.19-68.fc13 to fix #596982, since then I get this warning on boot up.
Comment 4 Daniel Walsh 2010-10-27 18:01:15 EDT
Does networkmanager/wicd need write access to this file?
Comment 5 Jirka Klimes 2010-11-16 03:56:23 EST
NetworkManager doesn't use such file at all.

It's probably wicd's config, however according to e.g. http://en.gentoo-wiki.com/wiki/Wicd, the location should be /etc/wicd/manager-settings.conf
Comment 6 Miroslav Grepl 2010-11-16 08:03:21 EST
Could you try to execute

# restorecon -R -v /etc/wicd

I think you have mislabeled files in this directory.

If I am wrong, please reopen the bug.
Comment 7 leigh scott 2010-12-17 10:13:13 EST
(In reply to comment #6)
> leigh,

> If am wrong, please reopen the bug.

I'm still getting this on a clean install
Comment 8 Alexander Hunt 2010-12-17 19:35:04 EST
Leigh, Some thoughts for you: (btw, I'm just a regular user with lots of time invested in wicd issues, explaining what has worked for me; your mileage may vary :) ) 
There are a couple of anomalies that I have found: 

1.) wicd is configured to be run by users in the 'user' group (ref comment 11, bug#608379) ; except users are not put in the 'user' group by default when the original or subsequent users are created. Try adding your username to the group 'users'.

2.) Next is that although selinux targeted policy (selinux-policy 3.9.7-16.fc14) states that the 3 files listed below should have the context: NetworkManager_var_lib_t , they didn't in my system (maybe because I didn't force a system boot-time relabel after installing the new selinux policy - I'm not sure about whether that is supposed to be done after each update or not), they just said 'Network Manager' so I fixed this with:

sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wired-settings.conf
sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wireless-settings.conf
sudo chcon -t NetworkManager_t /etc/dhcp/manager-settings.conf  

3.) Last is that /var/log/wicd.log should have its own folder to get selinux context from, so I changed that in my system so that the log is here instead:
/var/log/wicd/wicd.log (ref bug#608378, comment#9)

All relevant information should be somewhere in bugs #608378 and #608379
As always many Thanks to Miroslav Grepl and Daniel Walsh for their infinite patience and expertise.

I hope that helps. Happy Holidays! :)
Comment 9 Miroslav Grepl 2010-12-20 13:26:07 EST
(In reply to comment #7)
> (In reply to comment #6)
> > leigh,
> > 
> > If am wrong, please reopen the bug.
> I'm still getting this on a clean install

Give me some outputs:

# ls -Z /etc/wicd/manager-settings.conf

# matchpathcon /etc/wicd/manager-settings.conf
Comment 10 Miroslav Grepl 2010-12-20 13:30:48 EST
> sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wired-settings.conf
> sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wireless-settings.conf
> sudo chcon -t NetworkManager_t /etc/dhcp/manager-settings.conf  

Don't use a domain type for files. I mean

# chcon -t NetworkManager_t /etc/dhcp/manager-settings.conf

Also could you give me labels of these files after reboot?
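The label check requested in comments 9 and 10 (the file's current label against what matchpathcon says the policy assigns to that path) as a small script, with restorecon run in dry-run mode so it only reports what it would change. This is an added example, not from the bug report: the sample contexts are the ones quoted in this report, the generic-type list and the verdict names are this example's own, and check_path assumes a host where stat, matchpathcon and restorecon are installed.

```shell
#!/bin/sh
# Added example (not from the bug report): the ls -Z / matchpathcon check from
# comments 9 and 10 as a script.  The string helpers run anywhere; check_path
# needs a host with SELinux tools (stat, matchpathcon, restorecon).

# ctx_type CONTEXT: the type field of user:role:TYPE:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# label_verdict CURRENT EXPECTED: compare the type the file carries with the
# type the loaded policy's file contexts assign to its path.
#   relabel   - types differ; restorecon will change the file's label
#   ok        - types agree and are specific; a denial here is a missing rule
#   no-entry  - types agree but are generic (etc_t, var_t, ...), i.e. the
#               policy has no specific entry for this path and restorecon
#               cannot help; that is a file-context bug to report
# The set of generic types is a heuristic chosen for this example.
label_verdict() {
    cur=$(ctx_type "$1"); exp=$(ctx_type "$2")
    if [ "$cur" != "$exp" ]; then
        echo relabel; return
    fi
    case $exp in
        etc_t|usr_t|var_t|var_lib_t|var_log_t|tmp_t|default_t) echo no-entry ;;
        *) echo ok ;;
    esac
}

# check_path PATH: real-host driver.  stat -c %C prints the file's context,
# matchpathcon -n prints the policy's expected context for the same path,
# and restorecon -n -v only reports what it would change.
check_path() {
    cur=$(stat -c %C "$1") || return 1
    exp=$(matchpathcon -n "$1") || return 1
    printf '%s: current=%s expected=%s verdict=%s\n' "$1" "$cur" "$exp" \
        "$(label_verdict "$cur" "$exp")"
    restorecon -n -v "$1"
}

# Contexts quoted in comment 11: what the files carried vs. what matchpathcon
# reported for the wicd config path.
label_verdict 'system_u:object_r:etc_t:SystemLow' \
              'system_u:object_r:NetworkManager_var_lib_t:SystemLow'
```

Comment 11 ran matchpathcon on /etc/wicd/manager-settings.conf but ls -Z on /etc/dhcp/manager-settings.conf; two different paths can legitimately map to different types, so check_path always queries both tools for the same path. chcon only rewrites the label on the inode and is undone by the next relabel; if a path really needs a non-default type, record it with semanage fcontext and then apply it with restorecon, and never assign a process domain such as NetworkManager_t to a file.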
Comment 11 Alexander Hunt 2010-12-20 15:34:25 EST
Hi Miroslav, Almost time to ditch work; You should be starting holidays! lol...

I realized today I made an error when I wrote:
> sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wired-settings.conf
> sudo chcon -t NetworkManager_var_lib_t /etc/dhcp/wireless-settings.conf
> sudo chcon -t NetworkManager_t /etc/dhcp/manager-settings.conf  
all 3 of those files were changed to NetworkManager_var_lib_t, not just the first two. Sorry about that; I started working on your request and noticed the error.

I'd like to reiterate item #2 of comment#8 in regards to you saying: "don't use domain type for files"; while I'm not sure which portion of the context NetworkManager_var_lib_t is the domain, I used that info because the policy says it should be that way (unless I'm misunderstanding the use of the software). I found this info in: SELinux Administration, the "File Labelling" section, sorted by SELinux File Type, scroll down to NetworkManager contexts, and look at /etc/wicd/manager-settings, wired-settings and wireless-settings. I know those files aren't in the etc/wicd folder (and they won't work there, I tried it) but they are the files that wicd uses. Anyway all that is just a point of reference.

Here's the info: I checked those 3 files before doing any changes.
This is the context checked with root (sudo nautilus; file properties /permissions): System Configuration   (That's all it says oddly enough)

This is the context checked with my user account (nautilus; file properties/ permissions): system_u:object_r:etc_t:SystemLow  (Better info there)
It is the same context for all 3 of these files: /etc/dhcp/manager-settings.conf, etc/dhcp/wired-settings.conf, and wireless-settings.conf

They were the same after a shutdown/restart.

Then as per your request in comment 10;

SELinux admin; put system in permissive mode temporarily to change file context to: NetworkManager_t 
I changed the context on all 3 files.
Changed back to enforcing mode.
Shutdown and start-up

wicd did not start due to selinux blocking process; 
selinux alert: The source process /usr/bin/python
               Attempted this access: setattr
               On this file: manager-settings.conf

file context on all 3 is now : system_u:object_r:NetworkManager_t:SystemLow

I had to change /etc/dhcp/manager-setting.conf back to chcon -t NetworkManager_var_lib_t so that the wicd service could start again.
I left the context of /etc/dhcp/wired-settings.conf and wireless-settings.conf at NetworkManager_t and wicd is working fine with those 2 in the new context...

I thought I'd throw in the info that you asked for from Leigh in case that would be of any use to you. (there's a typo in your request too, manager-settings is in /etc/dhcp, not /etc/wicd)

1.) ls -Z /etc/dhcp/manager-settings.conf
-rw-------. root root system_u:object_r:NetworkManager_var_lib_t:SystemLow /etc/dhcp/manager-settings.conf

2.) matchpathcon /etc/wicd/manager-settings.conf
/etc/wicd/manager-settings.conf	system_u:object_r:NetworkManager_var_lib_t:SystemLow

(As you will notice these were just done after I changed the context back to what allows wicd to work)

I hope this info tells you something. I'm leaving for Christmas holidays now, and I will be checking email less often, but will have full access to my computer. If you need any more info or anything, don't hesitate to ask.
Best wishes for the holidays Miroslav, and as always: Thank you very much for sorting this stuff out.
Best regards,
Comment 12 Alexander Hunt 2011-01-11 03:10:56 EST
Hi All,
I thought I'd put in an end-note here. I bought myself a new hard-drive for Christmas, installed it, then installed F14-x86_64 from a fresh download of the DVD iso. I had no SELinux alerts of any kind until the system decided it needed a relabel a couple days ago, which was an easy fix with info from the new ui. Anyway I just wanted to say with a fresh install there doesn't seem to be any labelling problems with Wicd.
Best wishes for all for the New Year and as always Many Thanks go out to Miroslav G. and Daniel W.
Comment 13 Miroslav Grepl 2011-05-09 15:35:00 EDT
Please reopen a new bug if this still happens. Thank you.
