Bug 648591 - SELinux is preventing /usr/sbin/NetworkManager from read access on the file network.
Summary: SELinux is preventing /usr/sbin/NetworkManager from read access on the file n...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: livecd-tools
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d94ae0dd097...
: 639066 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-01 17:28 UTC by satellitgo
Modified: 2011-03-16 17:06 UTC (History)
15 users (show)

Fixed In Version: livecd-tools-15.5-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-12 04:39:23 UTC


Attachments (Terms of Use)

Description satellitgo 2010-11-01 17:28:01 UTC
SELinux is preventing /usr/sbin/NetworkManager from read access on the file network.

*****  Plugin file (63.0 confidence) suggests  *******************************

If this is a newly created file system.
Then you need to add labels to it.
Do
/sbin/restorecon -v network

*****  Plugin catchall_labels (31.7 confidence) suggests  ********************

If you want to allow NetworkManager to have read access on the network file
Then you need to change the label on network
Do
# semanage fcontext -a -t FILE_TYPE 'network'
where FILE_TYPE is one of the following: qmail_rspawn_t, uml_switch_t, postfix_local_t, postfix_smtpd_t, qmail_inject_t, qmail_lspawn_t, user_cron_spool_t, gnomeclock_t, httpd_cvs_script_t, services_munin_plugin_t, httpd_git_script_t, sandbox_net_client_t, system_munin_plugin_t, nagios_services_plugin_t, ntpd_initrc_exec_t, nscd_initrc_exec_t, courier_tcpd_t, iptables_exec_t, loadkeys_t, NetworkManager_t, qmail_queue_t, sandbox_web_client_t, groupadd_t, audisp_t, auditd_t, smoltclient_t, chkpwd_t, comsat_t, dbskkd_t, dccifd_t, prelude_lml_t, fenced_t, gconfd_t, dmidecode_t, groupd_t, iscsid_t, system_dbusd_var_lib_t, kismet_t, kpropd_t, ktalkd_t, lsassd_t, lwregd_t, mysqld_t, oddjob_t, modemmanager_t, openct_t, svc_start_t, fail2ban_t, passwd_t, qdiskd_t, racoon_t, soundd_t, telepathy_stream_engine_t, updpwd_t, vnstat_t, xguest_t, ypbind_t, ypserv_t, zabbix_t, abrt_t, acct_t, bin_t, brctl_t, cert_t, cgred_t, chfn_t, ciped_t, clamd_t, clogd_t, cupsd_t, dccd_t, dhcpd_t, dictd_t, ftpd_t, gpsd_t, httpd_rotatelogs_t, gssd_t, guest_t, hald_t, afs_kaserver_t, howl_t, policykit_auth_exec_t, hplip_t, httpd_t, innd_t, kdump_t, klogd_t, lircd_t, lpd_t, lpr_t, lwiod_t, lwsmd_t, mount_t, mpd_t, munin_t, named_t, kdumpgui_t, nfsd_t, nmbd_t, nscd_t, httpd_bugzilla_script_t, nslcd_t, ntop_t, ntpd_t, pcscd_t, pingd_t, postfix_bounce_t, pppd_t, pptp_t, selinux_config_t, psad_t, ptal_t, qpidd_t, radvd_t, rhgb_t, rpcd_t, httpd_smokeping_cgi_script_t, rshd_t, rssh_t, nx_server_t, sftpd_t, slapd_t, smbd_t, snmpd_t, snort_t, policykit_auth_t, spamd_t, ssh_keygen_t, squid_t, ssh_t, sshd_t, sssd_t, staff_t, svirt_t, swat_t, tcpd_t, tftpd_t, tgtd_t, tor_t, tuned_t, ulogd_t, uml_t, piranha_pulse_t, user_t, usr_t, uucpd_t, uux_t, virsh_t, xauth_t, xend_t, ypxfr_t, sysadm_su_t, hald_mac_t, iptables_t, eventlogd_t, git_shell_t, nagios_system_plugin_t, postfix_qmgr_t, postfix_smtp_t, prelude_audisp_t, cachefilesd_t, courier_sqwebmail_t, postfix_cleanup_t, courier_authdaemon_t, afs_vlserver_t, postfix_showq_t, fsdaemon_t, hostname_t, openvpn_exec_t, shorewall_t, showmount_t, telepathy_gabble_t, jabberd_router_t, policykit_resolve_t, postfix_virtual_t, winbind_helper_t, dovecot_deliver_t, ifconfig_t, load_policy_t, nut_upsmon_t, sssd_public_t, cupsd_config_t, hald_keymap_t, httpd_helper_t, rtkit_daemon_t, abrt_var_run_t, sandbox_min_t, sandbox_net_t, sandbox_web_t, qmail_clean_t, user_seunshare_t, qmail_local_t, xguest_java_t, qmail_smtpd_t, xguest_mono_t, qmail_start_t, sandbox_xserver_t, logwatch_mail_t, telepathy_sofiasip_t, amanda_t, cupsd_lpd_t, amavis_t, postfix_map_t, remote_login_t, locale_t, locate_t, logadm_t, mcelog_t, nagios_t, varnishd_t, automount_t, setkey_t, fetchmail_t, sysadm_t, tvtime_t, tzdata_t, netlogond_t, vmware_t, webadm_t, puppetmaster_t, afs_t, aiccu_t, aide_t, alsa_t, udev_exec_t, amtu_t, apm_t, avahi_t, boinc_t, canna_t, ccs_t, cdcc_t, system_mail_t, crack_t, cvs_t, cyrus_t, dbadm_t, dccm_t, dhcpc_t, dmesg_t, etc_t, exim_t, games_t, getty_t, gpg_t, httpd_squid_script_t, gpm_t, ipsec_t, irc_t, irssi_t, java_t, restorecond_t, mock_t, xdm_dbusd_t, mrtg_t, ndc_t, gpg_helper_t, nrpe_t, pads_t, pam_t, staff_ssh_agent_t, ping_t, postfix_postdrop_t, postfix_postqueue_t, proc_t, qemu_t, quota_t, portreserve_t, rdisc_t, ricci_t, rsync_t, rwho_t, spamc_t, src_t, sysfs_t, vpnc_t, xdm_t, cpufreqselector_t, xfs_t, readahead_t, zebra_t, named_cache_t, setroubleshoot_fixit_t, staff_dbusd_t, postfix_pipe_t, ifconfig_exec_t, httpd_nagios_script_t, staff_screen_t, system_dbusd_t, entropyd_t, xenstored_t, NetworkManager_exec_t, afs_fsserver_t, sandbox_min_client_t, rssh_chroot_helper_t, sysctl_crypto_t, prelink_cron_system_t, cpuspeed_t, NetworkManager_tmp_t, nagios_admin_plugin_t, krb5_conf_t, sysadm_ssh_agent_t, system_cronjob_var_lib_t, qmail_splogger_t, cachefiles_kernel_t, xguest_dbusd_t, cups_pdf_t, freshclam_t, postgresql_t, pppd_initrc_exec_t, git_system_t, httpd_suexec_t, abrt_helper_t, mozilla_plugin_t, courier_pcp_t, courier_pop_t, policykit_var_lib_t, zarafa_server_t, usernetctl_t, publicfile_t, certwatch_t, usbmodules_t, sysctl_net_t, updfstab_t, nscd_exec_t, user_dbusd_t, rpm_exec_t, firewallgui_t, sambagui_t, staff_seunshare_t, nx_server_ssh_t, certmaster_t, utempter_t, certmonger_t, setfiles_t, user_mail_t, cdrecord_t, setsebool_t, sectoolm_t, semanage_t, checkpolicy_t, dhcp_etc_t, portmap_helper_t, abrt_t, telepathy_idle_t, httpd_zarafa_script_t, cobblerd_t, telepathy_mission_control_t, consoletype_t, webalizer_t, cpucontrol_t, lib_t, xenconsoled_t, NetworkManager_etc_rw_t, clamscan_t, gconfdefaultsm_t, cmirrord_t, cronjob_t, crontab_t, dnsmasq_exec_t, logrotate_mail_t, passenger_t, udev_tbl_t, arpwatch_t, cardmgr_t, cgclear_t, chronyd_t, httpd_mojomojo_script_t, apcupsd_t, httpd_php_t, fingerd_t, gpg_web_t, fprintd_t, ftpdctl_t, httpd_cobbler_script_t, dcerpcd_t, dovecot_t, evtchnd_t, gpg_agent_t, openoffice_t, telepathy_msn_t, denyhosts_t, auditctl_t, jabberd_t, kadmind_t, hddtemp_t, spamass_milter_t, iceauth_t, icecast_t, shell_exec_t, prelude_correlator_t, ncftool_t, openvpn_t, memcached_t, postgrey_t, vpnc_exec_t, xguest_openoffice_t, init_script_file_type, lockdev_t, afs_cache_t, mplayer_t, ricci_modcluster_t, abrt_helper_exec_t, smbcontrol_t, ipsec_mgmt_exec_t, dhcpc_exec_t, irqbalance_t, radiusd_t, rlogind_t, roundup_t, srvsvcd_t, stunnel_t, sulogin_t, svc_run_t, syslogd_t, sysstat_t, NetworkManager_etc_t, NetworkManager_log_t, nut_upsdrvctl_t, rpcbind_t, sandbox_t, portmap_t, pppd_exec_t, yppasswdd_t, pppd_etc_t, ptchown_t, netlabel_mgmt_t, oddjob_mkhomedir_t, vbetool_t, vhostmd_t, vnstatd_t, zarafa_ical_t, cyphesis_t, gnomesystemmm_t, winbind_t, sysadm_sudo_t, telnetd_t, usbmuxd_t, kerneloops_t, afs_ptserver_t, varnishlog_t, httpd_w3c_validator_script_t, httpd_mediawiki_script_t, user_openoffice_t, httpd_user_script_t, accountsd_t, piranha_web_t, user_screen_t, greylist_milter_t, calamaris_t, cgconfig_t, staff_openoffice_t, mailman_queue_t, dbusd_etc_t, user_home_t, user_java_t, user_mono_t, user_wine_t, ipsec_mgmt_t, run_init_t, sendmail_t, disk_munin_plugin_t, ld_so_t, shutdown_t, userdomain, audisp_remote_t, corosync_t, dovecot_auth_t, dlm_controld_t, gfs_controld_t, smbmount_t, asterisk_t, bitlbee_t, sepgsql_trusted_proc_t, vmware_host_t, checkpc_t, saslauthd_t, awstats_t, dhcpc_state_t, aisexec_t, rpm_var_cache_t, gitosis_t, textrel_shlib_t, debugfs_t, dnsmasq_t, krb5kdc_t, sysadm_seunshare_t, hotplug_t, gpg_pinentry_t, hwclock_t, newrole_t, zos_remote_t, dcc_client_t, mozilla_t, plymouth_t, proc_net_t, procmail_t, setrans_t, rpm_script_tmp_t, traceroute_t, pegasus_t, prelude_t, privoxy_t, staff_java_t, staff_mono_t, staff_sudo_t, staff_wine_t, wpa_cli_t, httpd_awstats_script_t, policykit_reload_t, dbadm_sudo_t, ajaxterm_t, avahi_exec_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, qmail_send_t, piranha_fos_t, piranha_lvs_t, sandbox_x_t, httpd_apcupsd_cgi_script_t, local_login_t, hald_dccm_t, mysqld_safe_t, ricci_modservice_t, games_srv_t, ricci_modstorage_t, samba_net_t, samba_var_t, afs_bosserver_t, httpd_nutups_cgi_script_t, hald_sonypic_t, initrc_var_run_t, boinc_project_t, nagios_mail_plugin_t, dhcpc_var_run_t, rpm_var_lib_t, amanda_recover_t, dnsmasq_initrc_exec_t, net_conf_t, chrome_sandbox_t, zarafa_spooler_t, httpd_munin_script_t, telepathy_salut_t, sysadm_passwd_t, sysadm_screen_t, nsplugin_t, zarafa_deliver_t, bluetooth_helper_t, dcc_dbclean_t, nut_upsd_t, staff_execmem_t, user_execmem_t, podsleuth_t, zarafa_monitor_t, anon_inodefs_t, qmail_remote_t, sysctl_kernel_t, policykit_t, anon_sftpd_t, home_cert_t, httpd_sys_script_t, staff_consolehelper_t, etc_runtime_t, git_session_t, svc_multilog_t, ricci_modclusterd_t, logwatch_t, fail2ban_var_lib_t, mailman_cgi_t, pulseaudio_t, mailman_mail_t, mysqlmanagerd_t, ld_so_cache_t, bluetooth_t, mencoder_t, named_exec_t, consoletype_exec_t, plymouthd_t, pppd_var_run_t, smokeping_t, ksmtuned_t, mail_munin_plugin_t, httpd_prewikka_script_t, ricci_modlog_t, netutils_t, ricci_modrpm_t, qmail_tcp_env_t, setroubleshootd_t, nsplugin_config_t, sandbox_x_client_t, dkim_milter_t, nagios_checkdisk_plugin_t, postfix_master_t, postfix_pickup_t, admin_crontab_t, consolekit_t, regex_milter_t, pam_console_t, zarafa_gateway_t, wireshark_t, policykit_grant_t, logrotate_t, virsh_ssh_t, hald_acl_t, update_modules_t, ssh_keysign_t, telepathy_sunshine_t, dnsmasq_var_run_t, root_t, insmod_exec_t. 
Then execute: 
restorecon -v 'network'


*****  Plugin catchall (6.75 confidence) suggests  ***************************

If you want to allow NetworkManager to have read access on the network file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                network [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.8.1-9.git20100831.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-7.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.36-1.fc15.i686 #1
                              SMP Thu Oct 21 04:49:22 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 01 Nov 2010 05:15:42 PM EDT
Last Seen                     Mon 01 Nov 2010 05:15:42 PM EDT
Local ID                      f987d539-4016-4715-9137-32b6b33e5aa5

Raw Audit Messages
type=AVC msg=audit(1288646142.648:4): avc:  denied  { read } for  pid=1293 comm="NetworkManager" name="network" dev=dm-0 ino=58459 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

NetworkManager,NetworkManager_t,file_t,file,read
type=SYSCALL msg=audit(1288646142.648:4): arch=i386 syscall=inotify_add_watch success=yes exit=EPERM a0=f a1=2fb491 a2=8 a3=b6f03530 items=0 ppid=1 pid=1293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
NetworkManager,NetworkManager_t,file_t,file,read

#============= NetworkManager_t ==============
allow NetworkManager_t file_t:file read;

Comment 1 Daniel Walsh 2010-11-01 17:36:01 UTC

*** This bug has been marked as a duplicate of bug 648588 ***

Comment 2 Adam Williamson 2011-02-16 06:28:36 UTC
I just hit a case of this. The bug it was marked as a dupe of is itself marked as a dupe of a CANTFIX indicating pilot error. However, the case I hit happens on boot of an F15 Alpha TC2 image; no user interaction required, you just boot up, login, and there's an SELinux denial 'SELinux is preventing /usr/sbin/NetworkManager from 'read' access on the file network'. I'm guessing the file in question is /etc/sysconfig/network , which appears to have type system_u:object_r:file_t:s0 . Is this a bug in whatever package owns/creates /etc/sysconfig/network ?

Comment 3 Adam Williamson 2011-02-16 06:29:23 UTC
on my 'dirty' rawhide system /etc/sysconfig/network has type system_u:object_r:etc_t:s0 , so there's clearly something different in the cleanly-composed live image.

Comment 4 Adam Williamson 2011-02-16 06:30:13 UTC
[root@adam Download]# rpm -qf /etc/sysconfig/network
file /etc/sysconfig/network is not owned by any package

doesn't help. I'm not sure what actually creates it.

Comment 5 Adam Williamson 2011-02-16 06:31:33 UTC
the bug this was marked as a dupe of is about macros.imgcreate , and sure enough, I have a second abrt report about that file, on clean boot of the F15 Alpha TC2 image. huh.

Comment 6 Adam Williamson 2011-02-16 06:31:42 UTC
er, selinux report, rather.

Comment 7 Adam Williamson 2011-02-16 06:32:24 UTC
Marking as an F15 Final blocker, per criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ) ".

Comment 8 Miroslav Grepl 2011-02-16 15:09:19 UTC
matchpathcon /etc/sysconfig/network
/etc/sysconfig/network	system_u:object_r:etc_t:s0

So "etc_t" label is the correct.

Looks like a bug in the tool livecd-tools which did not put the correct labels on this livecd.

Comment 9 Daniel Walsh 2011-02-16 19:48:53 UTC
file_t means no label got assigned.  So the installation process of the livecd creator is broken.

Comment 10 Brian Lane 2011-02-16 22:49:31 UTC
livecd-tools does this:

self.call(["/sbin/setfiles", "-e", "/proc", "-e", "/sys", "-e", "/dev", "-e", "/selinux", "/etc/selinux/targeted/contexts/files/file_contexts", "/"])

It also writes the /etc/sysconfig/network file, after setfiles is run. 

On the TC2 image there are 3 other files that have the file_t label:

iptables.old
ip6tables.old
system-config-firewall.old

All the files in sysconfig have the same timestamp.

It also uses lokkit to setup selinux and the firewall.

The 2/14 nightly works fine, with the correct context and livecd-tools hasn't changed this code recently.

Comment 11 Brian Lane 2011-02-17 01:01:00 UTC
This looks like a selinux bug.

build system is a F14 box with selinux=disabled, when I build a minimal livecd in a rawhide mock the context on the /etc/sysconfig/network file is incorrect as indicated in comment 2 and 3.

When I switch my system over to selinux=permissive and redo the build with no other changes the created image has the correct context set on /etc/sysconfig/network

livecd-creator processes the kickstart in the following order:

language
keyboard
timezone
auth
selinux
firewall
rootpw
services
xconfig
network
rpmmacros

The selinux step executes the setfiles command in comment 10 and in the kickstart it is set to selinux --enforcing

/etc/sysconfig/network is written by the network step. The iptables files mentioned in step 10 may be written in the firewall step, which uses lokkit to change the firewall settings.

Comment 12 Adam Williamson 2011-02-17 03:12:41 UTC
Ah. I think it's generally known that you should run live builds with selinux in permissive mode, but I don't know if we've ever considered a bug to be fixed or just worked with it...

Comment 13 Brian Lane 2011-02-17 04:39:38 UTC
The info I have is that nightly livecd's are on a machine with it set permissive (which didn't work very well for me locally, the root password wasn't cleared for one) and that TC2 being built on machines with it disabled.

Comment 14 Miroslav Grepl 2011-02-17 10:36:03 UTC
Ok, so F15 Alpha TC2 images were created with disabled SELinux which is a reason why we see these issue.

Comment 15 Bruno Wolff III 2011-02-17 11:48:06 UTC
I build images in enforcing mode. I am pretty sure I have seen changes in the past to make building live images in disabled mode work. I am less sure about enforcing mode where the policy of the live image doesn't match that of the build system, but I vaguely remember changes to make that work as well. I think that it is a bug for them to not be built properly in any particular selinux mode.

Comment 16 Bruno Wolff III 2011-02-17 11:59:55 UTC
Note, I think the reason this is broke in disabled mode is that the default labels applied when not in disabled mode hide the bug of not running setfiles after all files have been created. This would also apply to files created in post processing, so ks files that do that may need to run setfiles on files created in that step, since I think that is too late for the normal setfiles command to catch them.
I am changing the component back to livecd-tools, as I think the bug is really in that component, not selinux tools or policy.

Comment 17 Brian Lane 2011-02-17 14:47:59 UTC
I build all of mine on a host with it disabled, and don't plan on changing that so I'll see what I can do to make it work. I was thinking about this as I fell asleep last night and maybe it would be as simple as re-running setfiles after we run the post scripts. I'll give it a try today and see what happens, since I am able to reproduce the problem.

Comment 18 Bruno Wolff III 2011-02-17 15:34:26 UTC
That would probably be a reasonable approach, but you'd want to limit the directories that get checked to save on running time. based on what get's done after the first run, it should be possible to figure out a limited set of places where files might be created after the first setfiles run.

Comment 19 Brian Lane 2011-02-17 20:18:50 UTC
Ends up its even simpler, just move it to after the post scripts are run.

Comment 20 Brian Lane 2011-02-18 21:35:34 UTC
*** Bug 639066 has been marked as a duplicate of this bug. ***

Comment 21 Fedora Update System 2011-02-19 00:52:25 UTC
livecd-tools-15.5-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/livecd-tools-15.5-1.fc15

Comment 22 Fedora Update System 2011-02-19 02:18:03 UTC
livecd-tools-14.2-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/livecd-tools-14.2-1.fc14

Comment 23 Fedora Update System 2011-02-19 02:51:22 UTC
livecd-tools-15.5-1.fc15 has been pushed to the Fedora 15 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update livecd-tools'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/livecd-tools-15.5-1.fc15

Comment 24 Fedora Update System 2011-02-24 20:54:45 UTC
livecd-tools-14.2-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2011-03-12 04:38:35 UTC
livecd-tools-15.5-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Oliver Henshaw 2011-03-16 17:06:19 UTC
This seems to have fixed bug #663935 too.


Note You need to log in before you can comment on or make changes to this bug.