659932 – SELinux is preventing /usr/bin/python "rename" access on wicd.log.1.

Bug 659932 - SELinux is preventing /usr/bin/python "rename" access on wicd.log.1.

Summary: SELinux is preventing /usr/bin/python "rename" access on wicd.log.1.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	14
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:f3cd39139ad...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-12-04 08:52 UTC by Alexander Hunt
Modified:	2010-12-13 20:12 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.9.7-16.fc14
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-12-13 20:12:58 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alexander Hunt 2010-12-04 08:52:16 UTC

Summary:

SELinux is preventing /usr/bin/python "rename" access on wicd.log.1.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by wicd. It is not expected that this access is
required by wicd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                wicd.log.1 [ file ]
Source                        wicd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.x86_64 #1 SMP
                              Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 03 Dec 2010 06:04:09 PM MST
Last Seen                     Sat 04 Dec 2010 01:21:55 AM MST
Local ID                      acfc014b-59e0-4f16-ae44-c5bafede4481
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1291450915.18:26748): avc:  denied  { rename } for  pid=1742 comm="wicd" name="wicd.log.1" dev=dm-4 ino=1704646 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1291450915.18:26748): arch=c000003e syscall=82 success=yes exit=0 a0=21d8ee0 a1=20a1b30 a2=3ad05cbd80 a3=7261762f00000000 items=0 ppid=1 pid=1742 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wicd" exe="/usr/bin/python" subj=system_u:system_r:NetworkManager_t:s0 key=(null)



Hash String generated from  catchall,wicd,NetworkManager_t,var_log_t,file,rename
audit2allow suggests:

#============= NetworkManager_t ==============
allow NetworkManager_t var_log_t:file rename;

Comment 1 Miroslav Grepl 2010-12-06 10:38:00 UTC

Have you ever started wicd by hand?

# chcon -t NetworkManager_log_t /var/log/wicd.log.1


Will fix.


Fixed in selinux-policy-3.9.7-15.fc14

Comment 2 Alexander Hunt 2010-12-06 18:33:59 UTC

Hi Miroslav,
I have started it by hand in the past, but not recently.
For some reason my computer did a relabel when I booted it last night (don't know why, I didn't set it to do so) anyway, wicd.log is labelled correctly now; "NetworkManager_log_t" instead of just  "Logfile". Installed version of Selinux is 3.9.7-14.fc14 just for informations sake.
Thank you for the help,
Best regards,
Alex

Comment 3 Alexander Hunt 2010-12-06 18:43:24 UTC

Sorry Miroslav, I forgot to mention I did: sudo restorecon -Rv /var/log/wicd 
last night to fix another of the wicd problems as per your instructions for that bug, but I can't remember which bugzilla# it was. Again, Thanks for all your work on resolving issues with wicd.
Best regards

Comment 4 Alexander Hunt 2010-12-07 00:28:31 UTC

Addendum: I changed system to enforcing mode (targeted), then shutdown and restarted, and wicd now connects the notebook to the network in Enforcing mode!
Many Thank You's to Miroslav, Daniel and anyone else who has tirelessly worked to resolve the wicd issues. 
I have never been able to run in enforcing mode in any previous version while using wicd. You have made me very happy today! My system is more secure.
Best wishes for the Holidays to you all!
Alex

Comment 5 Miroslav Grepl 2010-12-07 08:52:40 UTC

Thanks. I have better morning if I see people are happy with SELinux.

Comment 6 Fedora Update System 2010-12-10 13:54:48 UTC

selinux-policy-3.9.7-16.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14

Comment 7 Fedora Update System 2010-12-10 20:29:12 UTC

selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-16.fc14

Comment 8 Fedora Update System 2010-12-13 20:11:55 UTC

selinux-policy-3.9.7-16.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.