Hide Forgot
SELinux is preventing /usr/sbin/NetworkManager from 'execute_no_trans' accesses on the file /usr/sbin/nscd. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that NetworkManager should be allowed execute_no_trans access on the nscd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:textrel_shlib_t:s0 Target Objects /usr/sbin/nscd [ file ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host (removed) Source RPM Packages NetworkManager-0.8.2-6.git20101117.fc15 Target RPM Packages nscd-2.13.90-1 Policy RPM selinux-policy-3.9.13-9.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-0.rc3.git4.1.fc15.i686 #1 SMP Sat Feb 5 02:32:55 UTC 2011 i686 i686 Alert Count 1 First Seen Sat 05 Feb 2011 10:31:12 AM MST Last Seen Sat 05 Feb 2011 10:31:12 AM MST Local ID f6c24074-6696-4243-a965-9ae7cdbc3d72 Raw Audit Messages type=AVC msg=audit(1296927072.974:63): avc: denied { execute_no_trans } for pid=2091 comm="NetworkManager" path="/usr/sbin/nscd" dev=dm-1 ino=29273 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:textrel_shlib_t:s0 tclass=file type=SYSCALL msg=audit(1296927072.974:63): arch=i386 syscall=execve success=no exit=EACCES a0=9ed4960 a1=9ed4890 a2=9ea48c0 a3=9ed4890 items=0 ppid=2019 pid=2091 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash: NetworkManager,NetworkManager_t,textrel_shlib_t,file,execute_no_trans audit2allow #============= NetworkManager_t ============== allow NetworkManager_t textrel_shlib_t:file execute_no_trans; audit2allow -R #============= NetworkManager_t ============== allow NetworkManager_t textrel_shlib_t:file execute_no_trans;
Any idea why '/usr/sbin/nscd' is labeled as textrel_shlib_t? Did you setup it? Does # restorecon -R -v /usr/sbin/nscd fix the label?
In Rawhide right now there is a bug that ntpd is causing execmod access. ntpd needs to be rebuilt, using the newere glibc.
(In reply to comment #1) > Any idea why '/usr/sbin/nscd' is labeled as textrel_shlib_t? Yes, because I (blindly) followed advice given by setroubleshoot regarding how to "fix" ncsd demanding execmod access (that is, there were two options; one was changing the label of ncsd to textrel_shlib_t, which I followed because it was on top, and another which I did not follow of adding a rule to avoid the execmod audit message). I have since reverted the label change (changing to textrel_shlib_t was a worse cure than the original disease); but maybe this points to a bug in the setroubleshoot for having provided that suggestion in the first place?
Yes I agree that cure was worse then the disease. I will look at the plugin. The plugin should probably check the existin label and only suggest the fix if the label is lib_t.
The plugin is fixed to only fire against lib_t in setroubleshoot-plugins-3.0.15.