SELinux is preventing /usr/sbin/NetworkManager from using the 'sys_module' capabilities. ***** Plugin sys_module (99.5 confidence) suggests ************************* If you do not believe that /usr/sbin/NetworkManager should be attempting to modify the kernel by loading a kernel module. Then a process might be attempting to hack into your system. Do contact your security administrator and report this issue. ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that NetworkManager should have the sys_module capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:system_r:NetworkManager_t:s0 Target Objects Unknown [ capability ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host (removed) Source RPM Packages NetworkManager-0.8.2-8.git20101117.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-4.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 16 Mar 2011 09:00:06 PM CET Last Seen Wed 16 Mar 2011 09:00:06 PM CET Local ID eaeb78ca-572e-420c-8d46-a8ef473c927c Raw Audit Messages type=AVC msg=audit(1300305606.783:285): avc: denied { sys_module } for pid=928 comm="NetworkManager" capability=16 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability type=SYSCALL msg=audit(1300305606.783:285): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=13 a1=8913 a2=7fff58056860 a3=1 items=0 ppid=1 pid=928 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash: NetworkManager,NetworkManager_t,NetworkManager_t,capability,sys_module audit2allow #============= NetworkManager_t ============== allow NetworkManager_t self:capability sys_module; audit2allow -R #============= NetworkManager_t ============== allow NetworkManager_t self:capability sys_module;
Why is networkmanager attempting to load kernel modules?
My guess is that NM did an ioctl which attempted to make the networking code upcall to userspace to load a module. In the past this required CAP_NET_ADMIN. In new kernels this requires CAP_NET_ADMIN if the module in question is named 'netdev-*'. If the module being requested is not named netdev-* is required CAP_SYS_MODULE. This is definitely NOT an SELinux policy bug. It is most likely a kernel bug for trying to autoload a module not named "netdev-*" but could be an NM bug as I don't know exactly what this syscall is....
Is there any chance you can reproduce this problem with selinux permissive and then provide the output of dmesg?
*** This bug has been marked as a duplicate of bug 684415 ***