Bug 693581 - SELinux is preventing NetworkManager from 'read' accesses on the file n2.
SELinux is preventing NetworkManager from 'read' accesses on the file n2.
Status: CLOSED DUPLICATE of bug 693247
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: 693579 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2011-04-04 20:19 EDT by Luya Tshimbalanga
Modified: 2011-04-07 14:58 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-04-07 14:58:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Luya Tshimbalanga 2011-04-04 20:19:19 EDT
Description of problem:

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow NetworkManager to have read access on the n2 file
Then you need to change the label on n2
# semanage fcontext -a -t FILE_TYPE 'n2'
where FILE_TYPE is one of the following: lwregd_t, mysqld_t, kdumpgui_t, oddjob_t, openct_t, svc_start_t, httpd_bugzilla_script_t, fail2ban_t, postfix_bounce_t, passwd_t, selinux_config_t, qdiskd_t, racoon_t, soundd_t, telepathy_stream_engine_t, updpwd_t, httpd_smokeping_cgi_script_t, vnstat_t, nx_server_t, xguest_t, ypbind_t, ypserv_t, zabbix_t, abrt_t, policykit_auth_t, acct_t, ssh_keygen_t, bin_t, brctl_t, cert_t, cgred_t, chfn_t, ciped_t, clamd_t, clogd_t, cupsd_t, dccd_t, dhcpd_t, dictd_t, piranha_pulse_t, drbd_t, ftpd_t, gpsd_t, gssd_t, guest_t, hald_t, howl_t, hplip_t, httpd_t, sysadm_su_t, innd_t, kdump_t, klogd_t, lircd_t, lpd_t, lpr_t, lwiod_t, lwsmd_t, hald_mac_t, iptables_t, mount_t, mpd_t, munin_t, named_t, nfsd_t, nmbd_t, nscd_t, git_shell_t, nslcd_t, ntop_t, ntpd_t, pcscd_t, pingd_t, pppd_t, pptp_t, psad_t, ptal_t, qpidd_t, radvd_t, rhgb_t, cachefilesd_t, rpcd_t, courier_sqwebmail_t, rshd_t, rssh_t, postfix_cleanup_t, sftpd_t, slapd_t, smbd_t, snmpd_t, snort_t, spamd_t, squid_t, ssh_t, sshd_t, sssd_t, postfix_showq_t, staff_t, svirt_t, swat_t, tcpd_t, tcsd_t, tftpd_t, tgtd_t, hostname_t, tor_t, tuned_t, ulogd_t, shorewall_t, uml_t, showmount_t, user_t, usr_t, uucpd_t, uux_t, virsh_t, telepathy_gabble_t, xauth_t, xend_t, ypxfr_t, eventlogd_t, nagios_system_plugin_t, postfix_qmgr_t, postfix_virtual_t, postfix_smtp_t, prelude_audisp_t, dovecot_deliver_t, ifconfig_t, courier_authdaemon_t, afs_vlserver_t, consolekit_var_run_t, fsdaemon_t, openvpn_exec_t, qmail_clean_t, qmail_local_t, qmail_smtpd_t, qmail_start_t, sandbox_xserver_t, jabberd_router_t, policykit_resolve_t, telepathy_sofiasip_t, systemd_notify_t, winbind_helper_t, amanda_t, amavis_t, device_t, load_policy_t, nut_upsmon_t, sssd_public_t, locale_t, locate_t, cupsd_config_t, logadm_t, mcelog_t, nagios_t, hald_keymap_t, httpd_helper_t, varnishd_t, rtkit_daemon_t, setkey_t, sysadm_t, tvtime_t, tzdata_t, vmware_t, webadm_t, afs_t, aiccu_t, aide_t, alsa_t, amtu_t, apm_t, avahi_t, boinc_t, canna_t, ccs_t, cdcc_t, sandbox_min_t, sandbox_net_t, crack_t, sandbox_web_t, cvs_t, user_seunshare_t, cyrus_t, xguest_java_t, dbadm_t, xguest_mono_t, dccm_t, dhcpc_t, dmesg_t, etc_t, exim_t, logwatch_mail_t, abrt_var_run_t, games_t, getty_t, gpg_t, gpm_t, ipsec_t, irc_t, irssi_t, java_t, cupsd_lpd_t, mock_t, mrtg_t, ndc_t, nrpe_t, pads_t, pam_t, postfix_map_t, ping_t, remote_login_t, postfix_postdrop_t, postfix_postqueue_t, proc_t, qemu_t, quota_t, rdisc_t, ricci_t, rsync_t, automount_t, rwho_t, spamc_t, ddclient_t, src_t, sysfs_t, fetchmail_t, vlock_t, vpnc_t, netlogond_t, xdm_t, puppetmaster_t, xfs_t, zebra_t, udev_exec_t, system_mail_t, setroubleshoot_fixit_t, staff_dbusd_t, httpd_squid_script_t, postfix_pipe_t, ifconfig_exec_t, restorecond_t, httpd_nagios_script_t, xdm_dbusd_t, gpg_helper_t, staff_ssh_agent_t, systemd_passwd_agent_t, NetworkManager_exec_t, afs_fsserver_t, portreserve_t, cpufreqselector_t, readahead_t, prelink_cron_system_t, named_cache_t, sysadm_ssh_agent_t, system_cronjob_var_lib_t, cachefiles_kernel_t, httpd_dirsrvadmin_script_t, staff_screen_t, system_dbusd_t, entropyd_t, git_system_t, httpd_suexec_t, xenstored_t, abrt_helper_t, sandbox_min_client_t, policykit_var_lib_t, rssh_chroot_helper_t, usernetctl_t, certwatch_t, sysctl_crypto_t, updfstab_t, cpuspeed_t, NetworkManager_tmp_t, nagios_admin_plugin_t, user_dbusd_t, krb5_conf_t, qmail_splogger_t, xguest_dbusd_t, cups_pdf_t, firewallgui_t, freshclam_t, ajaxterm_ssh_t, postgresql_t, pppd_initrc_exec_t, utempter_t, setsebool_t, mozilla_plugin_t, courier_pcp_t, courier_pop_t, dhcp_etc_t, zarafa_server_t, keyboardd_t, matahari_hostd_t, sysadm_dbusd_t, publicfile_t, telepathy_idle_t, usbmodules_t, httpd_zarafa_script_t, sysctl_net_t, telepathy_mission_control_t, webalizer_t, nscd_exec_t, cpucontrol_t, rpm_exec_t, NetworkManager_etc_rw_t, sambagui_t, staff_seunshare_t, gconfdefaultsm_t, nx_server_ssh_t, matahari_serviced_t, certmaster_t, certmonger_t, setfiles_t, user_mail_t, cdrecord_t, sectoolm_t, udev_tbl_t, semanage_t, checkpolicy_t, httpd_mojomojo_script_t, httpd_php_t, portmap_helper_t, cobblerd_t, consoletype_t, openoffice_t, denyhosts_t, xenconsoled_t, clamscan_t, cmirrord_t, shell_exec_t, cronjob_t, memcached_t, crontab_t, dnsmasq_exec_t, xguest_openoffice_t, logrotate_mail_t, matahari_netd_t, passenger_t, systemd_tmpfiles_t, arpwatch_t, cardmgr_t, dirsrv_snmp_t, cgclear_t, dirsrvadmin_t, chronyd_t, apcupsd_t, smbcontrol_t, dhcpc_exec_t, fingerd_t, foghorn_t, gpg_web_t, abrt_t, fprintd_t, ftpdctl_t, httpd_cobbler_script_t, NetworkManager_etc_t, NetworkManager_log_t, dcerpcd_t, dovecot_t, evtchnd_t, gpg_agent_t, telepathy_msn_t, auditctl_t, jabberd_t, kadmind_t, lib_t, hddtemp_t, netlabel_mgmt_t, spamass_milter_t, oddjob_mkhomedir_t, iceauth_t, icecast_t, prelude_correlator_t, ncftool_t, openvpn_t, postgrey_t, cyphesis_t, gnomesystemmm_t, vpnc_exec_t, init_script_file_type, lockdev_t, kerneloops_t, mplayer_t, ricci_modcluster_t, varnishlog_t, httpd_w3c_validator_script_t, ipsec_mgmt_exec_t, irqbalance_t, radiusd_t, rlogind_t, roundup_t, user_openoffice_t, srvsvcd_t, httpd_user_script_t, stunnel_t, sulogin_t, svc_run_t, syslogd_t, sysstat_t, accountsd_t, nut_upsdrvctl_t, rpcbind_t, sandbox_t, portmap_t, pppd_exec_t, yppasswdd_t, pppd_etc_t, cgconfig_t, ptchown_t, vbetool_t, vdagent_t, vhostmd_t, dbusd_etc_t, vnstatd_t, zarafa_ical_t, user_home_t, user_java_t, user_mono_t, user_wine_t, winbind_t, sysadm_sudo_t, telnetd_t, usbmuxd_t, afs_ptserver_t, ipsec_mgmt_t, run_init_t, namespace_init_t, sendmail_t, afs_cache_t, abrt_helper_exec_t, httpd_mediawiki_script_t, disk_munin_plugin_t, piranha_web_t, shutdown_t, userdomain, user_screen_t, audisp_remote_t, corosync_t, dovecot_auth_t, greylist_milter_t, calamaris_t, dlm_controld_t, gfs_controld_t, staff_openoffice_t, mailman_queue_t, smbmount_t, asterisk_t, bitlbee_t, sepgsql_trusted_proc_t, vmware_host_t, checkpc_t, saslauthd_t, awstats_t, dhcpc_state_t, aisexec_t, rpm_var_cache_t, gitosis_t, ld_so_t, debugfs_t, dnsmasq_t, krb5kdc_t, sysadm_seunshare_t, hotplug_t, gpg_pinentry_t, hwclock_t, newrole_t, zos_remote_t, dcc_client_t, mozilla_t, plymouth_t, proc_net_t, procmail_t, setrans_t, traceroute_t, pegasus_t, prelude_t, privoxy_t, qemu_dm_t, staff_java_t, staff_mono_t, staff_sudo_t, staff_wine_t, wpa_cli_t, httpd_awstats_script_t, policykit_reload_t, dbadm_sudo_t, ajaxterm_t, avahi_exec_t, textrel_shlib_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, qmail_send_t, piranha_fos_t, piranha_lvs_t, sandbox_x_t, httpd_apcupsd_cgi_script_t, local_login_t, hald_dccm_t, mysqld_safe_t, ricci_modservice_t, games_srv_t, ricci_modstorage_t, samba_net_t, samba_var_t, afs_bosserver_t, fail2ban_var_lib_t, httpd_nutups_cgi_script_t, hald_sonypic_t, initrc_var_run_t, boinc_project_t, nagios_mail_plugin_t, dhcpc_var_run_t, rpm_script_tmp_t, rpm_var_lib_t, amanda_recover_t, dnsmasq_initrc_exec_t, net_conf_t, chrome_sandbox_t, zarafa_spooler_t, httpd_munin_script_t, telepathy_salut_t, sysadm_passwd_t, sysadm_screen_t, nsplugin_t, zarafa_deliver_t, openvpn_etc_t, bluetooth_helper_t, dcc_dbclean_t, nut_upsd_t, staff_execmem_t, user_execmem_t, podsleuth_t, zarafa_monitor_t, etc_runtime_t, git_session_t, anon_inodefs_t, qmail_remote_t, sysctl_kernel_t, policykit_t, anon_sftpd_t, home_cert_t, httpd_sys_script_t, staff_consolehelper_t, svc_multilog_t, ricci_modclusterd_t, pppd_var_run_t, logwatch_t, mailman_cgi_t, user_cron_spool_t, pulseaudio_t, mailman_mail_t, mysqlmanagerd_t, bluetooth_t, mencoder_t, named_exec_t, netutils_t, qmail_tcp_env_t, consoletype_exec_t, plymouthd_t, smokeping_t, sandbox_x_client_t, ksmtuned_t, dkim_milter_t, mail_munin_plugin_t, admin_crontab_t, consolekit_t, httpd_prewikka_script_t, pam_console_t, zarafa_gateway_t, policykit_grant_t, logrotate_t, ricci_modlog_t, ricci_modrpm_t, setroubleshootd_t, update_modules_t, nsplugin_config_t, ld_so_cache_t, ssh_keysign_t, nagios_checkdisk_plugin_t, postfix_master_t, postfix_pickup_t, qmail_rspawn_t, uml_switch_t, regex_milter_t, qmail_inject_t, qmail_lspawn_t, firewalld_t, wireshark_t, gnomeclock_t, httpd_cvs_script_t, sandbox_net_client_t, system_munin_plugin_t, virsh_ssh_t, hald_acl_t, staff_gkeyringd_t, ntpd_initrc_exec_t, telepathy_sunshine_t, dnsmasq_var_run_t, nscd_initrc_exec_t, iptables_exec_t, postfix_local_t, postfix_smtpd_t, loadkeys_t, services_munin_plugin_t, httpd_git_script_t, nagios_services_plugin_t, smoltclient_t, courier_tcpd_t, prelude_lml_t, dmidecode_t, system_dbusd_var_lib_t, modemmanager_t, NetworkManager_t, qmail_queue_t, sandbox_web_client_t, groupadd_t, audisp_t, auditd_t, blktap_t, httpd_rotatelogs_t, chkpwd_t, afs_kaserver_t, colord_t, policykit_auth_exec_t, comsat_t, dbskkd_t, dccifd_t, dirsrv_t, fenced_t, gconfd_t, groupd_t, iscsid_t, kismet_t, kpropd_t, ktalkd_t, lsassd_t, cert_t, net_conf_t, insmod_exec_t, root_t. 
Then execute: 
restorecon -v 'n2'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that NetworkManager should be allowed read access on the n2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                n2 [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-10.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 04 Apr 2011 04:49:50 PM PDT
Last Seen                     Mon 04 Apr 2011 04:49:50 PM PDT
Local ID                      4ea77490-3692-4538-89ad-a0c1df3f2623

Raw Audit Messages
type=AVC msg=audit(1301960990.900:8): avc:  denied  { read } for  pid=810 comm="NetworkManager" name="n2" dev=tmpfs ino=10770 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

Hash: NetworkManager,NetworkManager_t,default_t,file,read


#============= NetworkManager_t ==============
allow NetworkManager_t default_t:file read;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t default_t:file read;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. N/A
Actual results:

Expected results:

Additional info:
Comment 1 Miroslav Grepl 2011-04-05 08:14:57 EDT
Could you try to install the latest systemd from koji for now

Comment 2 Miroslav Grepl 2011-04-05 08:16:15 EDT
*** Bug 693579 has been marked as a duplicate of this bug. ***
Comment 3 Luya Tshimbalanga 2011-04-07 04:44:03 EDT
No impact with systemd-23.1. I am trying 24.1 version to see if that solves issue.
Comment 4 Luya Tshimbalanga 2011-04-07 14:11:41 EDT
No effect with systemd-24.1 =(
Comment 5 Luya Tshimbalanga 2011-04-07 14:51:23 EDT
Attempting to use latest koji selinux-policy and systemd still generated alert after reboot.
Comment 6 Daniel Walsh 2011-04-07 14:58:36 EDT

*** This bug has been marked as a duplicate of bug 693247 ***

Note You need to log in before you can comment on or make changes to this bug.