Bug 799591 - SELinux is preventing NetworkManager from 'read' access on the file /etc/sysctl.conf.
SELinux is preventing NetworkManager from 'read' access on the file /etc/sysc...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
All Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:49eca6fbf6729d777526d53aace...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-03 04:29 EST by Nicolas Mailhot
Modified: 2012-04-22 20:21 EDT (History)
147 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-21 23:34:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Mailhot 2012-03-03 04:29:21 EST
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc5.git3.1.fc18.x86_64
reason:         SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the fichier /etc/sysctl.conf.
time:           sam. 03 mars 2012 10:29:07 CET

description:
:SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the fichier /etc/sysctl.conf.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:NetworkManager_t:s0
:Target Context                system_u:object_r:system_conf_t:s0
:Target Objects                /etc/sysctl.conf [ file ]
:Source                        NetworkManager
:Source Path                   /usr/sbin/NetworkManager
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           NetworkManager-0.9.3.995-0.4.git20120302.fc18.x86_
:                              64
:Target RPM Packages           initscripts-9.34-3.fc17.x86_64
:Policy RPM                    selinux-policy-3.10.0-94.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-0.rc5.git3.1.fc18.x86_64 #1
:                              SMP Wed Feb 29 21:26:31 UTC 2012 x86_64 x86_64
:Alert Count                   15
:First Seen                    ven. 02 mars 2012 23:01:28 CET
:Last Seen                     ven. 02 mars 2012 23:05:55 CET
:Local ID                      79b39d04-c0a0-4edc-8ec1-6551b68bbb6b
:
:Raw Audit Messages
:type=AVC msg=audit(1330725955.649:220): avc:  denied  { read } for  pid=4438 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=25451 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1330725955.649:220): arch=x86_64 syscall=open success=no exit=EACCES a0=4c6c82 a1=0 a2=666e6f a3=11 items=0 ppid=1 pid=4438 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)
:
:Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Miroslav Grepl 2012-03-05 04:15:41 EST
commit c15c9a6e24aebb00db8f5ffeaa982e3162320d92
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Mar 5 11:14:24 2012 +0000

    NM reads sysctl.conf
Comment 2 Adam Williamson 2012-03-16 18:48:26 EDT
Proposing as Final blocker, criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login" - this happens just on connecting to the network.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 3 Adam Williamson 2012-03-16 18:49:06 EDT
also proposing as NTH for Beta, it would be nice to avoid getting seven billion reports of this from the Beta release. Miroslav / Dan, can you do an selinux-policy build which fixes this and submit it as an F17 update?
Comment 4 Miroslav Grepl 2012-03-19 10:41:12 EDT
Sure, I am going to do it today.
Comment 5 Fedora Update System 2012-03-19 13:55:20 EDT
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17
Comment 6 Fedora Update System 2012-03-20 02:08:23 EDT
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-03-21 14:54:14 EDT
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Luke Macken 2012-04-03 00:15:35 EDT
I'm hitting this on F16 as well.
Comment 9 Miroslav Grepl 2012-04-03 01:58:16 EDT
It has been backported to F16. I am going to do a new F16 update these days.
Comment 10 Adam Williamson 2012-04-18 09:26:25 EDT
Re-opening for F16. I'm hitting it too and it's two weeks since mgrepl said he'd do an update.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 11 Simon Lewis 2012-04-19 13:06:14 EDT
The is happening on Fc16 x86_64 since kde was upgraded to 4.8.2 and the kernel was updated to 3.3.2...
Comment 12 Miroslav Grepl 2012-04-20 03:51:23 EDT
It has been fixed.
Comment 13 Fedora Update System 2012-04-20 03:56:32 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 14 Adam Williamson 2012-04-20 16:53:07 EDT
Dropping 17 NTH and Blocker status/nominations, as the issue is fixed in 17 and was re-opened for 16.
Comment 15 Michael Convey 2012-04-21 17:27:09 EDT
I just did a softwar update today and got this error when I connected to the internet via Android 4.0 Portable WiFi hotspot (Verizon Galaxy Nexus): 


SELinux is preventing NetworkManager from read access on the file /etc/sysctl.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:system_conf_t:s0
Target Objects                /etc/sysctl.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          XXXXXXXXXXX
Source RPM Packages           
Target RPM Packages           initscripts-9.34.2-1.fc16.i686
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXXXXXXXXXX
Platform                      Linux XXXXXXXXXXX 3.3.2-1.fc16.i686.PAE #1 SMP
                              Sat Apr 14 00:50:11 UTC 2012 i686 i686
Alert Count                   6
First Seen                    Sat 21 Apr 2012 04:25:38 AM PDT
Last Seen                     Sat 21 Apr 2012 02:13:32 PM PDT
Local ID                      1a9dcf65-36d6-4802-bf1c-7f46b40ab142

Raw Audit Messages
type=AVC msg=audit(1335042812.142:50): avc:  denied  { read } for  pid=800 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=525142 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file


Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
Comment 16 Fedora Update System 2012-04-21 23:34:50 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Mr. Meval 2012-04-22 10:20:16 EDT
Still causing this. I'll and it's not activating abrt for some reason. I'll post another bug

SELinux is preventing /sbin/dhclient from read access on the file nm-dhclient-em1.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dhclient should be allowed read access on the nm-dhclient-em1.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dhclient /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                nm-dhclient-em1.conf [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          tower
Source RPM Packages           dhclient-4.2.3-6.P2.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-84.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tower
Platform                      Linux tower 3.3.2-1.fc16.x86_64 #1 SMP Sat Apr 14
                              00:31:23 UTC 2012 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 21 Apr 2012 09:48:46 PM EDT
Last Seen                     Sun 22 Apr 2012 10:19:27 AM EDT
Local ID                      32de1171-7287-4dc7-935b-2f21dd299f16

Raw Audit Messages
type=AVC msg=audit(1335104367.301:317): avc:  denied  { read } for  pid=23295 comm="dhclient" name="nm-dhclient-em1.conf" dev="tmpfs" ino=2523954 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1335104367.301:317): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffd887a85f a1=80000 a2=7f84211e8320 a3=38 items=0 ppid=23283 pid=23295 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=7 comm=dhclient exe=/sbin/dhclient subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

Hash: dhclient,dhcpc_t,var_run_t,file,read

audit2allow

#============= dhcpc_t ==============
allow dhcpc_t var_run_t:file read;

audit2allow -R

#============= dhcpc_t ==============
allow dhcpc_t var_run_t:file read;
Comment 18 Miroslav Grepl 2012-04-22 14:45:27 EDT
For now just execute

# restorecon -R -v /var/run/nm-dhclient*

I added fixes to make sure these files are labeled correctly.
Comment 19 Mr. Meval 2012-04-22 20:21:11 EDT
Ok, it does require a reboot. I assumed just killing the programs running that and then rerunning the program would work. After finally giving up and rebooting it worked. Thanks.

Note You need to log in before you can comment on or make changes to this bug.