Bug 808913 - SELinux is preventing NetworkManager from getattr access on the file /etc/sysctl.conf.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-04-01 12:38 EDT by GoinEasy9
Modified: 2012-04-21 23:38 EDT
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-21 23:38:08 EDT


Description GoinEasy9 2012-04-01 12:38:18 EDT
Description of problem: Receive SELinux alert upon boot


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-80.fc16.noarch

How reproducible: Boot F16, every time.


Steps to Reproduce:
1. Boot PC
  
Actual results:


Expected results:


Additional info:
I have F16 KDE running with Updates-Testing enabled.  After last update I get SELinux notification.

SELinux is preventing NetworkManager from getattr access on the file /etc/sysctl.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed getattr access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:system_conf_t:s0
Target Objects                /etc/sysctl.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          fedora16dwkde
Source RPM Packages           
Target RPM Packages           initscripts-9.34.2-1.fc16.i686
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora16dwkde
Platform                      Linux fedora16dwkde 3.3.0-8.fc16.i686.PAE #1 SMP
                              Thu Mar 29 18:26:34 UTC 2012 i686 i686
Alert Count                   1
First Seen                    Sun 01 Apr 2012 12:19:35 PM EDT
Last Seen                     Sun 01 Apr 2012 12:19:35 PM EDT
Local ID                      c5f812ac-c6fa-42c5-ab72-19b44bbbb667

Raw Audit Messages
type=AVC msg=audit(1333297175.322:30): avc:  denied  { getattr } for  pid=891 comm="NetworkManager" path="/etc/sysctl.conf" dev="sda2" ino=28989 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file


Hash: NetworkManager,NetworkManager_t,system_conf_t,file,getattr

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file getattr;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file getattr;


Using the workaround listed, the problem persists.  I've tried 3 times now.

Workaround used:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 GoinEasy9 2012-04-06 22:39:32 EDT
Thank you.

Although I got this error upon installation:
Updating   : selinux-policy-3.10.0-81.fc16.noarch 1/4
/usr/share/selinux/devel/include/apps/jockey.if: Syntax error on line 13111 jockey_cache_t [type=IDENTIFIER]

And upon reboot the notification persisted.  Using the workaround:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Solved the problem.
Comment 3 Fedora Update System 2012-04-18 08:55:47 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 4 GoinEasy9 2012-04-18 23:06:47 EDT
Thank You

No errors to report. Works well, on both the laptop and desktop.
Comment 5 Fedora Update System 2012-04-21 23:38:08 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
