Bug 814775 - NetworkManager causes SELinux alerts whenever activating network connection
NetworkManager causes SELinux alerts whenever activating network connection
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: NetworkManager (Show other bugs)
16
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-20 11:56 EDT by James
Modified: 2012-04-26 10:47 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-26 10:47:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James 2012-04-20 11:56:51 EDT
The latest update now causes frequent SELinux alerts. The alerts are all the same:

SELinux is preventing NetworkManager from read access on the file /etc/sysctl.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:system_conf_t:s0
Target Objects                /etc/sysctl.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Source RPM Packages           
Target RPM Packages           initscripts-9.34.2-1.fc16.x86_64
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing





This happens whenever network connectivity is established: booting, docking or manual network enable. This started happening after the following updates:

kernel 3.3.2.1.fc16
NetworkManager 1:0.9.4.2.git20120403.fc16
NetworkManager-glib
NetworkManager-gnome
NetworkManager-gtk 
kernel-headers 3.3.2.1.fc16
Comment 1 Paul Lipps 2012-04-21 16:52:33 EDT
Same issue here. I tried relabeling the filesystem, issue remains.

SELinux is preventing /usr/sbin/NetworkManager from read access on the file /etc/sysctl.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:system_conf_t:s0
Target Objects                /etc/sysctl.conf [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          eeepc
Source RPM Packages           NetworkManager-0.9.4-2.git20120403.fc16.i686
Target RPM Packages           initscripts-9.34.2-1.fc16.i686
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     eeepc
Platform                      Linux eeepc 3.3.2-1.fc16.i686.PAE #1 SMP Sat Apr
                              14 00:50:11 UTC 2012 i686 i686
Alert Count                   1
First Seen                    Sat 21 Apr 2012 02:17:56 PM CDT
Last Seen                     Sat 21 Apr 2012 02:17:56 PM CDT
Local ID                      ad3324d1-295b-4526-a83e-20176b95ccdd

Raw Audit Messages
type=AVC msg=audit(1335035876.706:112): avc:  denied  { read } for  pid=866 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=2491204 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file


type=SYSCALL msg=audit(1335035876.706:112): arch=i386 syscall=open success=no exit=EACCES a0=81159d0 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: NetworkManager,NetworkManager_t,system_conf_t,file,read

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;
Comment 2 Paul Lipps 2012-04-22 14:26:13 EDT
It seems the just pushed selinux-policy-3.10.0-84.fc16.noarch and selinux-policy-targeted-3.10.0-84.fc16.noarch resolved this issue for me.
Comment 3 James 2012-04-26 10:47:15 EDT
As of 4/25/2012, this has been resolved for me as well.

Note You need to log in before you can comment on or make changes to this bug.