Description of problem:
SELinux denials on Fedora 17 after installing blueman and enabling the Network Access Point service (blueman-services -> Network Access Point) with dnsmasq. Denial 1/25

Additional info:
libreport version: 2.0.18
kernel:         3.6.6-1.fc17.i686.PAE

description:
:SELinux is preventing /usr/bin/python2.7 from 'module_request' accesses on the system .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that python2.7 should be allowed module_request access on the system by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep blueman-mechani /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:blueman_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:kernel_t:s0
:Target Objects                [ system ]
:Source                        blueman-mechani
:Source Path                   /usr/bin/python2.7
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           python-2.7.3-7.2.fc17.i686
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-1.fc17.i686.PAE #1 SMP Mon
:                              Nov 5 22:05:54 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    2012-11-18 15:14:18 CET
:Last Seen                     2012-11-18 15:14:18 CET
:Local ID                      bbe2b80a-4e70-4cd4-a290-7dc7e80631c8
:
:Raw Audit Messages
:type=AVC msg=audit(1353248058.895:65): avc:  denied  { module_request } for  pid=1403 comm="blueman-mechani" kmod="bridge" scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
:
:type=AVC msg=audit(1353248058.895:65): avc:  denied  { net_admin } for  pid=1403 comm="blueman-mechani" capability=12  scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability
:
:type=SYSCALL msg=audit(1353248058.895:65): arch=i386 syscall=ioctl success=yes exit=0 a0=8 a1=89a0 a2=b7142db4 a3=8 items=0 ppid=1 pid=1403 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=blueman-mechani exe=/usr/bin/python2.7 subj=system_u:system_r:blueman_t:s0-s0:c0.c1023 key=(null)
:
:Hash: blueman-mechani,blueman_t,kernel_t,system,module_request
:
:audit2allow
:
:#============= blueman_t ==============
:#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
:
:allow blueman_t kernel_t:system module_request;
:allow blueman_t self:capability net_admin;
:
:audit2allow -R
:
:#============= blueman_t ==============
:#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
:
:allow blueman_t kernel_t:system module_request;
:allow blueman_t self:capability net_admin;
:
Created attachment 647186
File: type

Created attachment 647187
File: hashmarkername

Created attachment 647201
Denials 2 to 25/25
Added fixes.

commit e313ee760e3ebd5e2abe991a9e003398d20bb121
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 19 12:20:05 2012 +0100

    Allow enabling Network Access Point service using blueman
selinux-policy-3.10.0-161.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-161.fc17
Created attachment 649235
A few more AVCs (with selinux-policy-3.10.0-161.fc17)

selinux-policy-3.10.0-161.fc17 fixes some AVCs, but many remain.
So this looks like blueman is executing ifconfig, dnsmasq and iptables. Do you know which apps it is executing first? It looks like blueman is bringing up the network.
I just checked in 8883bdb341ee14ba0de9bb3390b87b1e83db05ae to F18, which should allow this. Not sure which process created the /run/dnsmasq.pan1.pid file.
Package selinux-policy-3.10.0-161.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-161.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18787/selinux-policy-3.10.0-161.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-161.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
I confirm that this problem persists with selinux-policy up to 3.10.0-166.fc17 (included). Here are the audit2allow auto-generated rules for the remaining missing policies:

module blueman 1.0;

require {
	type var_run_t;
	type iptables_exec_t;
	type sysctl_net_t;
	type ifconfig_exec_t;
	type blueman_t;
	type proc_net_t;
	type dnsmasq_exec_t;
	class capability net_raw;
	class dir { write read search open add_name };
	class file { execute read create execute_no_trans write getattr open };
	class rawip_socket { getopt create setopt };
}

#============= blueman_t ==============
allow blueman_t dnsmasq_exec_t:file execute_no_trans;
#!!!! This avc is allowed in the current policy
allow blueman_t dnsmasq_exec_t:file { read execute open };
allow blueman_t ifconfig_exec_t:file { read execute open execute_no_trans };
allow blueman_t iptables_exec_t:file { read execute open execute_no_trans };
allow blueman_t proc_net_t:file read;
allow blueman_t self:capability net_raw;
allow blueman_t self:rawip_socket { getopt create setopt };
allow blueman_t sysctl_net_t:dir { read search open };
#!!!! The source type 'blueman_t' can write to a 'file' of the following types:
# blueman_var_lib_t, root_t
allow blueman_t sysctl_net_t:file { write getattr open };
#!!!! The source type 'blueman_t' can write to a 'dir' of the following types:
# var_lib_t, blueman_var_lib_t, root_t
allow blueman_t var_run_t:dir { write add_name };
#!!!! The source type 'blueman_t' can write to a 'file' of the following types:
# blueman_var_lib_t, root_t
allow blueman_t var_run_t:file { write read create open getattr };
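The raw AVC records in the original report and the audit2allow module in the comment above are two views of the same data: each `avc: denied { perms } ... scontext=... tcontext=... tclass=...` record maps to one `allow <source type> <target type>:<class> <perms>;` rule, with `self` substituted when the source and target types match (the `capability` denials), and `audit2allow -M` wraps the merged rules in a `require { ... }` block. The Python script below, added here as an illustration and not part of blueman, the Fedora SELinux policy or the audit tools, performs that translation on the two AVC records quoted in the report plus three constructed records for the ifconfig execution that the module above allows. It is deliberately narrower than audit2allow: it does not consult the installed policy, so it cannot notice that a boolean such as `domain_kernel_load_modules` would also permit the access or that a rule is already allowed. That distinction is the security point of the fix committed above: the boolean lets every confined domain trigger kernel module autoloading, whereas `allow blueman_t kernel_t:system module_request;` grants it to blueman_t alone.

```python
"""Translate 'avc: denied' audit records into audit2allow-style allow rules.

Added example for this bug thread; it is not blueman code, not the Fedora
SELinux policy, and not the real audit2allow (which also consults the
installed policy to report booleans and already-allowed rules).
"""
import re
from collections import defaultdict

# The first two records are the ones quoted in the original report. The
# SYSCALL record shows that non-AVC records are skipped. The last three
# records are CONSTRUCTED to mirror the ifconfig_exec_t rule audit2allow
# emitted for the later denials; dev/ino values are placeholders.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1353248058.895:65): avc:  denied  { module_request } for  '
    'pid=1403 comm="blueman-mechani" kmod="bridge" '
    'scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'type=AVC msg=audit(1353248058.895:65): avc:  denied  { net_admin } for  '
    'pid=1403 comm="blueman-mechani" capability=12  '
    'scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 tclass=capability',
    'type=SYSCALL msg=audit(1353248058.895:65): arch=i386 syscall=ioctl '
    'success=yes exit=0 pid=1403 comm=blueman-mechani exe=/usr/bin/python2.7',
    # constructed records
    'type=AVC msg=audit(1353248100.001:70): avc:  denied  { execute } for  '
    'pid=1450 comm="blueman-mechani" name="ifconfig" dev="sda2" ino=1 '
    'scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1353248100.001:71): avc:  denied  { read open } for  '
    'pid=1450 comm="blueman-mechani" path="/sbin/ifconfig" dev="sda2" ino=1 '
    'scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1353248100.001:72): avc:  denied  { execute_no_trans } for  '
    'pid=1450 comm="blueman-mechani" path="/sbin/ifconfig" dev="sda2" ino=1 '
    'scontext=system_u:system_r:blueman_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC record, or None
    for any record that is not an 'avc: denied' message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {"perms": m.group("perms").split(), **fields}


def type_of(context):
    """system_u:system_r:blueman_t:s0-s0:c0.c1023 -> blueman_t (third field)."""
    return context.split(":")[2]


def group_denials(lines):
    """Merge denials keyed by (source type, target type, class), so several
    records against the same object become one rule with a permission set.
    Source == target collapses to 'self', exactly as in the report's
    'allow blueman_t self:capability net_admin;' rule."""
    grouped = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or not {"scontext", "tcontext", "tclass"} <= avc.keys():
            continue
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        target = "self" if src == tgt else tgt
        grouped[(src, target, avc["tclass"])] |= set(avc["perms"])
    return grouped


def format_perms(perms):
    """One permission bare, several in braces, matching the .te style."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def format_rules(grouped):
    return [f"allow {src} {tgt}:{cls} {format_perms(perms)};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


def avc_to_rules(lines):
    """The bare rules, as plain 'audit2allow' prints them."""
    return format_rules(group_denials(lines))


def build_te_module(name, lines):
    """A loadable-module source in the layout of 'audit2allow -M': header,
    require block listing every type and class/permission used, then rules
    grouped under a per-source-type banner."""
    grouped = group_denials(lines)
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in grouped.items():
        types.add(src)
        if tgt != "self":          # 'self' is a keyword, never a required type
            types.add(tgt)
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {format_perms(perms)};" for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    rules = format_rules(grouped)
    for src in sorted({key[0] for key in grouped}):
        out.append(f"#============= {src} ==============")
        out += [r for r in rules if r.startswith(f"allow {src} ")]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te_module("blueman_local", SAMPLE_AUDIT_LOG))
```

Run as a script it prints a module source that could be compiled with checkmodule/semodule_package, but the point of the exercise is to read the generated rules before loading them: a rule such as `allow blueman_t self:capability net_admin;` grants the domain full network administration, so each line should be weighed against what the program actually needs rather than installed wholesale.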
These are different. I am backporting fixes from F18.
commit 7c6d9f3278d7a24f78d8ad2a813c5f784b97b6cb
Author: Miroslav Grepl <mgrepl>
Date:   Mon Feb 4 12:14:21 2013 +0100

    Backport blueman policy from F18