Bug 962852 - Name change for NM DHCP helper
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2013-05-14 15:04 UTC by Dan Williams
Modified: 2013-05-30 03:34 UTC

Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-30 03:34:33 UTC
Type: Bug

Description Dan Williams 2013-05-14 15:04:31 UTC
F19+

We're changing the name of the helper that NetworkManager tells dhclient to run, so instead of:

%{_libexecdir}/nm-dhcp-client.action

the new name/location is:

%{_libexecdir}/nm-dhcp-helper

We haven't pushed this change into Fedora yet, but we'd like to get the SELinux policy updated before we do that. Though can we keep both executables in the rules for now so the change goes smoothly? Thanks!

Comment 1 Miroslav Grepl 2013-05-15 10:36:49 UTC
$ matchpathcon /usr/libexec/nm-dhcp-client.action 
/usr/libexec/nm-dhcp-client.action	system_u:object_r:bin_t:s0

$ matchpathcon /usr/libexec/nm-dhcp-helper
/usr/libexec/nm-dhcp-helper	system_u:object_r:bin_t:s0

so it should be OK. But thank you for the bug.

Comment 2 Dan Williams 2013-05-16 15:38:19 UTC
Sorry for re-opening; one additional note.  The new helper talks to NM via a private dbus socket, so I get these AVCs which I failed to report before:

[167421.436171] type=1400 audit(1368718001.841:132): avc:  denied  { connectto } for  pid=9551 comm="nm-dhcp-helper" path="/run/NetworkManager/private-dhcp" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[167712.650632] type=1400 audit(1368718293.055:133): avc:  denied  { write } for  pid=9664 comm="nm-dhcp-helper" name="private-dhcp" dev="tmpfs" ino=2871306 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file

Now obviously NM is running in "unconfined_t" because I'm running a development copy directly from my source directory.  Are these AVCs only showing because I'm running that unconfined devel copy, or do we need to do something in the policy to allow nm-dhcp-helper to access /run/NetworkManager/private-dhcp?

Thanks!

Comment 3 Miroslav Grepl 2013-05-16 19:42:28 UTC
Yes, it has been added.

commit 5552a51568c3305837922503124fb39002a5df36
Author: Miroslav Grepl <mgrepl>
Date:   Thu May 16 13:53:39 2013 +0200

    Add networkmanager_stream_connect()

Comment 4 Fedora Update System 2013-05-29 14:20:37 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 5 Fedora Update System 2013-05-29 17:47:30 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-05-30 03:34:33 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

