Bug 962852 - Name change for NM DHCP helper
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Assigned To: Miroslav Grepl
Ben Levenson
: Reopened
Reported: 2013-05-14 11:04 EDT by Dan Williams
Modified: 2013-05-29 23:34 EDT
Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Last Closed: 2013-05-29 23:34:33 EDT
Type: Bug
Description Dan Williams 2013-05-14 11:04:31 EDT

We're changing the name of the helper that NetworkManager tells dhclient to run, so instead of:


the new name/location is:


We haven't pushed this change into Fedora yet, but we'd like to get the selinux policy updated before we do that. Though can we keep both executables in the rules for now so the change goes smoothly? Thanks!
Comment 1 Miroslav Grepl 2013-05-15 06:36:49 EDT
$ matchpathcon /usr/libexec/nm-dhcp-client.action 
/usr/libexec/nm-dhcp-client.action	system_u:object_r:bin_t:s0

$ matchpathcon /usr/libexec/nm-dhcp-helper
/usr/libexec/nm-dhcp-helper	system_u:object_r:bin_t:s0

so it should be OK. But thank you for the bug.
Comment 2 Dan Williams 2013-05-16 11:38:19 EDT
Sorry for re-opening; one additional note.  The new helper talks to NM via a private dbus socket, so I get these AVCs which I failed to report before:

[167421.436171] type=1400 audit(1368718001.841:132): avc:  denied  { connectto } for  pid=9551 comm="nm-dhcp-helper" path="/run/NetworkManager/private-dhcp" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
[167712.650632] type=1400 audit(1368718293.055:133): avc:  denied  { write } for  pid=9664 comm="nm-dhcp-helper" name="private-dhcp" dev="tmpfs" ino=2871306 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file

Now obviously NM is running in "unconfined_t" because I'm running a development copy directly from my source directory.  Are these AVCs only showing because I'm running that unconfined devel copy, or do we need to do something in the policy to allow nm-dhcp-helper to access /run/NetworkManager/private-dhcp?

Comment 3 Miroslav Grepl 2013-05-16 15:42:28 EDT
Yes, has been added.

commit 5552a51568c3305837922503124fb39002a5df36
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu May 16 13:53:39 2013 +0200

    Add networkmanager_stream_connect()
Comment 4 Fedora Update System 2013-05-29 10:20:37 EDT
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
Comment 5 Fedora Update System 2013-05-29 13:47:30 EDT
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-05-29 23:34:33 EDT
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
