Bug 987629 - SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the lnk_file .#Red Hat openvpn.
SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the ln...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
abrt_hash:cb230b00400c0837506be24e76c...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-23 15:20 EDT by Eric Blake
Modified: 2013-07-26 19:07 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-66.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-26 19:07:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eric Blake 2013-07-23 15:20:27 EDT
Description of problem:
I was editing an existing network manager openvpn file by hand with emacs, which creates the .#name backup during the duration of the edit.  I don't think this is a SELinux bug, but rather a bug in NetworkManager for trying to treat editor temp files as though they also contain network setups.
SELinux is preventing /usr/sbin/NetworkManager from 'read' accesses on the lnk_file .#Red Hat openvpn.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed read access on the .#Red Hat openvpn lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:NetworkManager_etc_rw_t:s0
Target Objects                .#Red Hat openvpn [ lnk_file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.9.8.2-8.git20130709.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-65.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat
                              Jul 6 13:41:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-23 13:15:40 MDT
Last Seen                     2013-07-23 13:15:40 MDT
Local ID                      cf07764d-74f4-487e-8c55-76790f63804e

Raw Audit Messages
type=AVC msg=audit(1374606940.958:3052): avc:  denied  { read } for  pid=738 comm="NetworkManager" name=2E2352656420486174206F70656E76706E dev="dm-2" ino=527723 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:NetworkManager_etc_rw_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1374606940.958:3052): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f2b2bbae820 a1=7fff486d0f10 a2=7fff486d0f10 a3=4000 items=0 ppid=1 pid=738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: NetworkManager,NetworkManager_t,NetworkManager_etc_rw_t,lnk_file,read

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.9-302.fc19.x86_64
type:           libreport
Comment 1 Eric Blake 2013-07-23 15:24:54 EDT
The AVC popped up in the middle of the editing session that I started with:
$ emacs -nw /etc/NetworkManager/system-connections/Red\ Hat\ openvpn
Comment 2 Jirka Klimes 2013-07-24 06:47:28 EDT
Pushed a change to ignore files starting with ".#"
d60dae255819ba052799f972d54ec1f28649ea27

Note that in future the NM won't be monitoring connection files, rather it would read them on explicit request.
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/man/NetworkManager.conf.xml#n100

On the other hand, this is a SELinux bug, because it prevents 'read' accesses on the lnk_file. So if the valid configuration file was a link, SELinux would prevent reading the file.
Comment 3 Miroslav Grepl 2013-07-24 08:40:17 EDT

commit 2a5b21a45572dc89cbf92e925fcb7193025c5a91
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 24 14:39:52 2013 +0200

    Allow NM to read lnk files with NetworkManager_etc_rw_t
Comment 4 Fedora Update System 2013-07-24 10:15:31 EDT
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19
Comment 5 Fedora Update System 2013-07-24 20:36:30 EDT
Package selinux-policy-3.12.1-66.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-07-26 19:07:16 EDT
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.