Bug 988330 - Need policy for OpenLMI-Networking
Need policy for OpenLMI-Networking
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On: 909886
Blocks: 988353
  Show dependency treegraph
Reported: 2013-07-25 06:28 EDT by Radek Novacek
Modified: 2016-11-30 19:31 EST (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-69.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 988353 (view as bug list)
Last Closed: 2013-08-04 18:59:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
ausearch -m avc -ts 12:16 (37.27 KB, text/plain)
2013-07-25 06:28 EDT, Radek Novacek
no flags Details

  None (edit)
Description Radek Novacek 2013-07-25 06:28:37 EDT
Created attachment 778192 [details]
ausearch -m avc -ts 12:16

OpenLMI-Networking provider needs a policy. This is similar request as bz979037 and bz983422 and bz987951.

Network provider manages network devices using NetworkManager via D-Bus.

Audit messages are attached.

Result of `ausearch -m avc -ts 12:16 | audit2allow`, with my comments:

#============= NetworkManager_t ==============
allow NetworkManager_t dhcpc_t:process { siginh noatsecure rlimitinh };
# ^^^ this doesn't seems to be related

#============= firewalld_t ==============
allow firewalld_t iptables_t:process { siginh noatsecure rlimitinh };
# ^^^ this doesn't seems to be related

#============= pegasus_openlmi_networking_t ==============
allow pegasus_openlmi_networking_t passwd_file_t:file { read getattr open };
allow pegasus_openlmi_networking_t pegasus_data_t:dir write;
allow pegasus_openlmi_networking_t proc_net_t:file { read getattr open };
allow pegasus_openlmi_networking_t self:capability { setuid net_admin setgid };
allow pegasus_openlmi_networking_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow pegasus_openlmi_networking_t self:udp_socket { create connect getattr };
allow pegasus_openlmi_networking_t sysfs_t:file { read write getattr open };
allow pegasus_openlmi_networking_t sysfs_t:lnk_file read;
allow pegasus_openlmi_networking_t system_dbusd_t:unix_stream_socket connectto;
allow pegasus_openlmi_networking_t system_dbusd_var_run_t:dir search;
allow pegasus_openlmi_networking_t system_dbusd_var_run_t:sock_file write;

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow pegasus_openlmi_networking_t urandom_device_t:chr_file { read open };

#============= pegasus_t ==============
allow pegasus_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow pegasus_t pegasus_openlmi_networking_t:process { siginh noatsecure rlimitinh };

Please check if the permission is reasonable for networking-handling provider. 
What the provider does:
* D-Bus communication with NetworkManager
* reading /proc/net/dev
* reading /sys/class/net/*/flags
* generating UUIDs with libuuid
* communication with pegasus (same for all providers)
Comment 1 Miroslav Grepl 2013-07-26 04:37:38 EDT
commit 43e08bda258a3c7a1834c467c759a57002ea2d17
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Jul 26 09:38:11 2013 +0200

    Add support for cmpiLMI_Networking-cimprovagt
Comment 2 Fedora Update System 2013-08-02 09:29:26 EDT
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
Comment 3 Fedora Update System 2013-08-02 17:54:57 EDT
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-08-04 18:59:52 EDT
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.