selinux stopping NetworkManager from doing its job.

Daniel J Walsh dwalsh at redhat.com
Tue Mar 10 13:14:17 UTC 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antonio Olivares wrote:
> Dear fellow testers and selinux experts,
> 
> selinux is stopping NetworkManager from doing its job.  To get internet, I have to manually type # dhclient eth0 
> and get internet connection.
> 
> 
> Summary:
> 
> SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                               023
> Target Objects                socket [ unix_stream_socket ]
> Source                        dhclient
> Source Path                   /sbin/dhclient
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           dhclient-4.1.0-10.fc11
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.8-1.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP
>                               Sun Mar 8 23:25:31 EDT 2009 i686 athlon
> Alert Count                   6
> First Seen                    Fri 06 Mar 2009 04:16:01 PM CST
> Last Seen                     Mon 09 Mar 2009 05:22:13 PM CST
> Local ID                      a9c1d6de-334d-4f45-99bb-470f0f97e3ff
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1236640933.104:39): avc:  denied  { read write } for  pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
> 
> 
> Guess it applies over here:
> 
> 
> Summary:
> 
> SELinux is preventing NetworkManager (NetworkManager_t) "read write"
> unconfined_t.
> 
> Detailed Description:
> 
> SELinux denied access requested by NetworkManager. It is not expected that this
> access is required by NetworkManager and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                unconfined_u:system_r:NetworkManager_t:s0
> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                               023
> Target Objects                socket [ unix_stream_socket ]
> Source                        NetworkManager
> Source Path                   /usr/sbin/NetworkManager
> Port                          <Unknown>
> Host                          riohigh
> Source RPM Packages           NetworkManager-0.7.0.99-1.fc11
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.6.7-2.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     riohigh
> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
>                               Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count                   5
> First Seen                    Mon 23 Feb 2009 07:23:54 AM CST
> Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
> Local ID                      f192ed25-15af-43fd-aa2e-524cca16b88a
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
> 
> node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
> 
> 
> 
> 
> I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(. 
> 
> Regards,
> 
> 
> Antonio 
> 
> 
> 
>       
> 
I am not sure this is an SELinux issue.  The errors you are showing
above are related to a leaked file descriptor, probably in konsole, when
you did a service networkmanager restart.

If you put the machine in permissive mode or set NetworkManager_t as
perissive does the network come up?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkm2Z6kACgkQrlYvE4MpobM0/QCgi7e8hpTiMjF6owvgjl+z6fiv
1OwAoIyN2JwxXCINi5zAP+3G1KKc1G9c
=Evy9
-----END PGP SIGNATURE-----

More information about the fedora-test-list mailing list