selinux stopping NetworkManager from doing its job.

Daniel J Walsh dwalsh at redhat.com
Thu Mar 26 14:32:21 UTC 2009


On 03/25/2009 06:20 PM, Antonio Olivares wrote:
>
>
>
> --- On Mon, 3/9/09, Antonio Olivares <olivares14031 at yahoo.com> wrote:
>
>> From: Antonio Olivares <olivares14031 at yahoo.com>
>> Subject: selinux stopping NetworkManager from doing its job.
>> To: fedora-selinux-list at redhat.com
>> Cc: fedora-test-list at redhat.com
>> Date: Monday, March 9, 2009, 4:31 PM
>> Dear fellow testers and selinux experts,
>>
>> selinux is stopping NetworkManager from doing its job.  To
>> get internet, I have to manually type # dhclient eth0
>> and get internet connection.
>>
>>
>> Summary:
>>
>> SELinux is preventing dhclient (dhcpc_t) "read
>> write" unconfined_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by dhclient. It is not
>> expected that this access
>> is required by dhclient and this access may signal an
>> intrusion attempt. It is
>> also possible that the specific version or configuration of
>> the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access
>> - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
>> Or you can disable
>> SELinux protection altogether. Disabling SELinux protection
>> is not recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> Target Objects                socket [ unix_stream_socket ]
>> Source                        dhclient
>> Source Path                   /sbin/dhclient
>> Port                          <Unknown>
>> Host                          riohigh
>> Source RPM Packages           dhclient-4.1.0-10.fc11
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.8-1.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     riohigh
>> Platform                      Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon
>> Alert Count                   6
>> First Seen                    Fri 06 Mar 2009 04:16:01 PM CST
>> Last Seen                     Mon 09 Mar 2009 05:22:13 PM CST
>> Local ID                      a9c1d6de-334d-4f45-99bb-470f0f97e3ff
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=riohigh type=AVC msg=audit(1236640933.104:39): avc:
>> denied  { read write } for  pid=3313
>> comm="dhclient" path="socket:[15009]"
>> dev=sockfs ino=15009
>> scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>>
>> node=riohigh type=SYSCALL msg=audit(1236640933.104:39):
>> arch=40000003 syscall=11 success=yes exit=0 a0=85082b8
>> a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
>> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=pts1 ses=1 comm="dhclient"
>> exe="/sbin/dhclient"
>> subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>>
>>
>> Guess it applies over here:
>>
>>
>> Summary:
>>
>> SELinux is preventing NetworkManager (NetworkManager_t)
>> "read write"
>> unconfined_t.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by NetworkManager. It is
>> not expected that this
>> access is required by NetworkManager and this access may
>> signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access
>> - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
>> Or you can disable
>> SELinux protection altogether. Disabling SELinux protection
>> is not recommended.
>> Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                unconfined_u:system_r:NetworkManager_t:s0
>> Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> Target Objects                socket [ unix_stream_socket ]
>> Source                        NetworkManager
>> Source Path                   /usr/sbin/NetworkManager
>> Port                          <Unknown>
>> Host                          riohigh
>> Source RPM Packages           NetworkManager-0.7.0.99-1.fc11
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.7-2.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     riohigh
>> Platform                      Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon
>> Alert Count                   5
>> First Seen                    Mon 23 Feb 2009 07:23:54 AM CST
>> Last Seen                     Fri 06 Mar 2009 04:15:00 PM CST
>> Local ID                      f192ed25-15af-43fd-aa2e-524cca16b88a
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
>> denied  { read write } for  pid=14462
>> comm="NetworkManager"
>> path="socket:[26116]" dev=sockfs ino=26116
>> scontext=unconfined_u:system_r:NetworkManager_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
>> denied  { read write } for  pid=14462
>> comm="NetworkManager"
>> path="socket:[26116]" dev=sockfs ino=26116
>> scontext=unconfined_u:system_r:NetworkManager_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>>
>> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
>> denied  { read write } for  pid=14462
>> comm="NetworkManager"
>> path="socket:[26116]" dev=sockfs ino=26116
>> scontext=unconfined_u:system_r:NetworkManager_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> tclass=unix_stream_socket
>>
>> node=riohigh type=SYSCALL msg=audit(1236377700.684:236):
>> arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0
>> a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
>> pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> sgid=0 fsgid=0 tty=pts1 ses=10
>> comm="NetworkManager"
>> exe="/usr/sbin/NetworkManager"
>> subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>>
>>
>>
>>
>> I do not get eth0 active upon starting up, since selinux
>> stops NetworkManager from getting IP automagically :(.
>>
>> Regards,
>>
>>
>> Antonio
>>
>>
>>
>>
>>
>> --
>> fedora-test-list mailing list
>> fedora-test-list at redhat.com
>> To unsubscribe:
>> https://www.redhat.com/mailman/listinfo/fedora-test-list
>
> I have used selinux=0 to troubleshoot this, and crontab now works (with selinux disabled), and also NetworkManager was not doing its job. I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work.  Here's what I did:
>
> checked that I could see what is in my crontab (now I don't get message that pam configuration), I wondered what was going on?
>
> [olivares at riohigh ~]$ crontab -l
> 30 17 * * 1-5 ~/alarm &> /dev/null
> 30 21 * * 1-5 killall -9 /usr/bin/mplayer &> /dev/null
> 32 23 * * 1-5 /usr/bin/poweroff &> /dev/null
>
> Good, one down, several more to go:
>
> [olivares at riohigh ~]$ su -
> Password:
> [root at riohigh ~]# service NetworkManager stop
> Stopping NetworkManager daemon:                            [  OK  ]
> [root at riohigh ~]# service NetworkManager start
> Setting network parameters...                              [  OK  ]
> Starting NetworkManager daemon:                            [  OK  ]
> [root at riohigh ~]# cat /etc/sysconfig/
> atd                          keyboard
> auditd                       lm_sensors
> authconfig                   modules/
> bittorrent                   netconsole
> bluetooth                    network
> cbq/                         networking/
> clock                        network-scripts/
> console/                     nfs
> cpuspeed                     nspluginwrapper
> crond                        ntpd
> crontab                      ntpdate
> firstboot                    prelink
> grub                         readonly-root
> hsqldb                       rsyslog
> httpd                        samba
> hw-uuid                      saslauthd
> i18n                         selinux
> init                         sendmail
> ip6tables                    smartmontools
> ip6tables-config             snmpd
> iptables                     system-config-firewall
> [root at riohigh ~]# cat /etc/sysconfig/net
> netconsole       network          networking/      network-scripts/
> [root at riohigh ~]# cat /etc/sysconfig/network
> network          networking/      network-scripts/
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/
> ifcfg-eth0              ifdown-sl               ifup-post
> ifcfg-lo                ifdown-tunnel           ifup-ppp
> ifdown                  ifup                    ifup-routes
> ifdown-bnep             ifup-aliases            ifup-sit
> ifdown-eth              ifup-bnep               ifup-sl
> ifdown-ippp             ifup-eth                ifup-tunnel
> ifdown-ipsec            ifup-ippp               ifup-wireless
> ifdown-ipv6             ifup-ipsec              init.ipv6-global
> ifdown-isdn             ifup-ipv6               net.hotplug
> ifdown-post             ifup-ipx                network-functions
> ifdown-ppp              ifup-isdn               network-functions-ipv6
> ifdown-routes           ifup-plip
> ifdown-sit              ifup-plusb
>
> was this
>
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
> # VIA Technologies, Inc. VT6102 [Rhine-II]
> DEVICE=eth0
> HWADDR=00:50:2c:a2:23:28
> ONBOOT=no
> NM_CONTROLLED=
> [root at riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
> You have new mail in /var/spool/mail/root
>
> I changed it to
>
> [root at riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
> # VIA Technologies, Inc. VT6102 [Rhine-II]
> DEVICE=eth0
> HWADDR=00:50:2c:a2:23:28
> ONBOOT=yes
> NM_CONTROLLED=yes
>
>
> I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter.  It has been a while since I have to start network manually and it should work by itself.
>
> Regards,
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should just use enforcing=0, which will boot in permissive mode; then 
you do not need to deal with relabeling.
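The two raw AVC/SYSCALL pairs quoted above share a shape worth recognising before reaching for audit2allow: the SYSCALL record is syscall=11 under arch=40000003 (execve on i386), success=yes, auid=500 and tty=pts1, and the denied object is a unix_stream_socket labelled unconfined_t. That is a daemon exec'd from a user's unconfined terminal session (su -, then service ... start, or dhclient by hand) inheriting the session's socket descriptor, not the daemon's own network traffic, and the exec itself was not blocked. The script below is an added example written for this thread, not code from the thread, Fedora or the SELinux tools; it parses the quoted records (constructed inline as sample input), correlates AVC and SYSCALL by audit serial, and flags this leaked-descriptor pattern so that nobody turns it into an allow rule. The classification rules, field names and advice text are this example's own.

```python
"""Correlate raw SELinux AVC and SYSCALL audit records and triage them.

Added example, not code from the thread or from Fedora. The sample input is
constructed inline from the raw audit messages quoted in the thread (the
NetworkManager AVC was quoted three times; duplicate lines are dropped).
"""
import re
from collections import defaultdict

RAW_AUDIT = """\
node=riohigh type=AVC msg=audit(1236640933.104:39): avc:  denied  { read write } for  pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:  denied  { read write } for  pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')    # timestamp and serial
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')           # { read write }

# execve syscall number per audit arch value (AUDIT_ARCH_I386, AUDIT_ARCH_X86_64)
EXECVE_BY_ARCH = {"40000003": "11", "c000003e": "59"}
AUID_UNSET = "4294967295"          # auid of processes with no login session
# object classes a process can only hold on unconfined_t by inheriting them
INHERITABLE = {"unix_stream_socket", "unix_dgram_socket", "fd", "fifo_file", "chr_file"}


def parse_record(line):
    """Return (type, timestamp, serial, fields) for one raw audit line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    perms = PERMS_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields["type"], float(m.group(1)), m.group(2), fields


def se_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def classify(serial, avc, sc):
    """Decide whether one AVC (with its SYSCALL record) is a leaked-descriptor denial."""
    src, tgt = se_type(avc["scontext"]), se_type(avc["tcontext"])
    arch = sc.get("arch")
    execve = arch in EXECVE_BY_ARCH and EXECVE_BY_ARCH[arch] == sc.get("syscall")
    login_session = (sc.get("auid", AUID_UNSET) != AUID_UNSET
                     and sc.get("tty", "(none)") != "(none)")
    perms = avc.get("perms", [])
    if execve and login_session and tgt == "unconfined_t" and avc["tclass"] in INHERITABLE:
        verdict = "leaked_fd_from_user_session"
        advice = (f"{src} inherited an unconfined_t {avc['tclass']} across execve from a login "
                  f"session (auid={sc['auid']}, tty={sc['tty']}). Do not add "
                  f"'allow {src} unconfined_t:{avc['tclass']} {{ {' '.join(perms)} }}' as "
                  f"audit2allow -a would; dontaudit it or start the daemon from the init "
                  f"system at boot so no session descriptors are inherited.")
    else:
        verdict = "needs_policy_review"
        advice = f"{src} requested {perms} on {tgt}:{avc['tclass']}; check with sesearch first."
    return {"serial": serial, "comm": avc.get("comm"), "source_type": src, "target_type": tgt,
            "tclass": avc["tclass"], "perms": perms, "execve": execve,
            "exec_succeeded": sc.get("success") == "yes", "verdict": verdict, "advice": advice}


def triage(raw):
    """Group records by audit serial, then classify every AVC in time order."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": {}, "ts": 0.0})
    seen = set()
    for line in raw.splitlines():
        line = line.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        events[serial]["ts"] = ts
        if rtype == "AVC":
            events[serial]["AVC"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
    results = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        for avc in ev["AVC"]:
            results.append(classify(serial, avc, ev["SYSCALL"]))
    return results


if __name__ == "__main__":
    for e in triage(RAW_AUDIT):
        print(f"[{e['serial']}] {e['comm']} {e['source_type']} -> {e['target_type']}:{e['tclass']} "
              f"{e['perms']} execve={e['execve']} ok={e['exec_succeeded']} {e['verdict']}")
        print("   ", e["advice"])
```

On a live host feed it uninterpreted records, for example the output of ausearch -m AVC,SYSCALL -ts recent (without -i, which would replace syscall numbers with names), and extend EXECVE_BY_ARCH for other architectures. The success=yes on both SYSCALL records is the reason these denials were never going to explain eth0 staying down; the thread's working fix was the ifcfg-eth0 change, not a policy module.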



