selinux stopping NetworkManager from doing its job.
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 10 13:14:17 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> Dear fellow testers and selinux experts,
>
> selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0
> and get internet connection.
>
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not expected that this access
> is required by dhclient and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source dhclient
> Source Path /sbin/dhclient
> Port <Unknown>
> Host riohigh
> Source RPM Packages dhclient-4.1.0-10.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.8-1.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP
> Sun Mar 8 23:25:31 EDT 2009 i686 athlon
> Alert Count 6
> First Seen Fri 06 Mar 2009 04:16:01 PM CST
> Last Seen Mon 09 Mar 2009 05:22:13 PM CST
> Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
>
> Guess it applies over here:
>
>
> Summary:
>
> SELinux is preventing NetworkManager (NetworkManager_t) "read write"
> unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by NetworkManager. It is not expected that this
> access is required by NetworkManager and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:NetworkManager_t:s0
> Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source NetworkManager
> Source Path /usr/sbin/NetworkManager
> Port <Unknown>
> Host riohigh
> Source RPM Packages NetworkManager-0.7.0.99-1.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.7-2.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
> Wed Mar 4 18:03:29 EST 2009 i686 athlon
> Alert Count 5
> First Seen Mon 23 Feb 2009 07:23:54 AM CST
> Last Seen Fri 06 Mar 2009 04:15:00 PM CST
> Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
>
>
> I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
>
> Regards,
>
>
> Antonio
>
>
>
>
>
I am not sure this is an SELinux issue. The errors you are showing
above are related to a leaked file descriptor, probably in konsole, when
you did a service networkmanager restart.
If you put the machine in permissive mode or set NetworkManager_t as
perissive does the network come up?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkm2Z6kACgkQrlYvE4MpobM0/QCgi7e8hpTiMjF6owvgjl+z6fiv
1OwAoIyN2JwxXCINi5zAP+3G1KKc1G9c
=Evy9
-----END PGP SIGNATURE-----
More information about the fedora-test-list
mailing list