Re: selinux stopping NetworkManager from doing its job.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/25/2009 06:20 PM, Antonio Olivares wrote:



--- On Mon, 3/9/09, Antonio Olivares<olivares14031@xxxxxxxxx>  wrote:

From: Antonio Olivares<olivares14031@xxxxxxxxx>
Subject: selinux stopping NetworkManager from doing its job.
To: fedora-selinux-list@xxxxxxxxxx
Cc: fedora-test-list@xxxxxxxxxx
Date: Monday, March 9, 2009, 4:31 PM
Dear fellow testers and selinux experts,

selinux is stopping NetworkManager from doing its job.  To
get internet, I have to manually type # dhclient eth0
and get internet connection.


Summary:

SELinux is preventing dhclient (dhcpc_t) "read
write" unconfined_t.

Detailed Description:

SELinux denied access requested by dhclient. It is not
expected that this access
is required by dhclient and this access may signal an
intrusion attempt. It is
also possible that the specific version or configuration of
the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context
unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                               023
Target Objects                socket [ unix_stream_socket ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port<Unknown>
Host                          riohigh
Source RPM Packages           dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.8-1.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh
2.6.29-0.215.rc7.fc11.i586 #1 SMP
                               Sun Mar 8 23:25:31 EDT 2009
i686 athlon
Alert Count                   6
First Seen                    Fri 06 Mar 2009 04:16:01 PM
CST
Last Seen                     Mon 09 Mar 2009 05:22:13 PM
CST
Local ID
a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236640933.104:39): avc:
denied  { read write } for  pid=3313
comm="dhclient" path="socket:[15009]"
dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236640933.104:39):
arch=40000003 syscall=11 success=yes exit=0 a0=85082b8
a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="dhclient"
exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)


Guess it applies over here:


Summary:

SELinux is preventing NetworkManager (NetworkManager_t)
"read write"
unconfined_t.

Detailed Description:

SELinux denied access requested by NetworkManager. It is
not expected that this
access is required by NetworkManager and this access may
signal an intrusion
attempt. It is also possible that the specific version or
configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context
unconfined_u:system_r:NetworkManager_t:s0
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                               023
Target Objects                socket [ unix_stream_socket ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port<Unknown>
Host                          riohigh
Source RPM Packages
NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.7-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     riohigh
Platform                      Linux riohigh
2.6.29-0.203.rc7.fc11.i586 #1 SMP
                               Wed Mar 4 18:03:29 EST 2009
i686 athlon
Alert Count                   5
First Seen                    Mon 23 Feb 2009 07:23:54 AM
CST
Last Seen                     Fri 06 Mar 2009 04:15:00 PM
CST
Local ID
f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers

Raw Audit Messages

node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied  { read write } for  pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied  { read write } for  pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket

node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied  { read write } for  pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket

node=riohigh type=SYSCALL msg=audit(1236377700.684:236):
arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0
a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager"
exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)




I do not get eth0 active upon starting up, since selinux
stops NetworkManager from getting IP automagically :(.

Regards,


Antonio





--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list

I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled), and also NetworkManager was not doing its job, I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work.  Here's what I did:

checked that I could see what is in my crontab( now I don't get message that pam configuration), I wondered what was going on?

[olivares@riohigh ~]$ crontab -l
30 17 * * 1-5 ~/alarm&>  /dev/null
30 21 * * 1-5 killall -9 /usr/bin/mplayer&>  /dev/null
32 23 * * 1-5 /usr/bin/poweroff&>  /dev/null

Good, one down, several more to go:

[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# service NetworkManager stop
Stopping NetworkManager daemon:                            [  OK  ]
[root@riohigh ~]# service NetworkManager start
Setting network parameters...                              [  OK  ]
Starting NetworkManager daemon:                            [  OK  ]
[root@riohigh ~]# cat /etc/sysconfig/
atd                          keyboard
auditd                       lm_sensors
authconfig                   modules/
bittorrent                   netconsole
bluetooth                    network
cbq/                         networking/
clock                        network-scripts/
console/                     nfs
cpuspeed                     nspluginwrapper
crond                        ntpd
crontab                      ntpdate
firstboot                    prelink
grub                         readonly-root
hsqldb                       rsyslog
httpd                        samba
hw-uuid                      saslauthd
i18n                         selinux
init                         sendmail
ip6tables                    smartmontools
ip6tables-config             snmpd
iptables                     system-config-firewall
[root@riohigh ~]# cat /etc/sysconfig/net
netconsole       network          networking/      network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network
network          networking/      network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/
ifcfg-eth0              ifdown-sl               ifup-post
ifcfg-lo                ifdown-tunnel           ifup-ppp
ifdown                  ifup                    ifup-routes
ifdown-bnep             ifup-aliases            ifup-sit
ifdown-eth              ifup-bnep               ifup-sl
ifdown-ippp             ifup-eth                ifup-tunnel
ifdown-ipsec            ifup-ippp               ifup-wireless
ifdown-ipv6             ifup-ipsec              init.ipv6-global
ifdown-isdn             ifup-ipv6               net.hotplug
ifdown-post             ifup-ipx                network-functions
ifdown-ppp              ifup-isdn               network-functions-ipv6
ifdown-routes           ifup-plip
ifdown-sit              ifup-plusb

was this

[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=no
NM_CONTROLLED=
[root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
You have new mail in /var/spool/mail/root

I changed it to

[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=yes
NM_CONTROLLED=yes


I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter.  It has been a while since I have to start network manually and it should work by itself.

Regards,

Antonio




--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should just use enforcing=0 which will boot in permissive mode, then you do not need to deal with relabeling.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux