On 03/25/2009 06:20 PM, Antonio Olivares wrote:
--- On Mon, 3/9/09, Antonio Olivares<olivares14031@xxxxxxxxx> wrote:
From: Antonio Olivares<olivares14031@xxxxxxxxx>
Subject: selinux stopping NetworkManager from doing its job.
To: fedora-selinux-list@xxxxxxxxxx
Cc: fedora-test-list@xxxxxxxxxx
Date: Monday, March 9, 2009, 4:31 PM
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To
get internet, I have to manually type # dhclient eth0
and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read
write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not
expected that this access
is required by dhclient and this access may signal an
intrusion attempt. It is
also possible that the specific version or configuration of
the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port<Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh
2.6.29-0.215.rc7.fc11.i586 #1 SMP
Sun Mar 8 23:25:31 EDT 2009
i686 athlon
Alert Count 6
First Seen Fri 06 Mar 2009 04:16:01 PM
CST
Last Seen Mon 09 Mar 2009 05:22:13 PM
CST
Local ID
a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc:
denied { read write } for pid=3313
comm="dhclient" path="socket:[15009]"
dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39):
arch=40000003 syscall=11 success=yes exit=0 a0=85082b8
a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="dhclient"
exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t)
"read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is
not expected that this
access is required by NetworkManager and this access may
signal an intrusion
attempt. It is also possible that the specific version or
configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:system_r:NetworkManager_t:s0
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port<Unknown>
Host riohigh
Source RPM Packages
NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh
2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009
i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM
CST
Last Seen Fri 06 Mar 2009 04:15:00 PM
CST
Local ID
f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236):
arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0
a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager"
exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux
stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled), and also NetworkManager was not doing its job, I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's what I did:
checked that I could see what is in my crontab( now I don't get message that pam configuration), I wondered what was going on?
[olivares@riohigh ~]$ crontab -l
30 17 * * 1-5 ~/alarm&> /dev/null
30 21 * * 1-5 killall -9 /usr/bin/mplayer&> /dev/null
32 23 * * 1-5 /usr/bin/poweroff&> /dev/null
Good, one down, several more to go:
[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# service NetworkManager stop
Stopping NetworkManager daemon: [ OK ]
[root@riohigh ~]# service NetworkManager start
Setting network parameters... [ OK ]
Starting NetworkManager daemon: [ OK ]
[root@riohigh ~]# cat /etc/sysconfig/
atd keyboard
auditd lm_sensors
authconfig modules/
bittorrent netconsole
bluetooth network
cbq/ networking/
clock network-scripts/
console/ nfs
cpuspeed nspluginwrapper
crond ntpd
crontab ntpdate
firstboot prelink
grub readonly-root
hsqldb rsyslog
httpd samba
hw-uuid saslauthd
i18n selinux
init sendmail
ip6tables smartmontools
ip6tables-config snmpd
iptables system-config-firewall
[root@riohigh ~]# cat /etc/sysconfig/net
netconsole network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network
network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/
ifcfg-eth0 ifdown-sl ifup-post
ifcfg-lo ifdown-tunnel ifup-ppp
ifdown ifup ifup-routes
ifdown-bnep ifup-aliases ifup-sit
ifdown-eth ifup-bnep ifup-sl
ifdown-ippp ifup-eth ifup-tunnel
ifdown-ipsec ifup-ippp ifup-wireless
ifdown-ipv6 ifup-ipsec init.ipv6-global
ifdown-isdn ifup-ipv6 net.hotplug
ifdown-post ifup-ipx network-functions
ifdown-ppp ifup-isdn network-functions-ipv6
ifdown-routes ifup-plip
ifdown-sit ifup-plusb
was this
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=no
NM_CONTROLLED=
[root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
You have new mail in /var/spool/mail/root
I changed it to
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=yes
NM_CONTROLLED=yes
I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter. It has been a while since I have to start network manually and it should work by itself.
Regards,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should just use enforcing=0 which will boot in permissive mode, then
you do not need to deal with relabeling.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
