Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to
manually type # dhclient eth0
and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP
Sun Mar 8 23:25:31 EDT 2009 i686 athlon
Alert Count 6
First Seen Fri 06 Mar 2009 04:16:01 PM CST
Last Seen Mon 09 Mar 2009 05:22:13 PM CST
Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for
pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11
success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host riohigh
Source RPM Packages NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11
success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from
getting IP automagically :(.
Regards,
Antonio
I am not sure this is an SELinux issue. The errors you are showing
above are related to a leaked file descriptor, probably in konsole, when
you did a service networkmanager restart.
If you put the machine in permissive mode or set NetworkManager_t as
perissive does the network come up?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEYEARECAAYFAkm2Z6kACgkQrlYvE4MpobM0/QCgi7e8hpTiMjF6owvgjl+z6fiv
1OwAoIyN2JwxXCINi5zAP+3G1KKc1G9c
=Evy9
-----END PGP SIGNATURE-----