Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port <Unknown> Host riohigh Source RPM Packages dhclient-4.1.0-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon Alert Count 6 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Mon 09 Mar 2009 05:22:13 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host riohigh Source RPM Packages NetworkManager-0.7.0.99-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon Alert Count 5 First Seen Mon 23 Feb 2009 07:23:54 AM CST Last Seen Fri 06 Mar 2009 04:15:00 PM CST Local ID f192ed25-15af-43fd-aa2e-524cca16b88a Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
Antonio Olivares wrote:
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 and get internet connection.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=489422
Currently being worked on in #fedora-devel on irc.freenode.net
Kind regards,
Jeroen van Meeuwen -kanarip
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Antonio Olivares wrote:
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port <Unknown> Host riohigh Source RPM Packages dhclient-4.1.0-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon Alert Count 6 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Mon 09 Mar 2009 05:22:13 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host riohigh Source RPM Packages NetworkManager-0.7.0.99-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon Alert Count 5 First Seen Mon 23 Feb 2009 07:23:54 AM CST Last Seen Fri 06 Mar 2009 04:15:00 PM CST Local ID f192ed25-15af-43fd-aa2e-524cca16b88a Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
I am not sure this is an SELinux issue. The errors you are showing above are related to a leaked file descriptor, probably in konsole, when you did a service networkmanager restart.
If you put the machine in permissive mode or set NetworkManager_t as perissive does the network come up?
--- On Mon, 3/9/09, Antonio Olivares olivares14031@yahoo.com wrote:
From: Antonio Olivares olivares14031@yahoo.com Subject: selinux stopping NetworkManager from doing its job. To: fedora-selinux-list@redhat.com Cc: fedora-test-list@redhat.com Date: Monday, March 9, 2009, 4:31 PM Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port <Unknown> Host riohigh Source RPM Packages dhclient-4.1.0-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon Alert Count 6 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Mon 09 Mar 2009 05:22:13 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port <Unknown> Host riohigh Source RPM Packages NetworkManager-0.7.0.99-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon Alert Count 5 First Seen Mon 23 Feb 2009 07:23:54 AM CST Last Seen Fri 06 Mar 2009 04:15:00 PM CST Local ID f192ed25-15af-43fd-aa2e-524cca16b88a Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
-- fedora-test-list mailing list fedora-test-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled), and also NetworkManager was not doing its job, I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's what I did:
checked that I could see what is in my crontab( now I don't get message that pam configuration), I wondered what was going on?
[olivares@riohigh ~]$ crontab -l 30 17 * * 1-5 ~/alarm &> /dev/null 30 21 * * 1-5 killall -9 /usr/bin/mplayer &> /dev/null 32 23 * * 1-5 /usr/bin/poweroff &> /dev/null
Good, one down, several more to go:
[olivares@riohigh ~]$ su - Password: [root@riohigh ~]# service NetworkManager stop Stopping NetworkManager daemon: [ OK ] [root@riohigh ~]# service NetworkManager start Setting network parameters... [ OK ] Starting NetworkManager daemon: [ OK ] [root@riohigh ~]# cat /etc/sysconfig/ atd keyboard auditd lm_sensors authconfig modules/ bittorrent netconsole bluetooth network cbq/ networking/ clock network-scripts/ console/ nfs cpuspeed nspluginwrapper crond ntpd crontab ntpdate firstboot prelink grub readonly-root hsqldb rsyslog httpd samba hw-uuid saslauthd i18n selinux init sendmail ip6tables smartmontools ip6tables-config snmpd iptables system-config-firewall [root@riohigh ~]# cat /etc/sysconfig/net netconsole network networking/ network-scripts/ [root@riohigh ~]# cat /etc/sysconfig/network network networking/ network-scripts/ [root@riohigh ~]# cat /etc/sysconfig/network-scripts/ ifcfg-eth0 ifdown-sl ifup-post ifcfg-lo ifdown-tunnel ifup-ppp ifdown ifup ifup-routes ifdown-bnep ifup-aliases ifup-sit ifdown-eth ifup-bnep ifup-sl ifdown-ippp ifup-eth ifup-tunnel ifdown-ipsec ifup-ippp ifup-wireless ifdown-ipv6 ifup-ipsec init.ipv6-global ifdown-isdn ifup-ipv6 net.hotplug ifdown-post ifup-ipx network-functions ifdown-ppp ifup-isdn network-functions-ipv6 ifdown-routes ifup-plip ifdown-sit ifup-plusb
was this
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # VIA Technologies, Inc. VT6102 [Rhine-II] DEVICE=eth0 HWADDR=00:50:2c:a2:23:28 ONBOOT=no NM_CONTROLLED= [root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 You have new mail in /var/spool/mail/root
I changed it to
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # VIA Technologies, Inc. VT6102 [Rhine-II] DEVICE=eth0 HWADDR=00:50:2c:a2:23:28 ONBOOT=yes NM_CONTROLLED=yes
I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter. It has been a while since I have to start network manually and it should work by itself.
Regards,
Antonio
On 03/25/2009 06:20 PM, Antonio Olivares wrote:
--- On Mon, 3/9/09, Antonio Olivaresolivares14031@yahoo.com wrote:
From: Antonio Olivaresolivares14031@yahoo.com Subject: selinux stopping NetworkManager from doing its job. To: fedora-selinux-list@redhat.com Cc: fedora-test-list@redhat.com Date: Monday, March 9, 2009, 4:31 PM Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to manually type # dhclient eth0 and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source dhclient Source Path /sbin/dhclient Port<Unknown> Host riohigh Source RPM Packages dhclient-4.1.0-10.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.8-1.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP Sun Mar 8 23:25:31 EDT 2009 i686 athlon Alert Count 6 First Seen Fri 06 Mar 2009 04:16:01 PM CST Last Seen Mon 09 Mar 2009 05:22:13 PM CST Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11 success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this access is required by NetworkManager and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects socket [ unix_stream_socket ] Source NetworkManager Source Path /usr/sbin/NetworkManager Port<Unknown> Host riohigh Source RPM Packages NetworkManager-0.7.0.99-1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.7-2.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name riohigh Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP Wed Mar 4 18:03:29 EST 2009 i686 athlon Alert Count 5 First Seen Mon 23 Feb 2009 07:23:54 AM CST Last Seen Fri 06 Mar 2009 04:15:00 PM CST Local ID f192ed25-15af-43fd-aa2e-524cca16b88a Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461 pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
-- fedora-test-list mailing list fedora-test-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-test-list
I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled), and also NetworkManager was not doing its job, I don't know what did it, but /etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's what I did:
checked that I could see what is in my crontab( now I don't get message that pam configuration), I wondered what was going on?
[olivares@riohigh ~]$ crontab -l 30 17 * * 1-5 ~/alarm&> /dev/null 30 21 * * 1-5 killall -9 /usr/bin/mplayer&> /dev/null 32 23 * * 1-5 /usr/bin/poweroff&> /dev/null
Good, one down, several more to go:
[olivares@riohigh ~]$ su - Password: [root@riohigh ~]# service NetworkManager stop Stopping NetworkManager daemon: [ OK ] [root@riohigh ~]# service NetworkManager start Setting network parameters... [ OK ] Starting NetworkManager daemon: [ OK ] [root@riohigh ~]# cat /etc/sysconfig/ atd keyboard auditd lm_sensors authconfig modules/ bittorrent netconsole bluetooth network cbq/ networking/ clock network-scripts/ console/ nfs cpuspeed nspluginwrapper crond ntpd crontab ntpdate firstboot prelink grub readonly-root hsqldb rsyslog httpd samba hw-uuid saslauthd i18n selinux init sendmail ip6tables smartmontools ip6tables-config snmpd iptables system-config-firewall [root@riohigh ~]# cat /etc/sysconfig/net netconsole network networking/ network-scripts/ [root@riohigh ~]# cat /etc/sysconfig/network network networking/ network-scripts/ [root@riohigh ~]# cat /etc/sysconfig/network-scripts/ ifcfg-eth0 ifdown-sl ifup-post ifcfg-lo ifdown-tunnel ifup-ppp ifdown ifup ifup-routes ifdown-bnep ifup-aliases ifup-sit ifdown-eth ifup-bnep ifup-sl ifdown-ippp ifup-eth ifup-tunnel ifdown-ipsec ifup-ippp ifup-wireless ifdown-ipv6 ifup-ipsec init.ipv6-global ifdown-isdn ifup-ipv6 net.hotplug ifdown-post ifup-ipx network-functions ifdown-ppp ifup-isdn network-functions-ipv6 ifdown-routes ifup-plip ifdown-sit ifup-plusb
was this
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # VIA Technologies, Inc. VT6102 [Rhine-II] DEVICE=eth0 HWADDR=00:50:2c:a2:23:28 ONBOOT=no NM_CONTROLLED= [root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0 You have new mail in /var/spool/mail/root
I changed it to
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 # VIA Technologies, Inc. VT6102 [Rhine-II] DEVICE=eth0 HWADDR=00:50:2c:a2:23:28 ONBOOT=yes NM_CONTROLLED=yes
I will restart system and hope that all is well and report back and see if selinux automatically relabels everything by itself, normally this happens when I have used selinux=0 booting parameter. It has been a while since I have to start network manually and it should work by itself.
Regards,
Antonio
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should just use enforcing=0 which will boot in permissive mode, then you do not need to deal with relabeling.
selinux@lists.fedoraproject.org