6:31 p.m.
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to
manually type # dhclient eth0
and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP
Sun Mar 8 23:25:31 EDT 2009 i686 athlon
Alert Count 6
First Seen Fri 06 Mar 2009 04:16:01 PM CST
Last Seen Mon 09 Mar 2009 05:22:13 PM CST
Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for
pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11
success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host riohigh
Source RPM Packages NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11
success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from getting
IP automagically :(.
Regards,
Antonio
7:48 p.m.
Antonio Olivares wrote:
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to
manually type # dhclient eth0
and get internet connection.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=489422
Currently being worked on in #fedora-devel on irc.freenode.net
Kind regards,
Jeroen van Meeuwen
-kanarip
8:14 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To get internet, I have to
manually type # dhclient eth0
and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.215.rc7.fc11.i586 #1 SMP
Sun Mar 8 23:25:31 EDT 2009 i686 athlon
Alert Count 6
First Seen Fri 06 Mar 2009 04:16:01 PM CST
Last Seen Mon 09 Mar 2009 05:22:13 PM CST
Local ID a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc: denied { read write } for
pid=3313 comm="dhclient" path="socket:[15009]" dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39): arch=40000003 syscall=11
success=yes exit=0 a0=85082b8 a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host riohigh
Source RPM Packages NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh 2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009 i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM CST
Last Seen Fri 06 Mar 2009 04:15:00 PM CST
Local ID f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc: denied { read write } for
pid=14462 comm="NetworkManager" path="socket:[26116]" dev=sockfs
ino=26116 scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236): arch=40000003 syscall=11
success=yes exit=0 a0=84f2ee0 a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager" exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux stops NetworkManager from
getting IP automagically :(.
Regards,
Antonio
I am not sure this is an SELinux issue. The errors you are showing
above are related to a leaked file descriptor, probably in konsole, when
you did a service networkmanager restart.
If you put the machine in permissive mode or set NetworkManager_t as
perissive does the network come up?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkm2Z6kACgkQrlYvE4MpobM0/QCgi7e8hpTiMjF6owvgjl+z6fiv
1OwAoIyN2JwxXCINi5zAP+3G1KKc1G9c
=Evy9
-----END PGP SIGNATURE-----
5:20 p.m.
--- On Mon, 3/9/09, Antonio Olivares <olivares14031(a)yahoo.com> wrote:
From: Antonio Olivares <olivares14031(a)yahoo.com>
Subject: selinux stopping NetworkManager from doing its job.
To: fedora-selinux-list(a)redhat.com
Cc: fedora-test-list(a)redhat.com
Date: Monday, March 9, 2009, 4:31 PM
Dear fellow testers and selinux experts,
selinux is stopping NetworkManager from doing its job. To
get internet, I have to manually type # dhclient eth0
and get internet connection.
Summary:
SELinux is preventing dhclient (dhcpc_t) "read
write" unconfined_t.
Detailed Description:
SELinux denied access requested by dhclient. It is not
expected that this access
is required by dhclient and this access may signal an
intrusion attempt. It is
also possible that the specific version or configuration of
the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source dhclient
Source Path /sbin/dhclient
Port <Unknown>
Host riohigh
Source RPM Packages dhclient-4.1.0-10.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.8-1.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh
2.6.29-0.215.rc7.fc11.i586 #1 SMP
Sun Mar 8 23:25:31 EDT 2009
i686 athlon
Alert Count 6
First Seen Fri 06 Mar 2009 04:16:01 PM
CST
Last Seen Mon 09 Mar 2009 05:22:13 PM
CST
Local ID
a9c1d6de-334d-4f45-99bb-470f0f97e3ff
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236640933.104:39): avc:
denied { read write } for pid=3313
comm="dhclient" path="socket:[15009]"
dev=sockfs ino=15009
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236640933.104:39):
arch=40000003 syscall=11 success=yes exit=0 a0=85082b8
a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="dhclient"
exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Guess it applies over here:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t)
"read write"
unconfined_t.
Detailed Description:
SELinux denied access requested by NetworkManager. It is
not expected that this
access is required by NetworkManager and this access may
signal an intrusion
attempt. It is also possible that the specific version or
configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable
SELinux protection altogether. Disabling SELinux protection
is not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
unconfined_u:system_r:NetworkManager_t:s0
Target Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects socket [ unix_stream_socket ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host riohigh
Source RPM Packages
NetworkManager-0.7.0.99-1.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.7-2.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name riohigh
Platform Linux riohigh
2.6.29-0.203.rc7.fc11.i586 #1 SMP
Wed Mar 4 18:03:29 EST 2009
i686 athlon
Alert Count 5
First Seen Mon 23 Feb 2009 07:23:54 AM
CST
Last Seen Fri 06 Mar 2009 04:15:00 PM
CST
Local ID
f192ed25-15af-43fd-aa2e-524cca16b88a
Line Numbers
Raw Audit Messages
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
denied { read write } for pid=14462
comm="NetworkManager"
path="socket:[26116]" dev=sockfs ino=26116
scontext=unconfined_u:system_r:NetworkManager_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
node=riohigh type=SYSCALL msg=audit(1236377700.684:236):
arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0
a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=10
comm="NetworkManager"
exe="/usr/sbin/NetworkManager"
subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
I do not get eth0 active upon starting up, since selinux
stops NetworkManager from getting IP automagically :(.
Regards,
Antonio
--
fedora-test-list mailing list
fedora-test-list(a)redhat.com
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list
I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled),
and also NetworkManager was not doing its job, I don't know what did it, but
/etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's
what I did:
checked that I could see what is in my crontab( now I don't get message that pam
configuration), I wondered what was going on?
[olivares@riohigh ~]$ crontab -l
30 17 * * 1-5 ~/alarm &> /dev/null
30 21 * * 1-5 killall -9 /usr/bin/mplayer &> /dev/null
32 23 * * 1-5 /usr/bin/poweroff &> /dev/null
Good, one down, several more to go:
[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# service NetworkManager stop
Stopping NetworkManager daemon: [ OK ]
[root@riohigh ~]# service NetworkManager start
Setting network parameters... [ OK ]
Starting NetworkManager daemon: [ OK ]
[root@riohigh ~]# cat /etc/sysconfig/
atd keyboard
auditd lm_sensors
authconfig modules/
bittorrent netconsole
bluetooth network
cbq/ networking/
clock network-scripts/
console/ nfs
cpuspeed nspluginwrapper
crond ntpd
crontab ntpdate
firstboot prelink
grub readonly-root
hsqldb rsyslog
httpd samba
hw-uuid saslauthd
i18n selinux
init sendmail
ip6tables smartmontools
ip6tables-config snmpd
iptables system-config-firewall
[root@riohigh ~]# cat /etc/sysconfig/net
netconsole network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network
network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/
ifcfg-eth0 ifdown-sl ifup-post
ifcfg-lo ifdown-tunnel ifup-ppp
ifdown ifup ifup-routes
ifdown-bnep ifup-aliases ifup-sit
ifdown-eth ifup-bnep ifup-sl
ifdown-ippp ifup-eth ifup-tunnel
ifdown-ipsec ifup-ippp ifup-wireless
ifdown-ipv6 ifup-ipsec init.ipv6-global
ifdown-isdn ifup-ipv6 net.hotplug
ifdown-post ifup-ipx network-functions
ifdown-ppp ifup-isdn network-functions-ipv6
ifdown-routes ifup-plip
ifdown-sit ifup-plusb
was this
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=no
NM_CONTROLLED=
[root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
You have new mail in /var/spool/mail/root
I changed it to
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=yes
NM_CONTROLLED=yes
I will restart system and hope that all is well and report back and see if selinux
automatically relabels everything by itself, normally this happens when I have used
selinux=0 booting parameter. It has been a while since I have to start network manually
and it should work by itself.
Regards,
Antonio
9:32 a.m.
On 03/25/2009 06:20 PM, Antonio Olivares wrote:
--- On Mon, 3/9/09, Antonio Olivares<olivares14031(a)yahoo.com> wrote:
> From: Antonio Olivares<olivares14031(a)yahoo.com>
> Subject: selinux stopping NetworkManager from doing its job.
> To: fedora-selinux-list(a)redhat.com
> Cc: fedora-test-list(a)redhat.com
> Date: Monday, March 9, 2009, 4:31 PM
> Dear fellow testers and selinux experts,
>
> selinux is stopping NetworkManager from doing its job. To
> get internet, I have to manually type # dhclient eth0
> and get internet connection.
>
>
> Summary:
>
> SELinux is preventing dhclient (dhcpc_t) "read
> write" unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by dhclient. It is not
> expected that this access
> is required by dhclient and this access may signal an
> intrusion attempt. It is
> also possible that the specific version or configuration of
> the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access
> - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux protection
> is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context
> unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> Target Context
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source dhclient
> Source Path /sbin/dhclient
> Port<Unknown>
> Host riohigh
> Source RPM Packages dhclient-4.1.0-10.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.8-1.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh
> 2.6.29-0.215.rc7.fc11.i586 #1 SMP
> Sun Mar 8 23:25:31 EDT 2009
> i686 athlon
> Alert Count 6
> First Seen Fri 06 Mar 2009 04:16:01 PM
> CST
> Last Seen Mon 09 Mar 2009 05:22:13 PM
> CST
> Local ID
> a9c1d6de-334d-4f45-99bb-470f0f97e3ff
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236640933.104:39): avc:
> denied { read write } for pid=3313
> comm="dhclient" path="socket:[15009]"
> dev=sockfs ino=15009
> scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236640933.104:39):
> arch=40000003 syscall=11 success=yes exit=0 a0=85082b8
> a1=8517f20 a2=8517f60 a3=8517f20 items=0 ppid=3265 pid=3313
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=pts1 ses=1 comm="dhclient"
> exe="/sbin/dhclient"
> subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
>
>
> Guess it applies over here:
>
>
> Summary:
>
> SELinux is preventing NetworkManager (NetworkManager_t)
> "read write"
> unconfined_t.
>
> Detailed Description:
>
> SELinux denied access requested by NetworkManager. It is
> not expected that this
> access is required by NetworkManager and this access may
> signal an intrusion
> attempt. It is also possible that the specific version or
> configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access
> - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux protection
> is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context
> unconfined_u:system_r:NetworkManager_t:s0
> Target Context
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> 023
> Target Objects socket [ unix_stream_socket ]
> Source NetworkManager
> Source Path /usr/sbin/NetworkManager
> Port<Unknown>
> Host riohigh
> Source RPM Packages
> NetworkManager-0.7.0.99-1.fc11
> Target RPM Packages
> Policy RPM selinux-policy-3.6.7-2.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name riohigh
> Platform Linux riohigh
> 2.6.29-0.203.rc7.fc11.i586 #1 SMP
> Wed Mar 4 18:03:29 EST 2009
> i686 athlon
> Alert Count 5
> First Seen Mon 23 Feb 2009 07:23:54 AM
> CST
> Last Seen Fri 06 Mar 2009 04:15:00 PM
> CST
> Local ID
> f192ed25-15af-43fd-aa2e-524cca16b88a
> Line Numbers
>
> Raw Audit Messages
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
> denied { read write } for pid=14462
> comm="NetworkManager"
> path="socket:[26116]" dev=sockfs ino=26116
> scontext=unconfined_u:system_r:NetworkManager_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
> denied { read write } for pid=14462
> comm="NetworkManager"
> path="socket:[26116]" dev=sockfs ino=26116
> scontext=unconfined_u:system_r:NetworkManager_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
>
> node=riohigh type=AVC msg=audit(1236377700.684:236): avc:
> denied { read write } for pid=14462
> comm="NetworkManager"
> path="socket:[26116]" dev=sockfs ino=26116
> scontext=unconfined_u:system_r:NetworkManager_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket
>
> node=riohigh type=SYSCALL msg=audit(1236377700.684:236):
> arch=40000003 syscall=11 success=yes exit=0 a0=84f2ee0
> a1=84f2e30 a2=84f2268 a3=84f2e30 items=0 ppid=14461
> pid=14462 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 ses=10
> comm="NetworkManager"
> exe="/usr/sbin/NetworkManager"
> subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)
>
>
>
>
> I do not get eth0 active upon starting up, since selinux
> stops NetworkManager from getting IP automagically :(.
>
> Regards,
>
>
> Antonio
>
>
>
>
>
> --
> fedora-test-list mailing list
> fedora-test-list(a)redhat.com
> To unsubscribe:
> https://www.redhat.com/mailman/listinfo/fedora-test-list
I have used selinux=0 to troubleshoot this, and crontab now works(with selinux disabled),
and also NetworkManager was not doing its job, I don't know what did it, but
/etc/sysconfig/network-scripts/ifcfg-eth0 was modified and now it should work. Here's
what I did:
checked that I could see what is in my crontab( now I don't get message that pam
configuration), I wondered what was going on?
[olivares@riohigh ~]$ crontab -l
30 17 * * 1-5 ~/alarm&> /dev/null
30 21 * * 1-5 killall -9 /usr/bin/mplayer&> /dev/null
32 23 * * 1-5 /usr/bin/poweroff&> /dev/null
Good, one down, several more to go:
[olivares@riohigh ~]$ su -
Password:
[root@riohigh ~]# service NetworkManager stop
Stopping NetworkManager daemon: [ OK ]
[root@riohigh ~]# service NetworkManager start
Setting network parameters... [ OK ]
Starting NetworkManager daemon: [ OK ]
[root@riohigh ~]# cat /etc/sysconfig/
atd keyboard
auditd lm_sensors
authconfig modules/
bittorrent netconsole
bluetooth network
cbq/ networking/
clock network-scripts/
console/ nfs
cpuspeed nspluginwrapper
crond ntpd
crontab ntpdate
firstboot prelink
grub readonly-root
hsqldb rsyslog
httpd samba
hw-uuid saslauthd
i18n selinux
init sendmail
ip6tables smartmontools
ip6tables-config snmpd
iptables system-config-firewall
[root@riohigh ~]# cat /etc/sysconfig/net
netconsole network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network
network networking/ network-scripts/
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/
ifcfg-eth0 ifdown-sl ifup-post
ifcfg-lo ifdown-tunnel ifup-ppp
ifdown ifup ifup-routes
ifdown-bnep ifup-aliases ifup-sit
ifdown-eth ifup-bnep ifup-sl
ifdown-ippp ifup-eth ifup-tunnel
ifdown-ipsec ifup-ippp ifup-wireless
ifdown-ipv6 ifup-ipsec init.ipv6-global
ifdown-isdn ifup-ipv6 net.hotplug
ifdown-post ifup-ipx network-functions
ifdown-ppp ifup-isdn network-functions-ipv6
ifdown-routes ifup-plip
ifdown-sit ifup-plusb
was this
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=no
NM_CONTROLLED=
[root@riohigh ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
You have new mail in /var/spool/mail/root
I changed it to
[root@riohigh ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# VIA Technologies, Inc. VT6102 [Rhine-II]
DEVICE=eth0
HWADDR=00:50:2c:a2:23:28
ONBOOT=yes
NM_CONTROLLED=yes
I will restart system and hope that all is well and report back and see if selinux
automatically relabels everything by itself, normally this happens when I have used
selinux=0 booting parameter. It has been a while since I have to start network manually
and it should work by itself.
Regards,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You should just use
enforcing=0 which will boot in permissive mode, then
you do not need to deal with relabeling.
5503
days inactive
5520
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Antonio Olivares -
Daniel J Walsh -
Jeroen van Meeuwen