Bug 538110 - Network Manager 1.0 selinux policy issues
Summary: Network Manager 1.0 selinux policy issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Jason Zaman
URL:
Whiteboard: sec-policy-r3
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-29 08:00 UTC by Jason Zaman
Modified: 2015-04-16 18:47 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Jason Zaman gentoo-dev 2015-01-29 08:00:49 UTC
1) fcontext for the dispatch dir is:
/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
NetworkManager needs list_dir_perms since that is not typically a label used on dirs. Also, the transition into initrc was not working since it was using a labelled initrc script. It already had init_domtrans_script; it also needed init_labeled_script_domtrans.

list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
init_labeled_script_domtrans(NetworkManager_t, NetworkManager_initrc_exec_t)


2) The dispatch script checks if NM is connected (stream_connect perm) and then activates the OpenRC service. Without this dispatch script, the OpenRC service stays marked as "inactive", which means that any services that "need net" will not start.

networkmanager_stream_connect(initrc_t)


3) nm-dispatcher has changed name: it used to be NetworkManagerDispatcher but is now called nm-dispatcher.

-/usr/sbin/NetworkManagerDispatcher   --      gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/libexec/nm-dispatcher\.action   --      gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/usr/libexec/nm-dispatcher.*         --      gen_context(system_u:object_r:NetworkManager_exec_t,s0)


4) CRDA (the wifi regulatory daemon) is run by udev when the card is brought up and needs to talk to the kernel.

allow udev_t self:netlink_socket create_socket_perms;


5) NetworkManager components use rawip_sockets.

allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t self:unix_stream_socket connectto;

networkmanager_rw_rawip_sockets(resolvconf_t)

networkmanager_rw_rawip_sockets(initrc_t)
networkmanager_stream_connect(initrc_t)


AVCs (using auditallow, thus the "granted"):
disconnecting:
type=AVC msg=audit(1422518036.820:35449): avc:  granted  { create } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35450): avc:  granted  { setopt } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35451): avc:  granted  { setopt } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35452): avc:  granted  { bind } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35453): avc:  granted  { getattr } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35454): avc:  granted  { write } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35455): avc:  granted  { read } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35456): avc:  granted  { read } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35457): avc:  granted  { write } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518036.820:35458): avc:  granted  { read } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket

connecting:
type=AVC msg=audit(1422518130.938:35463): avc:  granted  { create } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35464): avc:  granted  { setopt } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35465): avc:  granted  { setopt } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35466): avc:  granted  { bind } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35467): avc:  granted  { getattr } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35468): avc:  granted  { write } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35469): avc:  granted  { read } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35470): avc:  granted  { read } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.938:35471): avc:  granted  { write } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.939:35472): avc:  granted  { read } for  pid=7334 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=AVC msg=audit(1422518130.974:35473): avc:  granted  { create } for  pid=3543 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518130.974:35474): avc:  granted  { setopt } for  pid=3543 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518130.974:35475): avc:  granted  { setopt } for  pid=3543 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518132.110:35476): avc:  granted  { getattr } for  pid=3543 comm="NetworkManager" path="socket:[2854775]" dev="sockfs" ino=2854775 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518132.111:35477): avc:  granted  { write } for  pid=3543 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518132.228:35478): avc:  granted  { read write } for  pid=7345 comm="resolvconf" path="socket:[2854775]" dev="sockfs" ino=2854775 scontext=system_u:system_r:resolvconf_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518132.233:35479): avc:  denied  { read } for  pid=7345 comm="resolvconf" name="meminfo" dev="proc" ino=4026532011 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0
type=AVC msg=audit(1422518132.245:35480): avc:  denied  { read } for  pid=7352 comm="mv" name="filesystems" dev="proc" ino=4026532066 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0
type=AVC msg=audit(1422518132.248:35481): avc:  denied  { read } for  pid=7353 comm="mkdir" name="filesystems" dev="proc" ino=4026532066 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0
type=AVC msg=audit(1422518132.271:35482): avc:  denied  { read } for  pid=7379 comm="restartcmd" name="meminfo" dev="proc" ino=4026532011 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0
type=AVC msg=audit(1422518132.275:35483): avc:  denied  { read } for  pid=7380 comm="rc-service" name="meminfo" dev="proc" ino=4026532011 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0
type=AVC msg=audit(1422518132.275:35484): avc:  granted  { read write } for  pid=7380 comm="openrc" path="socket:[2854775]" dev="sockfs" ino=2854775 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518135.987:35485): avc:  granted  { write } for  pid=3543 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1422518139.986:35486): avc:  granted  { write } for  pid=3543 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
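As an added illustration (not part of the bug report), this Python reducer turns the AVC records quoted above into the merged permission sets behind the allow rules listed in the report, the way audit2allow does; the raw rule it emits for resolvconf_t on NetworkManager_t's rawip_socket corresponds to the networkmanager_rw_rawip_sockets(resolvconf_t) call in the report. The sample lines are copied from the report; the function names are the example's own.

```python
import re
from collections import defaultdict

# Lines copied from the AVC records quoted in this bug report.
SAMPLE_AVC = [
    'type=AVC msg=audit(1422518036.820:35449): avc:  granted  { create } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket',
    'type=AVC msg=audit(1422518036.820:35450): avc:  granted  { setopt } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket',
    'type=AVC msg=audit(1422518036.820:35452): avc:  granted  { bind } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket',
    'type=AVC msg=audit(1422518036.820:35454): avc:  granted  { write } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket',
    'type=AVC msg=audit(1422518036.820:35455): avc:  granted  { read } for  pid=6992 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket',
    'type=AVC msg=audit(1422518132.228:35478): avc:  granted  { read write } for  pid=7345 comm="resolvconf" path="socket:[2854775]" dev="sockfs" ino=2854775 scontext=system_u:system_r:resolvconf_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket',
    'type=AVC msg=audit(1422518132.233:35479): avc:  denied  { read } for  pid=7345 comm="resolvconf" name="meminfo" dev="proc" ino=4026532011 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=0',
]

# The fields of an AVC record that matter for deriving a policy rule.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (decision, source type, target type, class, perms) or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]   # user:role:type[:mls] -> type
    ttype = m.group('tcontext').split(':')[2]
    return (m.group('decision'), stype, ttype, m.group('tclass'), set(m.group('perms').split()))

def summarize(lines):
    """Merge records into permission sets keyed by (decision, stype, ttype, tclass)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            decision, stype, ttype, tclass, perms = rec
            rules[(decision, stype, ttype, tclass)] |= perms
    return rules

def to_allow_rules(rules, decision='granted'):
    """Render one decision's sets as allow rules; 'self' when source and target types match."""
    out = []
    for (dec, stype, ttype, tclass), perms in sorted(rules.items()):
        if dec == decision:
            target = 'self' if stype == ttype else ttype
            out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out
```

Running to_allow_rules(summarize(SAMPLE_AVC)) yields the self:netlink_socket rule for udev_t from item 4 above; passing decision='denied' shows the proc_t reads that were still being refused.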
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:47:48 UTC
r4 is stable