Fedora Linux Support Community & Resources Center
Old 29th April 2012, 01:53 PM
blittle Offline
Registered User
Join Date: Jun 2007
Posts: 405
selinux "bug" NetworkManager read access to sysctl

SELinux is preventing NetworkManager from read access on the file /etc/sysctl.conf.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that NetworkManager should be allowed read access on the sysctl.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:system_conf_t:s0
Target Objects /etc/sysctl.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host l
Source RPM Packages
Target RPM Packages initscripts-9.34.2-1.fc16.x86_64
Policy RPM selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name l
Platform Linux l 3.3.2-6.fc16.x86_64 #1
SMP Sat Apr 21 12:43:20 UTC 2012 x86_64 x86_64
Alert Count 1
First Seen Sun 29 Apr 2012 05:46:22 AM PDT
Last Seen Sun 29 Apr 2012 05:46:22 AM PDT
Local ID 9020d642-4aec-4c27-92f7-432b4ffc06ec

Raw Audit Messages
type=AVC msg=audit(1335703582.220:144): avc: denied { read } for pid=988 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=2491258 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file

Hash: NetworkManager,NetworkManager_t,system_conf_t,file ,read


#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t system_conf_t:file read;

I haven't made any policy changes. This seems to happen when I "resume" my wireless connection; I can reproduce it by suspending the laptop and then resuming. I'm guessing nm tries to read the state of wlan0 to make sure it's working and selinux doesn't like it.

Old 29th April 2012, 02:19 PM
SteveGYBE Offline
Registered User
Join Date: Jun 2007
Location: Lytham St Annes, Lancashire, UK
Posts: 348
Re: selinux "bug" NetworkManager read access to sysctl

Looks like this was fixed in 3.10.0-82
$ rpm -q --changelog selinux-policy | less
* Fri Apr 06 2012 Miroslav Grepl <xxxxxx@redhat.com> 3.10.0-82
 [ . . . ]
- Allow NM to read system config file
Try a "yum update selinux-policy" if you don't want to update everything on your install - the current version is 3.10.0-84.

Last edited by SteveGYBE; 29th April 2012 at 02:25 PM.
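
An added example, not part of either post: a small Python parser for AVC records like the one quoted in the report. It shows that collecting every NetworkManager denial, as the suggested grep does, can pull unrelated permissions into a local module, while filtering on the source and target types yields only the rule from the report. The second log line, SAMPLE_LOG and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the denial quoted in the thread; the
# second is an invented, unrelated NetworkManager denial added for contrast.
SAMPLE_LOG = '''\
type=AVC msg=audit(1335703582.220:144): avc: denied { read } for pid=988 comm="NetworkManager" name="sysctl.conf" dev="dm-1" ino=2491258 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:system_conf_t:s0 tclass=file
type=AVC msg=audit(1335703590.000:150): avc: denied { write } for pid=988 comm="NetworkManager" name="example" dev="dm-1" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        for perm in m['perms'].split():
            yield (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'], perm)

def allow_rules(log_text, source=None, target=None):
    """Build allow rules, optionally restricted to one source/target type pair."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        if source not in (None, src) or target not in (None, tgt):
            continue
        grouped[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))  # every NetworkManager_t denial
    print('\n'.join(allow_rules(SAMPLE_LOG, 'NetworkManager_t', 'system_conf_t')))
```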