[DSE-Dev] Bug#878345: avc denied read,open for NetworkManager

Harlan Lieberman-Berg hlieberman at debian.org
Fri Oct 13 00:00:56 UTC 2017


Package: selinux-policy-default
Version: 2:2.20161023.1-10
Severity: important
User: hlieberman at debian.org
Usertags: selinux_desktop

Hello maintainers,

I'm seeing a bug in the policy around NetworkManager.  It seems that
there are a lot of problems with NetworkManager; I'm seeing lots of
denied reads to rawip_sockets, and to reading some of the systemd
logind user directories, which I'm assuming has something to do with
user-configurable connections.  The read errors are far and away the
most common, with hundreds of thousands compared to 1 of each of the
other and getattr errors.

Examples are attached.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.12.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.7-2
ii  libsemanage1     2.7-2
ii  libsepol1        2.7-1
ii  policycoreutils  2.7-1
ii  selinux-utils    2.7-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.7-1
ii  setools      4.1.1-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
-------------- next part --------------
type=AVC msg=audit(1507852039.041:77024): avc:  denied  { open } for  pid=1625 comm="NetworkManager" path="/run/systemd/users/1000" dev="tmpfs" ino=53903 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507852039.041:77025): avc:  denied  { getattr } for  pid=1625 comm="NetworkManager" path="/run/systemd/users/1000" dev="tmpfs" ino=53903 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507852031.284:24697): avc:  denied  { read } for  pid=1625 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=rawip_socket permissive=0
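As an added illustration, not part of the bug report or the selinux-policy package: a small Python triage script that parses AVC records like the three attached above, aggregates denials per (source type, target type, object class, permission) so a ratio like the "hundreds of thousands versus one" the reporter describes can be confirmed from a full audit log, and emits candidate allow rules in the shape audit2allow would print. The sample input is the attached records embedded as a constructed string; the IP_PROTO table and the function names are my own. One detail worth knowing when reading the rawip_socket line: for raw IP sockets the kernel's lport= field carries the socket's IP protocol number rather than a port, so lport=58 is ICMPv6, the protocol IPv6 router and neighbour discovery run over.

```python
import re
from collections import Counter

# The three AVC records attached to the bug report (constructed input for this example).
SAMPLE_AVC = """\
type=AVC msg=audit(1507852039.041:77024): avc:  denied  { open } for  pid=1625 comm="NetworkManager" path="/run/systemd/users/1000" dev="tmpfs" ino=53903 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507852039.041:77025): avc:  denied  { getattr } for  pid=1625 comm="NetworkManager" path="/run/systemd/users/1000" dev="tmpfs" ino=53903 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1507852031.284:24697): avc:  denied  { read } for  pid=1625 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=rawip_socket permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be double-quoted (path="/run/...").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# IP protocol numbers: for rawip_socket the kernel reports the socket's
# protocol in lport=, not a port.  Only the entries needed here (my table).
IP_PROTO = {1: "icmp", 58: "icmpv6"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "decision": m.group("decision"),
        "perms": tuple(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "fields": fields,
    }
    if rec["tclass"] == "rawip_socket" and "lport" in fields:
        proto = int(fields["lport"])
        rec["protocol"] = IP_PROTO.get(proto, str(proto))
    return rec


def type_of(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def summarize(text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """One candidate allow rule per (source, target, class), permissions merged."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt   # same type on both sides -> self
        rules.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_AVC)
    for key, n in counts.most_common():
        print("%8d  %s" % (n, " ".join(key)))
    print()
    for rule in allow_rules(counts):
        print(rule)
```

Run it against `ausearch -m avc --raw` output instead of the embedded sample to get the real counts. The rules it prints are for review, not for loading as-is: in a reference-policy tree the right fix for the two file denials is the logind interface that grants read access to systemd_logind_var_run_t, and the rawip_socket rule should be checked against what the policy already grants with `sesearch -A -s NetworkManager_t -c rawip_socket` before anything is added.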

