LinuxQuestions.org


prashant.saraf 03-13-2009 08:01 AM

SELinux has blocked my internet
 
Hi,
SELinux has blocked my internet, and I did not understand the logs. Can someone help me out?

Code:

LOG

Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "execute" to ./udevadm
(udev_exec_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./udevadm,

restorecon -v './udevadm'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:udev_exec_t:s0
Target Objects                ./udevadm [ file ]
Source                        NetworkManager
Source Path                  /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          xpro.blackperl
Source RPM Packages          NetworkManager-0.7.0.99-1.fc10
Target RPM Packages         
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall_file
Host Name                    xpro.blackperl
Platform                      Linux xpro.blackperl 2.6.27.15-170.2.24.fc10.i686
                              #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count                  1
First Seen                    Tuesday 10 March 2009 09:34:49 AM IST
Last Seen                    Tuesday 10 March 2009 10:08:33 AM IST
Local ID                      8c570041-c0c3-4a34-9d4d-6089784e2a03
Line Numbers                 

Raw Audit Messages           

node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc:  denied  { execute } for  pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 a0=809eb60 a1=bfd9ec0c a2=bfda0020 a3=809eb60 items=0 ppid=2190 pid=3526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)


H_TeXMeX_H 03-13-2009 08:44 AM

Are you using a server or a desktop / workstation ? i.e. do you absolutely have to have SELinux enabled, because I think you should turn it off, it's a PITA. Unless, of course, your company tells you to keep it on.

slimm609 03-13-2009 10:07 AM

I am sorry but please disregard the statement above. The last thing we should do on LQ is tell members to disable security services because they are "hard to use"/"lack of knowledge".

It just looks like selinux does not have a policy for it.

I am guessing you are running the default policy so we should be able to create a module for selinux to allow it.

Type
setenforce 0
then try and start NetworkManager again and it should be successful (it will log that it is not allowed, but it will allow it to work).

Then cd to a tmp dir, like /tmp, and
run audit2allow -a -l -m netmanager
That will create a module for SELinux to use (as long as you have a modular policy and not a monolithic policy).
Then in the same directory run
semodule -i netmanager.pp (I think it is .pp; there are 3 files that audit2allow creates but it will only allow one to work with semodule).

Then you can type setenforce 1 and it should work from then on.

unSpawn 03-13-2009 10:11 AM

I too agree the subjective opinion of one person (who might not even run SE Linux, GRSecurity, LIDS or equivalent himself) shouldn't keep you from running SE Linux. There is no realistic equivalent in the GNU/Linux world that is maintained and supported like this, gains adaptation and helps distributions get EAL certified. What's more is that SE Linux has proven itself by actually mitigating or stopping malicious activity (see Dan Walsh web log). Also everyone enabling it can help make it better just by running it, getting bugs resolved and policies updated. And unlike other solutions you get the upstream policies so you don't have to build any from scratch (unless you need MLS or like that) to work with SE Linux. And even if you would need to adjust your policy there's lots of tools and documentation to help you get going in no time.

In short: yes, SE Linux is worthwhile enabling. Offering only the opinion it's a PITA for not running SE Linux is not about progress and community but stagnation, standstill. It is not objective nor does it actually help anybody.


While there may be other ways, to target the above AVC message 8c570041-c0c3-4a34-9d4d-6089784e2a03 only one local policy adjustment rule is needed. To get the code below run 'sealert -l 8c570041-c0c3-4a34-9d4d-6089784e2a03|audit2allow -r'. Full module code:
Code:

module local 1.0;

require {
        type NetworkManager_t;
        type udev_exec_t;
        class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;


prashant.saraf 03-13-2009 10:25 AM

Thanks for the reply. I am using Fedora 10 desktop edition; I use it for my Java development. I am new to Linux and did not understand why it stopped. I will try the option given above.

Thanks
Prashant Saraf

H_TeXMeX_H 03-13-2009 11:19 AM

Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO. I have used it, BTW, and this is not the worst that can happen if you misconfigure it accidentally, so do be careful.

prashant.saraf 03-13-2009 11:25 AM

I ran setenforce 0 and bang, it is working, great!!

unSpawn 03-13-2009 01:01 PM

Quote:

Originally Posted by prashant.saraf (Post 3474432)
I ran setenforce 0 and bang, it is working, great!!

If you read slimm609's reply well you will see that running "setenforce 0" is just the first step and that putting SE Linux in permissive mode is not the full solution.



Quote:

Originally Posted by H_TeXMeX_H (Post 3474426)
Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO.

Not only that, but unless you manage to post actual examples it amounts to FUD. And that is something we will not have in this forum. Here's some R/L facts: HPLIP, Mambo, Apache, OpenPegasus and Flash.

prashant.saraf 03-13-2009 01:44 PM

Thanks unSpawn,
I tried the next step:
I created a test directory in /tmp,
then ran
audit2allow -a -l -m netmanager
and got the following output, and no file is generated.
Code:

module netmanager 1.0;

require {
        type NetworkManager_t;
        type udev_exec_t;
        type xdm_t;
        type root_t;
        class dir create;
        class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;

#============= xdm_t ==============
allow xdm_t root_t:dir create;

What do I need to do next? Sorry, I am totally new to this.

rweaver 03-13-2009 02:25 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 3474284)
Are you using a server or a desktop / workstation ? i.e. do you absolutely have to have SELinux enabled, because I think you should turn it off, it's a PITA. Unless, of course, your company tells you to keep it on.

I agree that SELinux is a PITA, however, unless you're an expert admin its better to keep all the security active that you can and in this case the problem is relatively easy to fix.

custangro 03-13-2009 02:52 PM

Quote:

Originally Posted by prashant.saraf (Post 3474240)
Hi,
SELinux has blocked my internet, and i did not under the logs. Can someone help me out.

Code:

LOG

Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "execute" to ./udevadm
(udev_exec_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./udevadm,

restorecon -v './udevadm'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:udev_exec_t:s0
Target Objects                ./udevadm [ file ]
Source                        NetworkManager
Source Path                  /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          xpro.blackperl
Source RPM Packages          NetworkManager-0.7.0.99-1.fc10
Target RPM Packages         
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  catchall_file
Host Name                    xpro.blackperl
Platform                      Linux xpro.blackperl 2.6.27.15-170.2.24.fc10.i686
                              #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count                  1
First Seen                    Tuesday 10 March 2009 09:34:49 AM IST
Last Seen                    Tuesday 10 March 2009 10:08:33 AM IST
Local ID                      8c570041-c0c3-4a34-9d4d-6089784e2a03
Line Numbers                 

Raw Audit Messages           

node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc:  denied  { execute } for  pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 a0=809eb60 a1=bfd9ec0c a2=bfda0020 a3=809eb60 items=0 ppid=2190 pid=3526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)


What is the output of...

Code:

root@fedora# getsebool -a |grep -i network
-C

slimm609 03-13-2009 05:48 PM

Quote:

Originally Posted by prashant.saraf (Post 3474579)
Thanks unSpawn,
I tried the next step:
I created a test directory in /tmp,
then ran
audit2allow -a -l -m netmanager
and got the following output, and no file is generated.
Code:

module netmanager 1.0;

require {
        type NetworkManager_t;
        type udev_exec_t;
        type xdm_t;
        type root_t;
        class dir create;
        class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;

#============= xdm_t ==============
allow xdm_t root_t:dir create;

What do I need to do next? Sorry, I am totally new to this.



Sorry about that. I did not have a Red Hat/Fedora box by me, only Solaris boxes, so I just had to go off of memory. It's audit2allow -a -l -M netmanager

The M is the one you want, not the lowercase. That should fix the problem.

prashant.saraf 03-14-2009 04:07 AM

Quote:

Originally Posted by rweaver (Post 3474626)
I agree that SELinux is a PITA, however, unless you're an expert admin its better to keep all the security active that you can and in this case the problem is relatively easy to fix.

Hi, I am not an expert admin. I am running a desktop system; I am a Java developer and run several servers (Tomcat, MySQL, PHP, WebLogic, GlassFish, JBoss). And I just migrated from Vista to Fedora 10.

Thanks slimm609, I tried
Code:

audit2allow -a -l -M netmanager
and it worked.

The output of
Code:

root@fedora# getsebool -a |grep -i network
Code:

httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
nsplugin_can_network --> on
qemu_full_network --> on
spamassassin_can_network --> off
xguest_connect_network --> on

Thank you every one for helping me.

-Prashant

jschiwal 03-14-2009 04:49 AM

I played around with Fedora 10 on my old laptop. When I got an SE Linux alert, I would copy the alert from the popup, and then copy it to a file.
e.g.
cat >netmanager
[PRESS CTRL-V to paste alert to file & press CTRL-D]

Then I would run "audit2allow -M netmanager". This created a netmanager.te and a netmanager.pp file (IIRC).

Next I would run "sudo semodule -i netmanager.pp"

This way, I only included the last exception that I knew I triggered myself in the audit2allow command. I hadn't learned how to analyse what the policy audit exceptions meant, so I didn't trust myself to use the entire audit log to generate a policy.
I created a directory to store the policy files so they wouldn't cause clutter.

It was a little frustrating at first because I had to repeat the process several times before I could run flash in Firefox. But after the first couple days, it settled down and it was so long before my next exception that I forgot how to do it! I do wish that they hadn't changed the Fedora web site, because the link embedded in the GUI alert used to take you directly to the instructions for dealing with it. Now you end up at a page with a myriad of options instead.
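As an added example (not code from this thread or from the SELinux tools), here is a small Python imitation of the step audit2allow performs on the raw AVC message posted above: it parses each denial into source type, target type, object class and permissions and emits the .te module source, optionally restricted to one source domain. That restriction is the point both unSpawn (targeting the single alert via sealert -l ID | audit2allow -r) and jschiwal (pasting only the alert he triggered) make, as opposed to audit2allow -a sweeping the whole log. The first audit line is the one from the thread; the second xdm_t denial is constructed to stand in for the unrelated rule that -a pulled in.

```python
import re
from collections import defaultdict

# Constructed sample audit log: the AVC line quoted in the thread, plus a
# second, unrelated denial (xdm_t creating a dir under root_t) standing in
# for the extra rule that `audit2allow -a` pulled from the whole audit log.
SAMPLE_AUDIT = """\
node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc:  denied  { execute } for  pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file
node=xpro.blackperl type=AVC msg=audit(1236660001.00:23): avc:  denied  { create } for  pid=2201 comm="gdm" name="tmp" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

# Pull the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+).*?\btcontext=(?P<tcon>\S+).*?\btclass=(?P<cls>\w+)"
)

def parse_avc(text):
    """Yield (source_type, target_type, class, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # a context is user:role:type:level, so the type is field 2
            yield (m["scon"].split(":")[2], m["tcon"].split(":")[2],
                   m["cls"], frozenset(m["perms"].split()))

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def build_module(text, name, only_source=None):
    """Fold denials into allow rules and emit .te source in audit2allow -M style.
    only_source keeps just one source domain instead of allowing everything in the log."""
    rules = defaultdict(set)    # (src, tgt, cls) -> perms
    classes = defaultdict(set)  # cls -> perms needed in the require block
    for src, tgt, cls, perms in parse_avc(text):
        if only_source and src != only_source:
            continue
        rules[(src, tgt, cls)] |= perms
        classes[cls] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    for src in sorted({key[0] for key in rules}):
        out += ["", f"#============= {src} =============="]
        out += [f"allow {s} {t}:{c} {fmt_perms(p)};"
                for (s, t, c), p in sorted(rules.items()) if s == src]
    return "\n".join(out) + "\n"
```

Calling build_module(SAMPLE_AUDIT, "netmanager", only_source="NetworkManager_t") reproduces the single-rule module unSpawn posted, while leaving only_source unset reproduces the two-rule output prashant got from -a.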

