LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-13-2009, 08:01 AM   #1
prashant.saraf
Member
 
Registered: Mar 2009
Location: Hartford US
Distribution: Ubuntu and Fedora
Posts: 35

Rep: Reputation: 0
SELinux has blocked my internet


Hi,
SELinux has blocked my internet, and i did not under the logs. Can someone help me out.

Code:
LOG

Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "execute" to ./udevadm
(udev_exec_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./udevadm,

restorecon -v './udevadm'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:udev_exec_t:s0
Target Objects                ./udevadm [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          xpro.blackperl
Source RPM Packages           NetworkManager-0.7.0.99-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     xpro.blackperl
Platform                      Linux xpro.blackperl 2.6.27.15-170.2.24.fc10.i686
                              #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count                   1
First Seen                    Tuesday 10 March 2009 09:34:49 AM IST
Last Seen                     Tuesday 10 March 2009 10:08:33 AM IST
Local ID                      8c570041-c0c3-4a34-9d4d-6089784e2a03
Line Numbers                  

Raw Audit Messages            

node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc:  denied  { execute } for  pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 a0=809eb60 a1=bfd9ec0c a2=bfda0020 a3=809eb60 items=0 ppid=2190 pid=3526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
 
Old 03-13-2009, 08:44 AM   #2
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Are you using a server or a desktop / workstation ? i.e. do you absolutely have to have SELinux enabled, because I think you should turn it off, it's a PITA. Unless, of course, your company tells you to keep it on.
 
Old 03-13-2009, 10:07 AM   #3
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
I am sorry but please disregard the statement above. The last thing we should do on LQ is tell members to disable security services because they are "hard to use"/"lack of knowledge".

It just looks like selinux does not have a policy for it.

I am guessing you are running the default policy so we should be able to create a module for selinux to allow it.

type
setenforce 0
the try and start network manager again and it should be successful. ( it will log that it is not allowed but it will allow it to work)

then cd to a tmp dir. like /tmp
run audit2allow -a -l -m netmanager
that will create a module for selinux to use ( as long as you have a modular policy and not a monolithic policy)
then in the same directory run
semodule -i netmanager.pp ( i think it is .pp there are 3 files that audit2allow creates but it will only allow one to work with semodule)

then you can type setenforce 1 and it should work from then on.

Last edited by slimm609; 03-13-2009 at 10:09 AM.
 
Old 03-13-2009, 10:11 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
I too agree the subjective opinion of one person (who might not even run SE Linux, GRSecurity, LIDS or equivalent himself) shouldn't keep you from running SE Linux. There is no realistic equivalent in the GNU/Linux world that is maintained and supported like this, gains adaptation and helps distributions get EAL certified. What's more is that SE Linux has proven itself by actually mitigating or stopping malicious activity (see Dan Walsh web log). Also everyone enabling it can help make it better just by running it, getting bugs resolved and policies updated. And unlike other solutions you get the upstream policies so you don't have to build any from scratch (unless you need MLS or like that) to work with SE Linux. And even if you would need to adjust your policy there's lots of tools and documentation to help you get going in no time.

In short: yes, SE Linux is worthwhile enabling. Offering only the opinion it's a PITA for not running SE Linux is not about progress and community but stagnation, standstill. It is not objective nor does it actually help anybody.


While there may be other ways, to target the above AVC message 8c570041-c0c3-4a34-9d4d-6089784e2a03 only one local policy adjustment rule is needed. To get the code below run 'sealert -l 8c570041-c0c3-4a34-9d4d-6089784e2a03|audit2allow -r'. Full module code:
Code:
module local 1.0;

require {
        type NetworkManager_t;
        type udev_exec_t;
        class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;
 
Old 03-13-2009, 10:25 AM   #5
prashant.saraf
Member
 
Registered: Mar 2009
Location: Hartford US
Distribution: Ubuntu and Fedora
Posts: 35

Original Poster
Rep: Reputation: 0
Thanks for the reply, I am using Fedora 10 desktop edition, I use it for my java development. I am new to Linux and did not understand why it stop. I will try option give above.

Thanks
Prashant Saraf
 
Old 03-13-2009, 11:19 AM   #6
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO. I have used it, BTW, and this is not the worst that can happen if you misconfigure it accidentally, so do be careful.
 
Old 03-13-2009, 11:25 AM   #7
prashant.saraf
Member
 
Registered: Mar 2009
Location: Hartford US
Distribution: Ubuntu and Fedora
Posts: 35

Original Poster
Rep: Reputation: 0
i run the setenforce 0 and bang it is working gre8!!
 
Old 03-13-2009, 01:01 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
Quote:
Originally Posted by prashant.saraf View Post
i run the setenforce 0 and bang it is working gre8!!
If you read slimm609's reply well you will see that running "setenforce 0" is just the first step and that putting SE Linux in permissive mode is not the full solution.



Quote:
Originally Posted by H_TeXMeX_H View Post
Unless you're running a mission critical server I see this as over-complication and with minimal benefit. It's more likely to mess things up than keep things secure. Yeah, sure, it's IMO.
Not only that, but unless you manage to post actual examples it amounts to FUD. And that is something we will not have in this forum. Here's some R/L facts: HPLIP, Mambo, Apache, OpenPegasus and Flash.
 
Old 03-13-2009, 01:44 PM   #9
prashant.saraf
Member
 
Registered: Mar 2009
Location: Hartford US
Distribution: Ubuntu and Fedora
Posts: 35

Original Poster
Rep: Reputation: 0
Thanks unSpawn,
I tried next step,
I have created a test directory into /tmp
then run the
audit2allow -a -l -m netmanager
and get following output and no file is generated.
Code:
module netmanager 1.0;

require {
	type NetworkManager_t;
	type udev_exec_t;
	type xdm_t;
	type root_t;
	class dir create;
	class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;

#============= xdm_t ==============
allow xdm_t root_t:dir create;
What i need to do next. Sorry i am totally new to this.
 
Old 03-13-2009, 02:25 PM   #10
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Quote:
Originally Posted by H_TeXMeX_H View Post
Are you using a server or a desktop / workstation ? i.e. do you absolutely have to have SELinux enabled, because I think you should turn it off, it's a PITA. Unless, of course, your company tells you to keep it on.
I agree that SELinux is a PITA, however, unless you're an expert admin its better to keep all the security active that you can and in this case the problem is relatively easy to fix.
 
Old 03-13-2009, 02:52 PM   #11
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Rep: Reputation: 188Reputation: 188
Quote:
Originally Posted by prashant.saraf View Post
Hi,
SELinux has blocked my internet, and i did not under the logs. Can someone help me out.

Code:
LOG

Summary:

SELinux is preventing NetworkManager (NetworkManager_t) "execute" to ./udevadm
(udev_exec_t).

Detailed Description:

SELinux denied access requested by NetworkManager. It is not expected that this
access is required by NetworkManager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./udevadm,

restorecon -v './udevadm'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:udev_exec_t:s0
Target Objects                ./udevadm [ file ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          xpro.blackperl
Source RPM Packages           NetworkManager-0.7.0.99-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     xpro.blackperl
Platform                      Linux xpro.blackperl 2.6.27.15-170.2.24.fc10.i686
                              #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 i686
Alert Count                   1
First Seen                    Tuesday 10 March 2009 09:34:49 AM IST
Last Seen                     Tuesday 10 March 2009 10:08:33 AM IST
Local ID                      8c570041-c0c3-4a34-9d4d-6089784e2a03
Line Numbers                  

Raw Audit Messages            

node=xpro.blackperl type=AVC msg=audit(1236659913.44:22): avc:  denied  { execute } for  pid=3526 comm="NetworkManager" name="udevadm" dev=dm-0 ino=655611 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file

node=xpro.blackperl type=SYSCALL msg=audit(1236659913.44:22): arch=40000003 syscall=11 success=no exit=-13 a0=809eb60 a1=bfd9ec0c a2=bfda0020 a3=809eb60 items=0 ppid=2190 pid=3526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
what is the output of...

Code:
root@fedora# getsebool -a |grep -i network
-C
 
Old 03-13-2009, 05:48 PM   #12
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
Quote:
Originally Posted by prashant.saraf View Post
Thanks unSpawn,
I tried next step,
I have created a test directory into /tmp
then run the
audit2allow -a -l -m netmanager
and get following output and no file is generated.
Code:
module netmanager 1.0;

require {
	type NetworkManager_t;
	type udev_exec_t;
	type xdm_t;
	type root_t;
	class dir create;
	class file execute;
}

#============= NetworkManager_t ==============
allow NetworkManager_t udev_exec_t:file execute;

#============= xdm_t ==============
allow xdm_t root_t:dir create;
What i need to do next. Sorry i am totally new to this.


sorry about that. did not have a redhat/fedora box by me only solaris boxes so i just had to go off of memory. its audit2allow -a -l -M netmanager

the M is the one you want not the lowercase. That should fix the problem
 
Old 03-14-2009, 04:07 AM   #13
prashant.saraf
Member
 
Registered: Mar 2009
Location: Hartford US
Distribution: Ubuntu and Fedora
Posts: 35

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by rweaver View Post
I agree that SELinux is a PITA, however, unless you're an expert admin its better to keep all the security active that you can and in this case the problem is relatively easy to fix.
Hi I am not the expert admin, I am running a desktop system, I am Java Developer, run several servers(tomcat, mysql,php, weblogic, glassfish, jboss). And I just migrated from my Vista to Fedora 10.

Thanks slimm609, I tried
Code:
 audit2allow -a -l -M netmanager
and it worked.

The output of
Code:
root@fedora# getsebool -a |grep -i network
Code:
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
nsplugin_can_network --> on
qemu_full_network --> on
spamassassin_can_network --> off
xguest_connect_network --> on
Thank you every one for helping me.

-Prashant
 
Old 03-14-2009, 04:49 AM   #14
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I played around with Fedora 10 on my old laptop. When I got an SE Linux alert, I would copy the alert from the popup, and then copy it to a file.
e.g.
cat >netmanager
[PRESS CTRL-V to paste alert to file & press CTRL-D]

Then I would run "audit2allow -M netmanager". This created a netmanager.te and netmanager.pp file (IIRC)

Next I would run "sudo semodule -i netmanager.pp"

This way, I only included the last exception that I knew I triggered myself in the audit2allow command. I hadn't learned how to analyse what the policy audit exceptions meant, so I didn't trust myself to use the entire audit log to generate a policy.
I created a directory to store the policy files so they wouldn't cause clutter.

It was a little frustrating at first because I had to repeat the process several times before I could run flash in Firefox. But after the first couple days, it settled down and it was so long before my next exception that I forgot how to do it! I do wish that they hadn't changed the Fedora web site, because the link embedded in the GUI alert used to take you directly to the instructions for dealing with it. Now you end up at a page with a myriad of options instead.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
"../system.h :selinux/selinux.h:no such file or directory" ashmita04 Linux From Scratch 4 02-05-2009 03:36 AM
gsm connection keeps hanging: blocked by SELinux? Hairyloon Linux - Wireless Networking 1 10-15-2008 12:55 PM
Mod recent blocked related question (netfilter). WHO IS BLOCKED CarLost Linux - Security 6 07-29-2008 03:53 PM
Internet seems to be blocked with latest etch Indiestory Debian 4 07-07-2007 10:46 PM
fetchmail is blocked by SELinux marozsas Fedora 4 05-16-2006 04:07 AM


All times are GMT -5. The time now is 09:33 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration