Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1146859
| Summary: | SELinux is preventing /usr/libexec/nm-openconnect-service from 'ioctl' accesses on the chr_file /dev/net/tun. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jared Smith <jsmith.fedora> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 21 | CC: | crobinso, dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:ab2d3cea92bcab31be26a9b0f95fe3e369c9e2a925b6eb26816429d6db4f2c07 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-07 15:41:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1147057 *** |
Description of problem: Trying to connect to an openconnect-compatible VPN SELinux is preventing /usr/libexec/nm-openconnect-service from 'ioctl' accesses on the chr_file /dev/net/tun. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that nm-openconnect-service should be allowed ioctl access on the tun chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep nm-openconnect- /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:svirt_image_t:s0:c209,c483 Target Objects /dev/net/tun [ chr_file ] Source nm-openconnect- Source Path /usr/libexec/nm-openconnect-service Port <Unknown> Host (removed) Source RPM Packages NetworkManager-openconnect-0.9.8.4-4.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-79.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.16.1-301.fc21.x86_64 #1 SMP Mon Aug 25 13:06:39 UTC 2014 x86_64 x86_64 Alert Count 2 First Seen 2014-09-19 15:58:31 CEST Last Seen 2014-09-19 15:58:32 CEST Local ID 74ccd1e3-303b-43a4-aad9-b8d046e9bedf Raw Audit Messages type=AVC msg=audit(1411135112.254:8805): avc: denied { ioctl } for pid=21584 comm="nm-openconnect-" path="/dev/net/tun" dev="devtmpfs" ino=10303 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c209,c483 tclass=chr_file permissive=1 type=SYSCALL msg=audit(1411135112.254:8805): arch=x86_64 syscall=ioctl success=yes exit=0 a0=6 a1=400454ca a2=7fff4cd4a5b0 a3=7fff4cd4a5b0 items=0 ppid=1 pid=21584 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nm-openconnect- exe=/usr/libexec/nm-openconnect-service subj=system_u:system_r:NetworkManager_t:s0 key=(null) Hash: nm-openconnect-,NetworkManager_t,svirt_image_t,chr_file,ioctl Version-Release number of selected component: selinux-policy-3.13.1-79.fc21.noarch Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.3-300.fc21.x86_64 type: libreport