Bug 1226543

Summary: SELinux AVCs with systemd-networkd
Product: [Fedora] Fedora
Reporter: Anthony Messina <amessina>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 22
CC: dwalsh
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-128.1.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-11 18:38:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Anthony Messina 2015-05-30 13:19:47 UTC
I'd like to run systemd-networkd in Fedora 22, but I get the following errors, despite the issue being marked as resolved in Bug #1153340.

The network seems to work, and the AVCs below report "permissive=1" even when I have SELinux enforcing.

selinux-policy-targeted-3.13.1-126.fc22.noarch
systemd-219-15.fc22.x86_64

## 10-enp3s7.network 
[Match]
Name=enp3s7
[Network]
DHCP=yes

## journald output
Enumeration completed
IPv6: ADDRCONF(NETDEV_UP): enp3s7: link is not ready
Started Network Service.
<audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
e1000: enp3s7 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
IPv6: ADDRCONF(NETDEV_CHANGE): enp3s7: link becomes ready
enp3s7          : gained carrier
<audit-1400> avc:  denied  { create } for  pid=739 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket permissive=1
<audit-1400> avc:  denied  { setopt } for  pid=739 comm="systemd-network" lport=58 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket permissive=1
<audit-1400> avc:  denied  { name_bind } for  pid=739 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { node_bind } for  pid=739 comm="systemd-network" saddr=10.77.79.89 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { net_bind_service } for  pid=739 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
[system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
enp3s7          : DHCPv4 address 10.77.79.89/24 via 10.77.79.1
enp3s7          : link configured
Starting Hostname Service...
<audit-1325> table=filter family=2 entries=0
[system] Successfully activated service 'org.freedesktop.hostname1'
<audit-1107> pid=735 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freed
 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Started Hostname Service.
<audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
<audit-1400> avc:  denied  { getattr } for  pid=739 comm="systemd-network" path="socket:[18691]" dev="sockfs" ino=18691 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket
<audit-1400> avc:  denied  { name_bind } for  pid=739 comm="systemd-network" src=546 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { node_bind } for  pid=739 comm="systemd-network" src=546 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { net_bind_service } for  pid=739 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1

Comment 1 Miroslav Grepl 2015-06-01 13:14:40 UTC
commit 425f02dc6f2b3887f44a074426d2d7543ad5085d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jun 1 15:13:41 2015 +0200

    Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. BZ(1226543)

Comment 2 Fedora Update System 2015-06-09 14:39:45 UTC
selinux-policy-3.13.1-128.1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.1.fc22

Comment 3 Fedora Update System 2015-06-10 19:11:31 UTC
Package selinux-policy-3.13.1-128.1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9714/selinux-policy-3.13.1-128.1.fc22
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-06-11 18:38:22 UTC
selinux-policy-3.13.1-128.1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.