Bug 1227406

Summary: libnm-glib-WARNING **: (nm-object.c:159):constructor: code should not be reached
Product: [Fedora] Fedora
Reporter: Tomáš Hozza <thozza>
Component: dnssec-trigger
Assignee: Paul Wouters <pwouters>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 22
CC: dcbw, jklimes, pj.pandit, psimerda, pspacek, pwouters, thozza
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-06-09 15:32:51 UTC
Type: Bug
Bug Blocks: 1182488
Attachments:
SELinux AVC messages for running dnssec-triggerd systemd unit (flags: none)

Description Tomáš Hozza 2015-06-02 15:26:08 UTC
Description of problem:
When using dnssec-trigger with NetworkManager on Fedora 22 Workstation, the following warnings appear in the journal. dnssec-trigger uses a NM dispatcher script to get notifications on network configuration change. The dnssec-trigger-script is then run, which is using libnm-glib Python bindings.

Version-Release number of selected component (if applicable):
NetworkManager-1.0.2-1.fc22.x86_64
dnssec-trigger-0.12-20.fc22.x86_64

How reproducible:
always

Steps to Reproduce:
1. just boot system with dnssec-trigger enabled
OR
1. restart dnssec-triggerd

Actual results:
[root@localhost ~]# journalctl -u dnssec-triggerd -b
-- Logs begin at Tue 2015-06-02 11:37:15 CEST, end at Tue 2015-06-02 17:17:41 CEST. --
Jun 02 16:24:33 localhost.localdomain systemd[1]: Starting Reconfigure local DNSSEC resolver on connectivity changes...
Jun 02 16:24:34 localhost.localdomain dnssec-trigger-script[1056]: (process:1056): libnm-glib-WARNING **: (nm-object.c:159):constructor: code should not be reached
Jun 02 16:24:34 localhost.localdomain dnssec-triggerd[1154]: [1154] info: dnssec-trigger 0.12 start
Jun 02 16:24:35 localhost.localdomain dnssec-trigger-script[1157]: (process:1157): libnm-glib-WARNING **: (nm-object.c:159):constructor: code should not be reached
Jun 02 16:24:35 localhost.localdomain dnssec-triggerd[1154]: (process:1161): libnm-glib-WARNING **: (nm-object.c:159):constructor: code should not be reached
Jun 02 16:24:35 localhost.localdomain systemd[1]: Started Reconfigure local DNSSEC resolver on connectivity changes.

Expected results:
No warnings from libnm-glib

Additional info:
Maybe related to bug #1202197

Comment 1 Pavel Šimerda (pavlix) 2015-06-05 11:20:54 UTC
Looks like a regression in NetworkManager's library, as this used to work.

Comment 2 Jirka Klimes 2015-06-09 13:28:52 UTC
I was debugging it a bit and found out that running dnssec-trigger-script from the command line works fine.
However, when the dnssec-triggerd systemd unit is run (which executes dnssec-trigger-script), the error appears. In the end, it turned out that the problem was caused by SELinux. The script runs fine out of systemd unit with 'getenforce 0'.

The issue seems to be that access is denied for D-BUS system bus:
type=AVC msg=audit(1433820820.962:7636): avc:  denied  { write } for  pid=18620 comm="dnssec-trigger-" name="system_bus_socket" dev="tmpfs" ino=25341 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

However, there are a few more AVCs too. I will include them as an attachment.
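
An added example, not part of the bug report or of either project's code: a small parser that groups enforced AVC denials such as the one quoted in comment 2 by source type, target type and object class, which is the view needed when triaging a confined service that fails only under systemd. The helper names are hypothetical, and every sample record except the first is constructed.

```python
import re
from collections import defaultdict

# Record 1 is the denial quoted in comment 2; the other records are constructed.
_FMT = ('type=AVC msg=audit({ts}): avc:  denied  {{ {perms} }} for  pid=18620 '
        'comm="dnssec-trigger-" name="system_bus_socket" dev="tmpfs" ino=25341 '
        'scontext=system_u:system_r:dnssec_trigger_t:s0 '
        'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 '
        'tclass=sock_file permissive={permissive}')
SAMPLE = [
    _FMT.format(ts='1433820820.962:7636', perms='write', permissive=0),
    _FMT.format(ts='1433820821.100:7637', perms='read write', permissive=0),
    _FMT.format(ts='1433820822.200:7638', perms='getattr', permissive=1),
    'type=SYSCALL msg=audit(1433820822.200:7638): arch=c000003e syscall=42',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(serial=int(m.group('serial')), result=m.group('result'),
               perms=m.group('perms').split())
    # A context is user:role:type:level; policy rules are written against the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def summarize_denials(lines):
    """Group enforced denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        # permissive=1 records were logged but not blocked, so they are skipped here.
        if rec['result'] == 'denied' and rec.get('permissive', '0') == '0':
            groups[rec['source_type'], rec['target_type'], rec['tclass']].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE).items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
```
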

Comment 3 Jirka Klimes 2015-06-09 13:30:50 UTC
Created attachment 1036809
SELinux AVC messages for running dnssec-triggerd systemd unit

Comment 4 Tomáš Hozza 2015-06-09 15:32:51 UTC

*** This bug has been marked as a duplicate of bug 1227239 ***