Bug 1234954

Summary: Update SELinux policy for NetworkManager to allow send_msg for hostnamed
Product: Red Hat Enterprise Linux 7
Reporter: Jirka Klimes <jklimes>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 7.2
CC: bgalvani, jklimes, lrintel, lvrabec, mcepl, mgrepl, mmalik, plautrba, pvrabec, rkhan, ssekidde, thaller
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-34.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:38:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jirka Klimes 2015-06-23 14:58:21 UTC
time->Tue Jun 23 06:47:34 2015
type=USER_AVC msg=audit(1435056454.705:1658): pid=603 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.132 spid=10769 tpid=10786 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Jun 23 06:47:33 2015
type=SYSCALL msg=audit(1435056453.947:1655): arch=c000003e syscall=21 success=no exit=-13 a0=7fefd9508e4b a1=2 a2=28 a3=3 items=0 ppid=1 pid=10769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1435056453.947:1655): avc:  denied  { write } for  pid=10769 comm="NetworkManager" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

NetworkManager now supports handling hostname via hostnamed. Please allow accessing hostnamed via D-Bus (first AVC).
Related commit:
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=6dc35e66d45e490482ac2909385099d77c26ed93

I am not sure what exactly the second AVC means, but I guess it should be allowed too.

Comment 2 Milos Malik 2015-06-23 15:12:00 UTC
What SELinux denials do you see in permissive mode?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 3 Jirka Klimes 2015-06-24 06:51:05 UTC
(In reply to Milos Malik from comment #2)
> What SELinux denials do you see in permissive mode?
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today

# getenforce 
Permissive
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(06/24/2015 02:44:09.349:837) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/24/2015 02:44:56.559:853) : pid=599 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.392 spid=21872 tpid=21878 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/24/2015 02:44:56.560:854) : pid=599 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.391 spid=21878 tpid=21872 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(06/24/2015 02:44:56.331:852) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f3c50264e4b a1=W_OK a2=0x28 a3=0x3 items=0 ppid=1 pid=21872 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) 
type=AVC msg=audit(06/24/2015 02:44:56.331:852) : avc:  denied  { write } for  pid=21872 comm=NetworkManager name=/ dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

# rpm -q selinux-policy
selinux-policy-3.13.1-27.el7.noarch

That's RHEL-7.2-20150618.n.0 with NetworkManager from upstream master.

Comment 5 Jirka Klimes 2015-07-08 07:02:31 UTC
I can confirm that the second denial - writing to sysfs is fixed with selinux-policy-3.13.1-30.el7.noarch, selinux-policy-targeted-3.13.1-30.el7.noarch.

But I can still see the issue with calling hostnamed.
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(07/08/2015 02:59:50.127:384) : pid=595 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.98 spid=9494 tpid=9080 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

Comment 6 Jirka Klimes 2015-07-08 08:31:44 UTC
(In reply to Jirka Klimes from comment #0)
> NetworkManager now supports handling hostname via hostnamed. Please allow
> accessing hostnamed via D-Bus (first AVC).
> Related commit:
> http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/
> ?id=6dc35e66d45e490482ac2909385099d77c26ed93
> 

(In reply to Jirka Klimes from comment #5)
> I can confirm that the second denial - writing to sysfs is fixed with
> selinux-policy-3.13.1-30.el7.noarch,
> selinux-policy-targeted-3.13.1-30.el7.noarch.
> 
> But I can still see the issue with calling hostnamed.
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
> ----
> type=USER_AVC msg=audit(07/08/2015 02:59:50.127:384) : pid=595 uid=dbus
> auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  denied  { send_msg } for msgtype=method_call
> interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.98 spid=9494
> tpid=9080 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus 
> exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

I should have added that this is with NetworkManager from master on top of RHEL 7.2 (the feature is not in RHEL 7.2 yet).

Comment 7 Lukas Vrabec 2015-07-18 21:04:18 UTC
commit bd7ce7f96eb18346f3490c205528625e23868798
Author: Lukas Vrabec <lvrabec>
Date:   Sat Jul 18 22:58:58 2015 +0200

    Allow networkmanager to communicate via dbus with systemd_hostnamed.
    Resolves: #1234954
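As an added illustration (not code from this bug report or from the selinux-policy commit above), the following Python script parses the AVC and USER_AVC lines quoted in comment 3 and collapses them into the raw allow rules that a local policy module would need, the same reduction audit2allow performs. It shows why both directions matter: the method_call from NetworkManager_t to systemd_hostnamed_t and the method_return back are two separate dbus send_msg permissions. The distribution fix expresses this through the policy's own interfaces rather than raw rules; the sample audit text is constructed from the lines on this page.

```python
import re

# Constructed sample: the three denials quoted in comment 3 (ausearch -i output),
# trimmed to the fields the parser needs.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(06/24/2015 02:44:56.559:853) : pid=599 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.392 spid=21872 tpid=21878 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon'
type=USER_AVC msg=audit(06/24/2015 02:44:56.560:854) : pid=599 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.391 spid=21878 tpid=21872 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon'
type=AVC msg=audit(06/24/2015 02:44:56.331:852) : avc:  denied  { write } for  pid=21872 comm=NetworkManager name=/ dev="sysfs" ino=1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# Matches the denied permission set and the source/target contexts of one
# denial; works for both kernel AVC and dbus USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field: system_u:system_r:NetworkManager_t:s0 -> NetworkManager_t."""
    return context.split(":")[2]


def parse_denials(text):
    """Return a list of (source_type, target_type, tclass, perms) per denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # setenforce notices and other non-denial records
        perms = frozenset(m.group("perms").split())
        denials.append((type_of(m.group("scontext")),
                        type_of(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into minimal allow rules."""
    merged = {}
    for src, tgt, tclass, perms in denials:
        merged.setdefault((src, tgt, tclass), set()).update(perms)
    return [f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, tclass), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

Only the two dbus rules belong to this bug; the sysfs_t rule is the second denial, which comment 5 reports as already fixed in selinux-policy-3.13.1-30.el7.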

Comment 11 errata-xmlrpc 2015-11-19 10:38:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html