Bug 1350100

Summary: network manager dispatcher cannot update dns resolver due to selinux restrictions
Product: [Fedora] Fedora
Reporter: Peter Meier <peter.meier>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 24
CC: dominick.grift, dwalsh, lvrabec, mgrepl, pj.pandit, plautrba, psimerda, pspacek, pwouters, thozza
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-191.5.fc24
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-18 18:23:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Peter Meier 2016-06-25 13:07:21 UTC
Description of problem:

When connecting to a VPN that is pushing custom DNS servers, the nm-dispatcher is unable to invoke the dnssec-trigger so DNS servers are pushed to unbound.

Version-Release number of selected component (if applicable):

dnssec-trigger-0.13-0.4.20150714svn.fc24.x86_64

How reproducible:

Connect to an openvpn that pushes custom DNS servers.

Actual results:

openvpn is connected but not resolving through DNS from the VPN.

Expected results:

DNS servers of the VPN are used after connecting to the VPN.

Additional info:

It is blocked by SELinux as the logs suggest:

Jun 25 14:18:11 foo NetworkManager[29471]: <info>  [1466857091.9797] device (tun0): Activation: successful, device activated.
Jun 25 14:18:11 foo nm-dispatcher[23628]: req:4 'up' [tun0]: new request (9 scripts)
Jun 25 14:18:12 foo audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jun 25 14:18:12 foo nm-dispatcher[23628]: NetworkManager is not running.
Jun 25 14:18:12 foo nm-dispatcher[23628]: req:2 'vpn-up' [tun0], "/etc/NetworkManager/dispatcher.d/01-dnssec-trigger": complete: failed with Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.

Connecting with SELinux in permissive mode works as expected.
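
The USER_AVC line in the report carries everything needed to triage this denial. As an added example (not code from the bug report, from dnssec-trigger or from selinux-policy), the Python helper below parses such a line, extracts the source and target SELinux types, the object class and the denied permission, and renders the allow rule that audit2allow would propose so a policy author can review it; the sample input is a copy of the audit line above, joined onto one line.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the USER_AVC line from the report, joined onto one line.
SAMPLE = ("Jun 25 14:18:12 foo audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 "
          "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
          "{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties "
          "member=GetAll dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 "
          "scontext=system_u:system_r:dnssec_trigger_t:s0 "
          "tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus "
          "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'")

# "avc:  denied  { perm1 perm2 } for key=value ..." as written by the dbus-daemon AVC hook.
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value possibly double-quoted

@dataclass
class DbusDenial:
    perms: Tuple[str, ...]
    source_type: str
    target_type: str
    tclass: str
    interface: Optional[str]
    member: Optional[str]
    dest: Optional[str]

def type_of(context: str) -> str:
    # SELinux context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]

def parse_user_avc(line: str) -> Optional[DbusDenial]:
    """Return the denial described by a USER_AVC log line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return DbusDenial(
        perms=tuple(m.group("perms").split()),
        source_type=type_of(kv["scontext"]),
        target_type=type_of(kv["tcontext"]),
        tclass=kv["tclass"],
        interface=kv.get("interface"),
        member=kv.get("member"),
        dest=kv.get("dest"),
    )

def allow_rule(d: DbusDenial) -> str:
    # The rule audit2allow would propose; whether it belongs in the policy is a review decision.
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"
```

For the line from the report, allow_rule() yields `allow dnssec_trigger_t NetworkManager_t:dbus { send_msg };`, which names exactly the D-Bus reply path the dispatcher script was missing.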

Comment 1 Tomáš Hozza 2016-06-27 15:32:38 UTC
Obviously the dnssec-trigger script must be able to communicate with NM. And since the NM Python bindings use DBus, this must be allowed as well. Moving to selinux-policy.

Comment 2 Fedora Update System 2016-07-12 03:58:01 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0da627fe73

Comment 3 Fedora Update System 2016-07-18 18:22:49 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Peter Meier 2016-07-18 20:56:47 UTC
Some first testing showed it works again. Thanks!