Bug 1370872

Summary: SELinux is preventing NetworkManager from 'unlink' accesses on the file /etc/resolv.conf.
Product: [Fedora] Fedora Reporter: Melvin Jones <melvinj>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: 24CC: dominick.grift, dwalsh, lvrabec, melvinj, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:77261c568d4cfcbf07123b7b7e390e3dff8311e7b19383353fadd043dc635488;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-191.20.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 03:29:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Melvin Jones 2016-08-27 17:04:05 UTC
Description of problem:
I am using ShrewSoft VPN Client on Fedora 24 and whenever I connect to my remote site I get this SELinux alert.

It appears that the changes to the nameservers are made to the /etc/resolv.conf file but it seems that NetworkManager is trying an unlink on the file and I'm not sure why.  The connection works as expected, so there isn't a problem, but I'm just confused by the alert.  I'm not sure why NetworkManager needs unlink access or even if it should have that access.
SELinux is preventing NetworkManager from 'unlink' accesses on the file /etc/resolv.conf.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/etc/resolv.conf default label should be net_conf_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/resolv.conf

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow NetworkManager to have unlink access on the resolv.conf file
Then you need to change the label on /etc/resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE '/etc/resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, dhcpc_state_t, dhcpc_var_run_t, dnsmasq_var_run_t, hostname_etc_t, named_cache_t, net_conf_t, pppd_var_run_t, systemd_passwd_var_run_t.
Then execute:
restorecon -v '/etc/resolv.conf'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that NetworkManager should be allowed unlink access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.13.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.7-300.fc24.x86_64 #1 SMP Wed
                              Aug 17 18:48:43 UTC 2016 x86_64 x86_64
Alert Count                   12
First Seen                    2016-08-16 15:44:29 EDT
Last Seen                     2016-08-27 12:56:33 EDT
Local ID                      fa271e6a-1973-48a0-b404-d694219ce7e0

Raw Audit Messages
type=AVC msg=audit(1472316993.835:274): avc:  denied  { unlink } for  pid=1040 comm="NetworkManager" name="resolv.conf" dev="sda7" ino=130836 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: NetworkManager,NetworkManager_t,etc_t,file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Potential duplicate: bug 876757

Comment 1 Daniel Walsh 2016-08-29 10:09:44 UTC
Network Manager manages the /etc/resolv.conf file, so it renames content over the file.  The weird thing is that ShrewSoft VPN Client on Fedora 24 is mislabeling the file when it creates it.  Most likely it is creating a temporary file in /etc and then renaming it over /etc/resolv.conf.

If you could figure out the file name that the tool is creating, then we might be able to setup a file trans fule for this creation.  Or if you could modify the code to run a restorecon after it creates the file, or you could try to use restorecond to watch for new file creations and then fix the label.

Comment 2 Lukas Vrabec 2016-08-30 12:20:32 UTC
Dan is right. Could you provide info?

Comment 3 Melvin Jones 2016-08-30 12:41:47 UTC
Thanks for the follow up.

I looked into it and this is what is happening.  When I am not connected using ShrewSoft the /etc/resolv.conf file is a symlink that points to /var/run/NetworkManager/resolv.conf, which has the proper type of net_conf_t.

Whenever I connect with Shrewsoft, it removes the symlink and adds it's own version of /etc/resolv.conf with has a type of etc_t.

I am not sure what happens at this point, but it appears NetworkManager tries to remove the file so it can recreate the symlink or something?

Like I said before, it still works fine besides the alert that comes up.

Comment 4 Lukas Vrabec 2016-08-30 13:05:27 UTC
Melvin,
Could you connect using ShrewSoft and then attach output of:

# ps -efZ | grep ShrewSoft

Thanks.

Comment 5 Melvin Jones 2016-08-30 14:26:10 UTC
[melvin@MyComputer ~]$ ps -efZ | grep ike

system_u:system_r:unconfined_service_t:s0 root 19988 1  0 08:37 ?      00:00:00 /usr/sbin/iked -f /etc/iked.conf

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 melvin 21044 1  0 10:21 pts/1 00:00:00 /usr/bin/qikea

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 melvin 21048 21044  1 10:21 pts/1 00:00:00 qikec -r MySite

iked is the daemon that runs in the background, qikea is the GUI which holds all of the connections and qikec runs whenever you actually create a connection and put in your username/password.

Comment 6 Daniel Walsh 2016-08-30 20:22:38 UTC
https://github.com/fedora-selinux/selinux-policy/pull/152

Might fix the problem.

Comment 7 Fedora Update System 2016-11-04 12:11:36 UTC
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 8 Fedora Update System 2016-11-05 03:36:21 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3

Comment 9 Fedora Update System 2016-11-10 03:29:49 UTC
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.