Bug 1505081

Summary: SELinux policy prevents NetworkManager from updating systemd-resolved
Product: [Fedora] Fedora
Component: selinux-policy
Version: 27
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Andrew Gunnerson <accounts+fedora>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: accounts+fedora, dwalsh, lsm5, lvrabec, mgrepl, plautrba, pmoore
Fixed In Version: selinux-policy-3.13.1-283.14.fc27
Last Closed: 2017-10-31 15:38:34 UTC
Type: Bug

Description Andrew Gunnerson 2017-10-21 23:24:49 UTC
Description of problem:

NetworkManager currently fails to communicate with systemd-resolved over dbus. This prevents the DNS information in systemd-resolved from being properly updated.

Version-Release number of selected component (if applicable):

NetworkManager-1.8.4-4.fc27.x86_64
systemd-234-8.fc27.x86_64
selinux-policy-3.13.1-283.10.fc27.noarch
selinux-policy-targeted-3.13.1-283.10.fc27.noarch

How reproducible:

Always

Steps to Reproduce:
1. Symlink /usr/lib/systemd/resolv.conf to /etc/resolv.conf
2. Restart NetworkManager. It detects the symlink and enables its systemd-resolved functionality.
3. Reconnect to some network.

Actual results:

NetworkManager prints out an SELinux denial to journald and fails to update systemd-resolved.

```
Oct 21 19:06:40 cxl-4270cto NetworkManager[7475]: <warn>  [1508627200.3741] dns-sd-resolved[0x7ff294004610]: Failed: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.126" (uid=0 pid=7475 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") interface="org.freedesktop.resolve1.Manager" member="SetLinkDomains" error name="(unset)" requested_reply="0" destination=":1.19" (uid=193 pid=1258 comm="/usr/lib/systemd/systemd-resolved " label="system_u:system_r:systemd_resolved_t:s0")
```

Expected results:

NetworkManager should be able to update systemd-resolved.

Additional info:

Raw denial:
```
type=USER_AVC msg=audit(10/21/2017 19:06:40.373:374) : pid=1039 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=SetLinkDomains dest=:1.19 spid=7475 tpid=1258 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
```

Comment 1 Fedora Update System 2017-10-25 10:16:36 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 2 Andrew Gunnerson 2017-10-25 22:58:58 UTC
Thanks for the update! I gave it a try and it seems to be working now.

I'm getting another denial for dbus chat between systemd-resolved and systemd-logind. Not sure if related, but it doesn't impact my original issue at least.

```
type=USER_AVC msg=audit(1508936079.082:2257): pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.login1.Manager member=PrepareForSleep dest=org.freedesktop.DBus spid=1032 tpid=1258 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
```

Comment 3 Fedora Update System 2017-10-27 18:47:35 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 4 Fedora Update System 2017-10-31 15:38:34 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
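
For triaging denials like the two quoted in this report, the following added example (not part of the original bug thread or of selinux-policy) parses dbus `USER_AVC` records and prints the sender and recipient domains, the D-Bus member, and the type-enforcement rule each denial corresponds to. The function names are assumptions made for this example, and the printed rule is only the textual mapping of the denial, not the change shipped in the update.

```python
import re

# The two USER_AVC records quoted in this bug report, one per line.
SAMPLE = """\
type=USER_AVC msg=audit(10/21/2017 19:06:40.373:374) : pid=1039 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=SetLinkDomains dest=:1.19 spid=7475 tpid=1258 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1508936079.082:2257): pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.login1.Manager member=PrepareForSleep dest=org.freedesktop.DBus spid=1032 tpid=1258 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")  # permissions inside { }


def parse_dbus_denial(line):
    """Return the fields of a dbus-daemon USER_AVC denial, or None if not one."""
    perms = PERMS_RE.search(line)
    if not line.startswith("type=USER_AVC") or perms is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
    if fields.get("tclass") != "dbus":
        return None
    return {
        "perms": perms.group(1).split(),
        # A context is user:role:type:level; policy rules are written on the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "msgtype": fields.get("msgtype"),
        "interface": fields.get("interface"),
        "member": fields.get("member"),
        "enforced": fields.get("permissive") == "0",
    }


def te_rule(denial):
    """Type-enforcement rule the denial corresponds to (audit2allow-style text)."""
    perms = denial["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {denial['source']} {denial['target']}:dbus {perm};"


if __name__ == "__main__":
    for record in filter(None, map(parse_dbus_denial, SAMPLE)):
        print(f"{record['source']} -> {record['target']} "
              f"{record['msgtype']} {record['interface']}.{record['member']}")
        print("  " + te_rule(record))
```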