Bug 1715597
| Summary: | Multiple denials for NetworkManager access to 'nsfs' in Fedora-Rawhide-20190529.n.0 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 31 | CC: | dwalsh, lvrabec, mgrepl, plautrba, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | openqa | ||
| Fixed In Version: | selinux-policy-3.14.4-23.fc31 selinux-policy-3.14.4-39.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-29 01:27:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit 3408b23fc140bfea72d20730b0e0e29d728d580c (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Fri May 31 10:30:48 2019 +0200
Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'. This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to 31. FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499 selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499 FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6 selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6 selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report. |
Fedora-Rawhide-20190529.n.0 in openQA testing shows some new SELinux denials after a fresh install and boot. These did not appear in Fedora-Rawhide-20190527.n.0. These are the denials (I booted in permissive mode to check we got *all* the denials): ---- time->Thu May 30 11:15:43 2019 type=AVC msg=audit(1559240143.248:102): avc: denied { read } for pid=854 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 ---- time->Thu May 30 11:16:12 2019 type=AVC msg=audit(1559240172.938:88): avc: denied { read } for pid=825 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 ---- time->Thu May 30 11:16:12 2019 type=AVC msg=audit(1559240172.938:89): avc: denied { open } for pid=825 comm="NetworkManager" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 The obvious difference between the two composes is the arrival of selinux-policy-3.14.4-19.fc31, the previous compose had 18.fc31. I'm not sure what practical effect this has, it doesn't seem to stop the network working at least.