Bug 1777506
| Summary: | NetworkManager's nm-dispatcher runs with wrong SELinux context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Thomas Haller <thaller> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | atragler, bgalvani, lrintel, lvrabec, mmalik, plautrba, rkhan, ssekidde, sukulkar, thaller, zpytela |
| Target Milestone: | rc | Keywords: | Patch, Triaged |
| Target Release: | 8.3 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 01:55:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Thomas Haller
2019-11-27 16:34:30 UTC
> It should not run with NetworkManager's context.
The real problem is not the context with which nm-dispatcher runs, but the context of the applications that it executes.
Usually, I would try to come up with a patch, but this is beyond my understanding how this is supposed to work.
Reassigning to selinux-policy.
For example, supposed I have the following dispatcher scripts:
```
$ cat /usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
#!/bin/sh
case "$2" in
up|dhcp4-change)
exec systemctl --no-block restart nm-cloud-setup.service
;;
esac
```
then I get:
Nov 28 10:25:31 rh1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/nm-cloud-setup.service" cmdline="" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Nov 28 10:25:31 rh1 nm-dispatcher[3870728]: Failed to restart nm-cloud-setup.service: Access denied
Nov 28 10:25:31 rh1 nm-dispatcher[3870728]: See system logs and 'systemctl status nm-cloud-setup.service' for details.
ah, seems this got fixed upstream: https://github.com/fedora-selinux/selinux-policy-contrib/commit/11a7e057817f2945bd5302370e3dd3f9866a0bd4 Fixes from Fedora:
commit 11a7e057817f2945bd5302370e3dd3f9866a0bd4
Author: Nikola Knazekova <nknazeko>
Date: Fri Nov 22 23:14:46 2019 +0100
Label /usr/lib/NetworkManager/dispatcher as NetworkManager_initrc_exec_t
With NetworkManager 1.20 the dispatcher scripts are moved out of /etc to /usr/lib.
https://src.fedoraproject.org/rpms/dhcp/c/b25b19a69ea76e9d11b188a153b4d7214e36b017?branch=master
Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1764485
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4528 |