Bug 1787162
| Summary: | SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | cody6730 |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 31 | CC: | awilliam, bgalvani, dcbw, dwalsh, fgiudici, gnome-sig, grepl.miroslav, john.j5live, lkundrak, lslebodn, lvrabec, mclasen, mgrepl, MikeDawg, mwolf, omosnace, peterg, plautrba, rhughes, rstrode, sandmann, thaller, thorwaldson, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:16e78f41074e8f0bdd376bbb5138406c6e9fcd6537097d6f8aac948cc740d9d5;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.14.4-46.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-07 01:51:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
cody6730
2019-12-31 16:54:40 UTC
*** Bug 1788213 has been marked as a duplicate of this bug. ***

Hi All,

Is there a possibility that NetworkManager executes restorecon somewhere?

Thanks,
Lukas.

Similar problem has been detected:

Seems to happen whenever NetworkManager establishes a new connection.

hashmarkername: setroubleshoot
kernel:         5.3.16-300.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport

> Is there a possibility that NetworkManager executes restorecon somewhere?
I don't understand this question.
/usr/lib/NetworkManager/dispatcher.d/11-dhclient is provided by dhcp-client package.
It's a shell script that sources further files from /etc/dhcp/dhclient.d.
NetworkManager has little to do with this script, aside from the fact that it gets executed by /usr/libexec/nm-dispatcher (which is the `NetworkManager-dispatcher.service` service). Yes, among other things, that happens "whenever NetworkManager establishes a new connection".
What other files are in /etc/dhcp/dhclient.d?
Similar problem has been detected:

Brought laptop out of suspend (by opening the lid); the alert popped up after 10 or 20 seconds.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport

Similar problem has been detected:

I opened the laptop lid and entered my password; the error came up 10-20 seconds later.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport

Raw Audit Messages

```
type=AVC msg=audit(1580569557.278:333): avc: denied { getattr } for pid=62556 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25176563 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1580569557.278:333): arch=x86_64 syscall=stat success=no exit=EACCES a0=561cbff9da10 a1=7ffe9a2b1d40 a2=7ffe9a2b1d40 a3=561cbff9eaa0 items=1 ppid=62514 pid=62556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null)

type=CWD msg=audit(1580569557.278:333): cwd=/

type=PATH msg=audit(1580569557.278:333): item=0 name=/sbin/restorecon inode=25176563 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
```

Hash: 11-dhclient,NetworkManager_t,setfiles_exec_t,file,getattr

(In reply to Thomas Haller from comment #4)
> > Is there a possibility that NetworkManager executes restorecon somewhere?
>
> I don't understand this question.
>
>
> /usr/lib/NetworkManager/dispatcher.d/11-dhclient is provided by dhcp-client
> package.
> It's a shell script that sources further files from /etc/dhcp/dhclient.d.
>
>
> NetworkManager has little to do with this script, aside that it gets
> executed by /usr/libexec/nm-dispatcher (which is
> `NetworkManager-dispatcher.service` service). Yes, among other that happens
> "whenever NetworkManager establishes a new connection".
>
>
> what other files are in /etc/dhcp/dhclient.d ?

```
sh-5.0# ls -la /etc/dhcp/dhclient.d
total 12
drwxr-xr-x. 2 root root   51 Feb  1 10:34 .
drwxr-x---. 3 root root   24 Feb  1 09:47 ..
-rwxr-xr-x. 1 root root  421 Jul 24  2019 chrony.sh
-rwxr-xr-x. 1 root root 3054 Jul 30  2019 nis.sh
-rwxr-xr-x. 1 root root 2231 Jul 26  2019 ntp.sh
sh-5.0# grep restorecon /etc/dhcp/dhclient.d/*
/etc/dhcp/dhclient.d/nis.sh:            if [ -x /sbin/restorecon ]; then
/etc/dhcp/dhclient.d/nis.sh:                /sbin/restorecon ${1} >/dev/null 2>&1
/etc/dhcp/dhclient.d/nis.sh:        # Do not rely on restorecon.
/etc/dhcp/dhclient.d/nis.sh:        # Try restorecon
/etc/dhcp/dhclient.d/ntp.sh:        restorecon ${CONF} >/dev/null 2>&1
sh-5.0# head -n 35 /etc/dhcp/dhclient.d/ntp.sh | tail -n 15
# Author(s): David Cantrell <dcantrell>
#            Miroslav Lichvar <mlichvar>
#

CONF=/etc/ntp.conf
SAVECONF=${SAVEDIR}/${CONF##*/}.predhclient.${interface}

ntp_replace_conf() {
    echo "$1" | diff -q ${CONF} - > /dev/null 2>&1
    if [ $? -eq 1 ]; then
        echo "$1" > ${CONF}
        restorecon ${CONF} >/dev/null 2>&1
        systemctl try-restart ntpd.service > /dev/null 2>&1 || service ntpd condrestart > /dev/null 2>&1
    fi
sh-5.0# ls -l /usr/sbin/restorecon
lrwxrwxrwx. 1 root root 8 Aug 29 04:22 /usr/sbin/restorecon -> setfiles
sh-5.0# rpm -qf /etc/dhcp/dhclient.d/nis.sh /etc/dhcp/dhclient.d/ntp.sh
ypbind-2.6.1-1.fc31.x86_64
ntp-4.2.8p13-3.fc31.x86_64
```

Thank you, Lukas, for helping investigate the issue.

A PR has been created to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/198

PR commented.

```
commit a7d5d94a79a04575e3fb069e9efd60e74a3fa378 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 4 16:03:06 2020 +0100

    Allow networkmanager_t transition to setfiles_t

    Resolves: rhbz#1787162
```

FEDORA-2020-4824687c8c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c

selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 testing repository.
If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c

selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 stable repository.
If problems still persist, please make note of it in this bug report.

*** Bug 1775549 has been marked as a duplicate of this bug. ***
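Reading the denial the thread quotes, as an added example that is not code from the bug report or from the selinux-policy project: a small Python parser groups the four audit records by their serial number, extracts the source domain, target type, class and permission from the AVC record, checks that the PATH record's name (/sbin/restorecon) and the AVC's path (/usr/sbin/setfiles) refer to the same inode, which is what the symlink listing later in the thread confirms, and contrasts the one-line rule audit2allow would emit with the domain-transition shape of the fix named in the commit message. The audit text is copied from the thread; the function names, the `domtrans_pattern` rendering and the assumption that the PR used exactly that refpolicy macro are mine.

```python
"""Parse the raw audit records quoted in this bug and explain the denial.

Added example, not part of the bug report. AUDIT_RECORDS is copied from the
'Raw Audit Messages' in the thread; everything else is constructed here.
Standard library only.
"""
import re
from collections import defaultdict

# The four audit records from the thread, as setroubleshoot printed them.
AUDIT_RECORDS = """\
type=AVC msg=audit(1580569557.278:333): avc: denied { getattr } for pid=62556 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25176563 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1580569557.278:333): arch=x86_64 syscall=stat success=no exit=EACCES a0=561cbff9da10 a1=7ffe9a2b1d40 a2=7ffe9a2b1d40 a3=561cbff9eaa0 items=1 ppid=62514 pid=62556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=CWD msg=audit(1580569557.278:333): cwd=/
type=PATH msg=audit(1580569557.278:333): item=0 name=/sbin/restorecon inode=25176563 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

# Every audit record starts with type=... msg=audit(<timestamp>:<serial>):
MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; values may be quoted (comm="11-dhclient") or bare (key=(null))
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The AVC body additionally carries 'avc: denied { perm perm } for'
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")


def parse_records(text):
    """Return {serial: {record_type: {key: value}}}, grouping by audit serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, prose, ...)
        body = m.group("body")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if m.group("type") == "AVC":
            pm = PERMS_RE.search(body)
            fields["verdict"] = pm.group(1)
            fields["perms"] = pm.group(2).split()
        events[m.group("serial")][m.group("type")] = fields
    return dict(events)


def explain(event):
    """Summarise one denial: which domain asked for what on which object, and via which name."""
    avc = event["AVC"]
    path = event.get("PATH", {})
    syscall = event.get("SYSCALL", {})
    return {
        "comm": avc["comm"],
        "exe": syscall.get("exe"),                 # the interpreter, not the script
        "syscall": syscall.get("syscall"),
        "source_domain": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "requested_name": path.get("name"),        # what the script stat()ed
        "resolved_path": avc["path"],              # the object the kernel labelled
        # same inode => the requested name is a link to the labelled object
        "same_inode": path.get("inode") == avc.get("ino"),
        "enforced": avc["permissive"] == "0",
    }


def audit2allow_rule(event):
    """The literal rule audit2allow would emit for this AVC: it silences only getattr,
    so the very next step (executing restorecon) would be denied in turn."""
    e = explain(event)
    return "allow %s %s:%s { %s };" % (e["source_domain"], e["target_type"],
                                       e["tclass"], " ".join(e["perms"]))


def domtrans_fix(event, target_domain):
    """The shape of the fix the commit message describes: let the source domain run
    the entrypoint and transition into the program's own domain. target_domain
    (setfiles_t) comes from the commit message; that the PR used this exact
    refpolicy macro is an assumption, not something the bug shows."""
    e = explain(event)
    return "domtrans_pattern(%s, %s, %s)" % (e["source_domain"], e["target_type"], target_domain)


if __name__ == "__main__":
    for serial, event in parse_records(AUDIT_RECORDS).items():
        print("audit serial", serial)
        for k, v in explain(event).items():
            print("  %-16s %s" % (k, v))
        print("  audit2allow:    ", audit2allow_rule(event))
        print("  transition fix: ", domtrans_fix(event, "setfiles_t"))
```

The `same_inode` check is the part worth keeping in a triage script: the AVC names /usr/sbin/setfiles while the script asked for /sbin/restorecon, and only the matching inode number ties the denial to the `[ -x /sbin/restorecon ]` test in nis.sh. `domtrans_pattern` expands to the getattr/read/execute rules on the entrypoint plus a process transition and a `type_transition`, which is why it resolves the whole chain rather than one permission at a time.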