Bug 1818528

Summary: SELinux is preventing systemctl from 'getattr' accesses on the file /usr/lib/systemd/system/dhcpd6.service.
Product: [Fedora] Fedora Reporter: saw-bgzlrhat <saw-bgzlrhat>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 31CC: dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:20fb36b6d099ea5cf78036bc5735abd16bab6f956a383caa09c18b722645f954;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.4-52.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-05 02:40:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description saw-bgzlrhat@sawoct.com 2020-03-28 22:58:24 UTC 
Description of problem:
NetworkManager is unable to restart dhcpd -- denied by SELinux.
Occurs on every interface up event.
Both dhcpd and dhcpd6 services are affected.

The issue started right after upgrading the system to Fedora 31 and occurs on 100% of interface events.
SELinux is preventing systemctl from 'getattr' accesses on the file /usr/lib/systemd/system/dhcpd6.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed getattr access on the dhcpd6.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dhcpd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/dhcpd6.service [ file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           dhcp-server-4.4.1-19.fc31.x86_64
SELinux Policy RPM            selinux-policy-3.14.4-49.fc31.noarch
Local Policy RPM              selinux-policy-targeted-3.14.4-49.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.5.10-200.fc31.x86_64 #1 SMP Wed
                              Mar 18 14:21:38 UTC 2020 x86_64 x86_64
Alert Count                   38
First Seen                    2020-03-25 10:37:27 MSK
Last Seen                     2020-03-29 01:21:08 MSK
Local ID                      3043c747-89ca-4d85-ba87-05b93f44bb68

Raw Audit Messages
type=AVC msg=audit(1585434068.11:293): avc:  denied  { getattr } for  pid=2821 comm="systemctl" path="/usr/lib/systemd/system/dhcpd6.service" dev="dm-0" ino=2350180 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpd_unit_file_t:s0 tclass=file permissive=0


Hash: systemctl,NetworkManager_t,dhcpd_unit_file_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-49.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.5.10-200.fc31.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2020-03-30 07:13:33 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/228
Comment 2 Lukas Vrabec 2020-03-30 07:50:41 UTC 
commit d5da0422ebc96d5acbe912aa8d5c3bc8a1ace015 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Mar 30 08:39:24 2020 +0200

    Allow NetworkManager manage dhcpd unit files
    
    Resolves: rhbz#1818528
Comment 3 Fedora Update System 2020-05-20 13:47:38 UTC 
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c
Comment 4 Fedora Update System 2020-05-21 04:16:17 UTC 
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2020-06-05 02:40:01 UTC 
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.