Bug 1896796
Summary: | SELinux is preventing /usr/lib/systemd/systemd-resolved from create access on the lnk_file /run/systemd/resolve/.#stub-resolv.conf04abd1548d5fbff1 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin <mfs> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 33 | CC: | dustymabe, dwalsh, gorkodashvili1, grepl.miroslav, hermit_mile_0e, lvrabec, mfs, mmalik, omosnace, plautrba, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Reopened, Triaged |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.14.6-31.fc33 selinux-policy-3.14.6-33.fc33 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-12-17 01:24:45 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Martin
2020-11-11 14:57:24 UTC
I'm hitting this too, but you don't need to manually create the symlink yourself (systemd will handle that for you if not for this selinux bug). Starting from a pristine rawhide system (Fedora-Cloud-Base-Vagrant-Rawhide-20201205.n.0.x86_64.vagrant-libvirt.box): ``` [vagrant@vanilla-rawhide ~]$ ls -l /etc/resolv.conf lrwxrwxrwx. 1 root root 39 Dec 5 09:40 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf [vagrant@vanilla-rawhide ~]$ ls -lZ /var/run/systemd/resolve/ total 8 srw-rw-rw-. 1 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 0 Dec 7 21:35 io.systemd.Resolve drwx------. 2 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 60 Dec 7 21:36 netif -rw-r--r--. 1 systemd-resolve systemd-resolve system_u:object_r:net_conf_t:s0 611 Dec 7 21:36 resolv.conf -rw-r--r--. 1 systemd-resolve systemd-resolve system_u:object_r:net_conf_t:s0 738 Dec 7 21:36 stub-resolv.conf [vagrant@vanilla-rawhide ~]$ sudo mkdir /etc/systemd/resolved.conf.d [vagrant@vanilla-rawhide ~]$ echo -e '[Resolve]\nDNSStubListener=no' | sudo tee /etc/systemd/resolved.conf.d/no-stub.conf [Resolve] DNSStubListener=no [vagrant@vanilla-rawhide ~]$ sudo systemctl restart systemd-resolved [vagrant@vanilla-rawhide ~]$ [vagrant@vanilla-rawhide ~]$ sudo systemctl status systemd-resolved ● systemd-resolved.service - Network Name Resolution Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-12-07 21:37:04 UTC; 11s ago Docs: man:systemd-resolved.service(8) man:org.freedesktop.resolve1(5) https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients Main PID: 3509 (systemd-resolve) Status: "Processing requests..." Tasks: 1 (limit: 4640) Memory: 8.8M CPU: 122ms CGroup: /system.slice/systemd-resolved.service └─3509 /usr/lib/systemd/systemd-resolved Dec 07 21:37:04 vanilla-rawhide systemd[1]: Starting Network Name Resolution... Dec 07 21:37:04 vanilla-rawhide systemd-resolved[3509]: Positive Trust Anchors: Dec 07 21:37:04 vanilla-rawhide systemd-resolved[3509]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d Dec 07 21:37:04 vanilla-rawhide systemd-resolved[3509]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa > Dec 07 21:37:04 vanilla-rawhide systemd-resolved[3509]: Using system hostname 'vanilla-rawhide'. Dec 07 21:37:04 vanilla-rawhide systemd-resolved[3509]: Failed to symlink /run/systemd/resolve/stub-resolv.conf: Permission denied Dec 07 21:37:04 vanilla-rawhide systemd[1]: Started Network Name Resolution. [vagrant@vanilla-rawhide ~]$ sudo ausearch -m avc | grep stub type=AVC msg=audit(1607377024.579:1031): avc: denied { create } for pid=3509 comm="systemd-resolve" name=".#stub-resolv.conf3b37f298db79c47a" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=lnk_file permissive=0 ``` If selinux gets set to permissive mode then it works and this is what the resulting directory looks like: ``` [vagrant@vanilla-rawhide ~]$ ls -lZ /var/run/systemd/resolve/ total 4 srw-rw-rw-. 1 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 0 Dec 7 21:41 io.systemd.Resolve drwx------. 2 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 60 Dec 7 21:36 netif -rw-r--r--. 1 systemd-resolve systemd-resolve system_u:object_r:net_conf_t:s0 611 Dec 7 21:41 resolv.conf lrwxrwxrwx. 1 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 11 Dec 7 21:41 stub-resolv.conf -> resolv.conf ``` Looks like we need to update something right around this line: https://github.com/fedora-selinux/selinux-policy/blob/6c7ec1db17385f4ac0c86f2e989868d70904cc68/policy/modules/system/systemd.te#L1082 My versions: ``` [vagrant@vanilla-rawhide ~]$ rpm -q selinux-policy-targeted systemd selinux-policy-targeted-3.14.7-10.fc34.noarch systemd-247.1-1.fc34.x86_64 ``` I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/499 *** Bug 1898800 has been marked as a duplicate of this bug. *** Backported to F33: https://github.com/fedora-selinux/selinux-policy/pull/500 FEDORA-2020-aff0be81b3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3 Those pull requests don't seem to address the issue. I'm testing with selinux-policy-targeted-3.14.6-31.fc33.noarch. Can you attempt to reproduce the issue with the steps from comment#1 and verify you see the same thing I am? FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aff0be81b3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. OK, I tested the latest build in rawhide (selinux-policy-targeted-3.14.7-11.fc34.noarch) and it worked great. So something wrong with the backport? FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. re-opening since selinux-policy-3.14.6-31.fc33 didn't have the patches needed for this bug FEDORA-2020-f33aa1146d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f33aa1146d FEDORA-2020-f33aa1146d has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f33aa1146d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f33aa1146d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-f33aa1146d has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. |