Bug 1989070

Summary:	Create separate SELinux context for NetworkManager-dispatcher : avc: denied { execute } for comm="nm-dispatcher" name="04-iscsi" on every boot
Product:	Red Hat Enterprise Linux 8	Reporter:	Thomas Haller <thaller>
Component:	selinux-policy	Assignee:	Patrik Koncity <pkoncity>
Status:	CLOSED WONTFIX	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	8.6	CC:	bgalvani, cedric.bellegarde, dhodovsk, fge, fpokryvk, jhsiao, JONATHAN.SATTELBERGER, leonfauster, lrintel, lvrabec, mmalik, mmarusak, mpitt, pkoncity, pzatko, riehecky, rkhan, ssekidde, sukulkar, till, vbenes, yidliu, zpytela
Target Milestone:	beta	Keywords:	Triaged
Target Release:	8.7
Hardware:	All
OS:	Linux
Whiteboard:	CockpitTest
Fixed In Version:	selinux-policy-3.14.3-91.el8	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	2053641 (view as bug list)		Environment:
Last Closed:	2022-04-29 16:15:39 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2053641

Description Thomas Haller 2021-08-02 10:36:44 UTC

NetworkManager-dispatcher runs under the same context as NetworkManager;

# ls -lZ /usr/libexec/nm-dispatcher /usr/sbin/NetworkManager 
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_exec_t:s0   58032 Aug  2 10:32 /usr/libexec/nm-dispatcher
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_exec_t:s0 3602712 Aug  2 10:32 /usr/sbin/NetworkManager



That seems highly undesirable to me.


NetworkManager-dispatcher executes user-provided scripts on behalf of the user (or the package which installed those scripts). It thus should have an entirely different security context than NetworkManager.


Also, all dispatcher scripts have the same context too:


# ll -Z /{etc,usr/lib}/NetworkManager/dispatcher.d
"/etc/NetworkManager/dispatcher.d":
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:NetworkManager_initrc_exec_t:s0   0 Nov 28  2019 "30-winbind"
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0      69 Oct  8  2017 "90-vpn-routes.sh" -> "/data/src/portable_environment/scripts/nm-dispatcher/90-vpn-routes.sh"
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0      70 Oct  8  2017 "91-resolv-conf.sh" -> "/data/src/portable_environment/scripts/nm-dispatcher/91-resolv-conf.sh"
-rwxr-xr-x. 1 root root unconfined_u:object_r:NetworkManager_initrc_exec_t:s0 101 Dec 23  2019 "99-test.sh"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0       6 Aug  2 10:32 "no-wait.d"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0       6 Aug  2 10:32 "pre-down.d"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0       6 Aug  2 10:32 "pre-up.d"

"/usr/lib/NetworkManager/dispatcher.d":
total 20
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0  104 Feb 19 09:38 "04-iscsi"
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0 3844 Aug  2 10:32 "10-ifcfg-rh-routes.sh"
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0 1066 May 27 11:25 "11-dhclient"
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0 1416 May 13 17:13 "20-chrony-dhcp"
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0  459 May 12 13:06 "20-chrony-onoffline"
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_initrc_exec_t:s0   30 Aug  2 10:32 "90-nm-cloud-setup.sh" -> "no-wait.d/90-nm-cloud-setup.sh"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0   63 Aug  2 12:31 "no-wait.d"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0    6 Aug  2 10:32 "pre-down.d"
drwxr-xr-x. 2 root root system_u:object_r:NetworkManager_initrc_exec_t:s0   35 Aug  2 12:31 "pre-up.d"



that is again not right. Only because one dispatcher script does something, it doesn't mean that all other dispatcher scripts should have the same permissions. Dispatcher scripts are commonly provided by other applications that react on events from NetworkManager. So their context is more dependent on that other application than on NetworkManager (or NetworkManager-dispatcher).

Comment 4 Patrik Koncity 2021-12-23 13:37:38 UTC

PR: https://github.com/fedora-selinux/selinux-policy/pull/977

Comment 18 Filip Pokryvka 2022-02-14 14:38:56 UTC

Hello, this el8 package seems to break the NetworkManager-ci tests, there are several "Permission denied" for dispatcher directory or script in journal log for "nm-dispatcher", previous version of selinux-policy works fine (also `setenforce 0` works fine), so it is really selinux-policy issue. I would move this back to ASSIGNED and set FailedQA until there is fixed package.

Comment 20 Zdenek Pytela 2022-02-16 13:33:20 UTC

*** Bug 2055199 has been marked as a duplicate of this bug. ***

Comment 21 Martin Pitt 2022-02-16 13:48:52 UTC

Retitling. I was unable to find this bug with a search, so I filed the duplicate bug 2055199. This should make it searchable.

Comment 27 Jean-Tsung Hsiao 2022-02-22 14:51:13 UTC

Our Beaker jobs hit the same issue:

https://beaker.engineering.redhat.com/jobs/6327666 --- under RHEL-8.6.0-20220220.3
https://beaker.engineering.redhat.com/jobs/6327363 --- under RHEL-8.6.0-20220218.1

Same job under RHEL-8.6.0-20220127.4 passed successfully:

https://beaker.engineering.redhat.com/jobs/6277175

Comment 28 Jean-Tsung Hsiao 2022-02-22 14:56:50 UTC

NOTE that we're using the fixed version:

selinux-policy-targeted-3.14.3-91.el8.noarch
*** selinux-policy-3.14.3-91.el8.noarch ***
libselinux-2.9-5.el8.x86_64
python3-libselinux-2.9-5.el8.x86_64
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-28.el8fdp.noarch
rpm-plugin-selinux-4.14.3-21.el8.x86_64

Please advise!
Thanks!
Jean

Comment 29 Zdenek Pytela 2022-02-22 17:19:04 UTC

(In reply to Jean-Tsung Hsiao from comment #28)
> NOTE that we're using the fixed version:
> 
> selinux-policy-targeted-3.14.3-91.el8.noarch
> *** selinux-policy-3.14.3-91.el8.noarch ***
In the latest version all related commites were reverted:

    * Wed Feb 16 2022 Zdenek Pytela <zpytela> - 3.14.3-92
    - Allow postfix_domain read dovecot certificates 1/2
    Resolves: rhbz#2043599
    - Dontaudit dirsrv search filesystem sysctl directories 1/2
    Resolves: rhbz#2042568
    - Allow chage domtrans to sssd
    Resolves: rhbz#2054718
    - Allow postfix_domain read dovecot certificates 2/2
    Resolves: rhbz#2043599
    - Allow ctdb create cluster logs
    Resolves: rhbz#2049481
    - Allow alsa bind mixer controls to led triggers
    Resolves: rhbz#2049730
    - Allow alsactl set group Process ID of a process
    Resolves: rhbz#2049730
    - Dontaudit mdadm list dirsrv tmpfs dirs
    Resolves: rhbz#2011174
    - Dontaudit dirsrv search filesystem sysctl directories 2/2
    Resolves: rhbz#2042568
    - Revert "Label NetworkManager-dispatcher service with separate context"
    Related: rhbz#1989070
^^^
    - Revert "Allow NetworkManager-dispatcher dbus chat with NetworkManager
    Related: rhbz#1989070
^^^

Comment 30 Till Maas 2022-02-23 15:34:55 UTC

*** Bug 2057147 has been marked as a duplicate of this bug. ***

Comment 32 Zdenek Pytela 2022-04-29 16:15:39 UTC

Confining nm-dispatcher plugins will not be included in Red Hat Enterprise Linux 8 as there would be a non-negligible risk of regression. We will now close this issue, but if you believe that the decision needs to be reconsidered, feel free to reopen this bug and attach information regarding severity of the bugzilla.