Bug 2053388

Please find the package which brought the 04-iscsi file:

# rpm -qf /etc/NetworkManager/dispatcher.d/04-iscsi

Thank you.

(In reply to Milos Malik from comment #1)
> Please find the package which brought the 04-iscsi file:
> 
> # rpm -qf /etc/NetworkManager/dispatcher.d/04-iscsi
> 
> Thank you.

$ rpm -qf /usr/lib/NetworkManager/dispatcher.d/04-iscsi
iscsi-initiator-utils-6.2.1.4-4.git095f59c.el8.x86_64

Based on the collected SELinux denials and based on the content of scripts located in the /usr/lib/NetworkManager/dispatcher.d/ directory, the NetworkManager dispatcher wants to run the systemctl and smbcontrol programs.

Permissions for lnk_file are missing even in the upstream policy:
https://github.com/fedora-selinux/selinux-policy/pull/1071

Also note cloud-init brings /etc/NetworkManager/dispatcher.d/cloud-init-azure-hook (rhel8/9) or /etc/NetworkManager/dispatcher.d/hook-network-manager (fedora)

Summary of problems reported in 3 bzs:

1.
type=PROCTITLE msg=audit(02/11/2022 18:24:43.253:327) : proctitle=/usr/libexec/nm-dispatcher 
type=PATH msg=audit(02/11/2022 18:24:43.253:327) : item=0 name=/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/11/2022 18:24:43.253:327) : cwd=/ 
type=SYSCALL msg=audit(02/11/2022 18:24:43.253:327) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x560021c71530 a1=0x7ffd32b94050 a2=0x7ffd32b94050 a3=0x0 items=1 ppid=1 pid=5519 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher exe=/usr/libexec/nm-dispatcher subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null) 
type=AVC msg=audit(02/11/2022 18:24:43.253:327) : avc:  denied  { read } for  pid=5519 comm=nm-dispatcher name=90-nm-cloud-setup.sh dev="vda2" ino=8503268 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=lnk_file permissive=0 
2.
type=USER_AVC msg=audit(1644707426.286:1415): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1644707426.286:1416): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
3.
PROCTITLE msg=audit(02/12/2022 18:10:26.298:1423) : proctitle=/bin/bash /usr/libexec/chrony-helper create-helper-directory
type=SYSCALL msg=audit(02/12/2022 18:10:26.298:1423) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffc7f2d6280 a3=0x0 items=0 ppid=60967 pid=60970 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)
type=AVC msg=audit(02/12/2022 18:10:26.298:1423) : avc:  denied  { ioctl } for  pid=60970 comm=chrony-helper path=/usr/libexec/chrony-helper dev="sdb5" ino=6979330917 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
4.
type=AVC msg=audit(02/12/2022 18:10:26.308:1430) : avc:  denied  { dac_read_search } for  pid=60976 comm=chronyc capability=dac_read_search  scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(02/12/2022 18:10:26.308:1430) : arch=x86_64 syscall=unlink success=no exit=ENOENT(No such file or directory) a0=0x561e48824140 a1=0x561e46b15dbd a2=0x0 a3=0x0 items=1 ppid=60975 pid=60976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)
type=CWD msg=audit(02/12/2022 18:10:26.308:1430) : cwd=/
type=PATH msg=audit(02/12/2022 18:10:26.308:1430) : item=0 name=/run/chrony/ inode=33152 dev=00:18 mode=dir,750 ouid=unknown(995) ogid=pipewire rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
5.
type=PROCTITLE msg=audit(02/14/2022 15:43:11.965:31) : proctitle=/bin/sh /usr/lib/NetworkManager/dispatcher.d/04-iscsi none hostname
type=SYSCALL msg=audit(02/14/2022 15:43:11.965:31) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x4 a1=0x7fff81909930 a2=0x6e a3=0x0 items=0 ppid=1561 pid=1566 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=04-iscsi exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)

List of plugins:
/etc/NetworkManager/dispatcher.d/cloud-init-azure-hook 
/usr/lib/NetworkManager/dispatcher.d/04-iscsi
/usr/lib/NetworkManager/dispatcher.d/11-dhclient
/usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
/usr/lib/NetworkManager/dispatcher.d/30-winbind
/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
/usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh

*** Bug 2054228 has been marked as a duplicate of this bug. ***

*** Bug 2054291 has been marked as a duplicate of this bug. ***

This one appears in Fedora, but reproducer is not known:
type=USER_AVC msg=audit(02/13/2022 02:04:59.729:5223) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=1  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

*** Bug 2054728 has been marked as a duplicate of this bug. ***

After 16 feb Centos Stream 8 upgrade
NetworkManager-dispatcher.service works with errors:
# systemctl status NetworkManager-dispatcher.service
● NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager-dispatcher.service; enabled; vendor preset: enabled)
   Active: inactive (dead)

Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:1 'hostname': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:1 'hostname', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/usr/lib/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:2 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:2 'connectivity-change', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/u>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:3 'pre-up' [ens3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/N>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:4 'up' [ens3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:4 'up' [ens3], "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/usr/lib/Net>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:5 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:5 'connectivity-change', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/u>
Feb 16 02:07:32 xxxxx.com systemd[1]: NetworkManager-dispatcher.service: Succeeded.

This is the list of nm-dispatcher plugins and packages I managed to collect so far:

/etc/NetworkManager/dispatcher.d/11-dhclient
/etc/NetworkManager/dispatcher.d/20-chrony-dhcp
/etc/NetworkManager/dispatcher.d/20-chrony-onoffline
/etc/NetworkManager/dispatcher.d/90-console-login-helper-messages-gensnippet_if
/etc/NetworkManager/dispatcher.d/cloud-init-azure-hook
/etc/NetworkManager/dispatcher.d/hook-network-manager
/usr/lib/NetworkManager/dispatcher.d/04-iscsi
/usr/lib/NetworkManager/dispatcher.d/11-dhclient
/usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
/usr/lib/NetworkManager/dispatcher.d/30-winbind
/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
/usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh

chrony
cloud-init
console-login-helper-messages-issuegen
dhcp-client
iscsi-initiator-utils
NetworkManager-cloud-setup
samba-winbind

Confining nm-dispatcher plugins will not be included in Red Hat Enterprise Linux 8 as there would be a non-negligible risk of regression. We will now close this issue, but if you believe that the decision needs to be reconsidered, feel free to reopen this bug and attach information regarding severity of the bugzilla.