Bug 2055199

Summary: avc: denied { execute } for comm="nm-dispatcher" name="04-iscsi" on every boot
Product: Red Hat Enterprise Linux 8
Reporter: Martin Pitt <mpitt>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Priority: unspecified
Version: 8.6
CC: lvrabec, mmalik, mmarusak, ssekidde
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: 8.6
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: CockpitTest
Doc Type: No Doc Update
Last Closed: 2022-02-16 13:33:20 UTC
Type: Bug

Description Martin Pitt 2022-02-16 13:13:01 UTC
Description of problem: Our latest RHEL 8.6 image refresh [1] found a regression in nightly that affects every boot.


Version-Release number of selected component (if applicable):

selinux-policy (3.14.3-89.el8 -> 3.14.3-91.el8)

The image refresh updated a few other packages, see the bottom of [2] for details. But specifically, NetworkManager did *not* update.


How reproducible: Always

Steps to Reproduce:
1. Boot current RHEL 8.6 nightly cloud image


Actual results:

NetworkManager[884]: <info>  [1645016850.5617] device (virbr0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
NetworkManager[884]: <info>  [1645016850.5634] device (virbr0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
NetworkManager[884]: <info>  [1645016850.5638] device (virbr0): Activation: starting connection 'virbr0' (05d6de47-9aa0-4d7f-8015-0a2039c4f0cd)
NetworkManager[884]: <info>  [1645016850.5639] device (virbr0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
NetworkManager[884]: <info>  [1645016850.5641] device (virbr0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
NetworkManager[884]: <info>  [1645016850.5641] device (virbr0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
NetworkManager[884]: <info>  [1645016850.5642] device (virbr0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
nm-dispatcher[922]: req:7 'pre-up' [virbr0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-up.d”: Permission denied
NetworkManager[884]: <info>  [1645016850.5670] device (virbr0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
nm-dispatcher[922]: req:8 'up' [virbr0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
NetworkManager[884]: <info>  [1645016850.5671] device (virbr0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
nm-dispatcher[922]: req:8 'up' [virbr0], "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/usr/lib/NetworkManager/dispatcher.d/04-iscsi” (Permission denied)
NetworkManager[884]: <info>  [1645016850.5673] device (virbr0): Activation: successful, device activated.
kernel: audit: type=1400 audit(1645016850.567:9): avc:  denied  { execute } for  pid=1598 comm="nm-dispatcher" name="04-iscsi" dev="vda3" ino=9978578 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=0
NetworkManager[884]: <warn>  [1645016850.5737] dispatcher: (8) /usr/lib/NetworkManager/dispatcher.d/04-iscsi failed (exec failed): Failed to execute child process “/usr/lib/NetworkManager/dispatcher.d/04-iscsi” (Permission denied)


Expected results: That shouldn't happen :-)


Additional info:

[1] https://github.com/cockpit-project/bots/pull/2940
[2] https://logs.cockpit-project.org/logs/image-refresh-2940-20220215-022121/log
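
Added example (not part of the original report and not Red Hat tooling): a small Python parser for the AVC record quoted in the description. It extracts the source and target SELinux types, object class and permission so that repeated denials in a boot journal can be grouped for triage. The function names and the `SAMPLE` list are illustrative; the two sample lines are copied from the log above.

```python
import re
from collections import Counter

# Kernel AVC denial: "avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=0 means the denial was enforced, not merely logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                key = (rec['source_type'], rec['target_type'], rec['tclass'], perm)
                counts[key] += 1
    return counts


# Sample input: the AVC record and one unrelated line from this report's log.
SAMPLE = [
    'kernel: audit: type=1400 audit(1645016850.567:9): avc:  denied  { execute } for  pid=1598 comm="nm-dispatcher" name="04-iscsi" dev="vda3" ino=9978578 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=file permissive=0',
    "NetworkManager[884]: <info>  [1645016850.5673] device (virbr0): Activation: successful, device activated.",
]

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
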

Comment 1 Zdenek Pytela 2022-02-16 13:33:20 UTC

*** This bug has been marked as a duplicate of bug 1989070 ***