Bug 2088944

| Field | Value |
|---|---|
| Summary | SELinux prevents NetworkManager dispatcher script from running |
| Product | Fedora |
| Reporter | Dario Lesca <d.lesca> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | medium |
| Version | 36 |
| CC | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-36.10-1.fc36 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2022-06-03 03:06:50 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Dario Lesca
2022-05-21 21:29:22 UTC
Hi Dario,

Please update to the latest selinux-policy:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-148223ef3b

Ensure the labels are correct:

```
restorecon -Rvn /etc/NetworkManager/dispatcher.d/
```

If not, relabel:

```
restorecon -Rv /etc/NetworkManager/dispatcher.d/
```

Then run your scripts/restart services/reboot and collect denials:

```
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
```

---

I have updated everything (dnf update), then updated as suggested (sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-148223ef3b) and rebooted.

I opened the VPN, my dispatcher script started, and the ip and resolvectl commands executed properly without problems.

This is the ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today output for the last transaction (15:41):

-------------------
```
[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc: denied { create } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc: denied { setopt } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:468) : avc: denied { bind } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:469) : avc: denied { getattr } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:470) : avc: denied { nlmsg_read } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.927:471) : avc: denied { nlmsg_write } for pid=5929 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:472) : avc: denied { write } for pid=5930 comm=resolvectl name=system_bus_socket dev="tmpfs" ino=2022 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc: denied { connectto } for pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.933:474) : avc: denied { create } for pid=5930 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.933:475) : avc: denied { ioctl } for pid=5930 comm=resolvectl path=socket:[53969] dev="sockfs" ino=53969 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
```

I have also run this command:

-------------------
```
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

[lesca@dodo ~]$ sudo semanage permissive -a NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Removing last permissive_NetworkManager_dispatcher_custom_t module (no other permissive_NetworkManager_dispatcher_custom_t module exists at another priority).

[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```
-------------------

As you can see, there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete. Is this a problem?

But now my dispatcher script works great. If I must try some other test, let me know.

Many thanks,
Dario

---

The NetworkManager_dispatcher_custom_t type has been temporarily set to permissive to catch requested permissions; the actions are actually not blocked.
You can try the latest scratchbuild: https://github.com/fedora-selinux/selinux-policy/pull/1205 (Checks -> Details -> Artifacts -> rpms), but note the package version is for rawhide.

---

I have updated with the latest proposed scratchbuild:

```
[lesca@dodo ~]$ sudo dnf update '/tmp/selinux-policy-targeted-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' '/tmp/selinux-policy-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm'
```

but nothing has changed: my dispatcher script works great and there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.

```
[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1009) : avc: denied { create } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1010) : avc: denied { setopt } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1011) : avc: denied { bind } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1012) : avc: denied { getattr } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1013) : avc: denied { nlmsg_read } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1315) : avc: denied { create } for pid=335058 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1316) : avc: denied { ioctl } for pid=335058 comm=resolvectl path=socket:[1557535] dev="sockfs" ino=1557535 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1

[lesca@dodo ~]$ sudo semanage permissive -l

Tipi permissivi incorporati

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -l^C
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
```

Now I have downgraded to the previous package:

```
[lesca@dodo ~]$ sudo dnf downgrade selinux-policy-targeted selinux-policy --enablerepo=updates-testing
```

---

Thank you. The netlink_route_socket and unix_dgram_socket denials will be addressed by the next build.

---

FEDORA-2022-a8b9033ed5 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

---

FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-a8b9033ed5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

---
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
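As an added example (not part of this bug report or of the selinux-policy project), the following Python parser aggregates ausearch AVC records like the ones posted above into allow-rule shaped lines per (source type, target type, object class), which is how a policy maintainer triages what a permissive domain such as NetworkManager_dispatcher_custom_t is asking for, and checks whether every record carried permissive=1 (logged but not actually blocked), the situation the thread describes. The sample records are copied from the output above; the aggregation is a simplified stand-in for what audit2allow does, not that tool.

```python
import re
from collections import defaultdict

# Constructed sample: four records copied from the ausearch output in this bug, one per line.
SAMPLE = """type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc: denied { create } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc: denied { setopt } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc: denied { connectto } for pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
"""

# Matches both kernel AVC and userspace (dbus) USER_AVC records: the "avc: denied { perms }"
# prefix, then the scontext/tcontext/tclass triple and the optional permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC record; separator lines ('----') are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scon")),
            "target": type_of(m.group("tcon")),
            "tclass": m.group("tclass"),
            "permissive": m.group("perm") == "1",
        })
    return records

def summarize(records):
    """Collapse records into allow-rule shaped lines, one per (source, target, class)."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt  # same-type access is written as self
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def only_permissive(records):
    """True when every record was logged with permissive=1, i.e. nothing was actually blocked."""
    return bool(records) and all(r["permissive"] for r in records)
```

Feed it the full `ausearch -i` output of the thread instead of SAMPLE to get the complete list of permissions the dispatcher domain would need once it leaves permissive mode.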