Bug 2088944

Summary: SELinux prevents NetworkManager dispatcher script from running
Product: [Fedora] Fedora
Reporter: Dario Lesca <d.lesca>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 36
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-36.10-1.fc36
Doc Type: If docs needed, set a value
Last Closed: 2022-06-03 03:06:50 UTC
Type: Bug

Description Dario Lesca 2022-05-21 21:29:22 UTC
After updating to Fedora 36 I have an SELinux problem with my personal
NetworkManager dispatcher script.

In the logs I get this error:

mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc:  denied  { getattr } for  pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0

But if I try to set the SELinux permission I get this error:

[lesca@dodo Network]$ sudo chcon system_u:system_r:NetworkManager_dispatcher_t:s0 /etc/NetworkManager/dispatcher.d/15-vpn-disp 
chcon: failed to change context of '/etc/NetworkManager/dispatcher.d/15-vpn-disp' to 'system_u:system_r:NetworkManager_dispatcher_t:s0': Permission denied

Version-Release number of selected component (if applicable):
[lesca@dodo ~]$ rpm -q selinux-policy selinux-policy-targeted NetworkManager
selinux-policy-36.8-2.fc36.noarch
selinux-policy-targeted-36.8-2.fc36.noarch
NetworkManager-1.38.0-1.fc36.x86_64


How reproducible:
Add a script in /etc/NetworkManager/dispatcher.d/ like this:

#!/bin/bash
# nm-dispatcher calls this with $1 = interface name and $2 = action
if [ "$1" = "tun0" -a "$2" = "up" ]
then
        if /sbin/ip route list dev "$1"|grep -q '^10.9.0.' # Specific VPN
        then
                # for any default route, take everything after "default"
                /sbin/ip route list | awk '$1=="default" {$1=""; $2=""; print}'|while read gw
                do
                        # If my home network
                        if [[ "$gw" == *.6.254\ dev\ * ]]
                        then
                                sh -x -c "/sbin/ip route rep 172.16.6.0/24 via $gw; /sbin/ip route rep 10.1.6.0/24 via $gw;"
                        fi
                done

                # DNS Suffix
                sh -x -c "resolvectl domain '$1' extdom1.it extdom2.it"
        fi
fi

The ip and resolvectl commands are prevented by SELinux with these errors:

mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { execute } for  pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { getattr } for  pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { getattr } for  pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied

The only way to allow this execution is to run this command:

sudo semanage permissive -a NetworkManager_dispatcher_t

(to undo: sudo semanage permissive -d NetworkManager_dispatcher_t)

Comment 1 Zdenek Pytela 2022-05-23 08:26:25 UTC
Hi Dario,

Please update to the latest selinux-policy:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-148223ef3b

Ensure the labels are correct:
restorecon -Rvn /etc/NetworkManager/dispatcher.d/

If not, relabel:
restorecon -Rv /etc/NetworkManager/dispatcher.d/

Then run your scripts/restart services/reboot and collect denials:
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2 Dario Lesca 2022-05-23 13:56:11 UTC
I have updated everything (dnf update), then I have updated as suggested (sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-148223ef3b) and rebooted.

I open the VPN, my dispatcher script is started and the ip and resolvectl commands are executed properly without problems.

This is the ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today output for the last transaction (15:41):

-------------------
[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc:  denied  { create } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc:  denied  { setopt } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:468) : avc:  denied  { bind } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:469) : avc:  denied  { getattr } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:470) : avc:  denied  { nlmsg_read } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.927:471) : avc:  denied  { nlmsg_write } for  pid=5929 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.932:472) : avc:  denied  { write } for  pid=5930 comm=resolvectl name=system_bus_socket dev="tmpfs" ino=2022 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc:  denied  { connectto } for  pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.933:474) : avc:  denied  { create } for  pid=5930 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.933:475) : avc:  denied  { ioctl } for  pid=5930 comm=resolvectl path=socket:[53969] dev="sockfs" ino=53969 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 


I have also run this command:

-------------------
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
[lesca@dodo ~]$ sudo semanage permissive -a NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 


Customized Permissive Types

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Removing last permissive_NetworkManager_dispatcher_custom_t module (no other permissive_NetworkManager_dispatcher_custom_t module exists at another priority).
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
-------------------

As you can see, there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.
Is this a problem?

But now my dispatcher script works great.

If I must try some other tests, let me know.

Many thanks
Dario

Comment 3 Zdenek Pytela 2022-05-25 14:20:43 UTC
The NetworkManager_dispatcher_custom_t type has been temporarily set to permissive to catch requested permissions; the actions are actually not blocked.

You can try the latest scratchbuild:
https://github.com/fedora-selinux/selinux-policy/pull/1205
Checks -> Details -> Artifacts -> rpms

but note the package version is for rawhide.

Comment 4 Dario Lesca 2022-05-25 19:57:25 UTC
I have updated with the latest scratchbuild proposed

[lesca@dodo ~]$ sudo dnf update '/tmp/selinux-policy-targeted-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' '/tmp/selinux-policy-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' 

but nothing has changed: my dispatcher script works great and there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.


[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

----
type=AVC msg=audit(25/05/2022 00:31:17.946:1009) : avc:  denied  { create } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1010) : avc:  denied  { setopt } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1011) : avc:  denied  { bind } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1012) : avc:  denied  { getattr } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1013) : avc:  denied  { nlmsg_read } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1315) : avc:  denied  { create } for  pid=335058 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1316) : avc:  denied  { ioctl } for  pid=335058 comm=resolvectl path=socket:[1557535] dev="sockfs" ino=1557535 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 



[lesca@dodo ~]$ sudo semanage permissive -l

Tipi permissivi incorporati

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -l^C
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

Now I have downgraded to the previous package
[lesca@dodo ~]$ sudo dnf downgrade selinux-policy-targeted selinux-policy --enablerepo=updates-testing
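An added example (not code from the bug report or from the selinux-policy project) that parses AVC records in both formats quoted in this thread (the journal line in the description and the `ausearch -i` lines in comments 2 and 4), groups them by source type, target type and object class, and renders each group as the allow rule a policy author would have to review, marking whether the access was really refused (permissive=0) or only logged by the temporarily permissive NetworkManager_dispatcher_custom_t domain. The sample records are copied from this thread; nothing here touches the loaded policy.

```python
import re
from collections import defaultdict

# Four records constructed from the ones quoted in this bug: three from
# `ausearch -i` (comment 2) and one journal line (the description).
SAMPLE_AVC = """\
type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc:  denied  { create } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc:  denied  { setopt } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc:  denied  { connectto } for  pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc:  denied  { getattr } for  pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0
"""

# Matches both the raw journal form and the interpreted `ausearch -i` form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)

def selinux_type(ctx):
    """Type field of a user:role:type[:range] context, e.g. NetworkManager_dispatcher_t."""
    return ctx.split(":")[2]

def summarise(text):
    """Group denials by (source type, target type, class) -> requested perms, plus whether any
    record had permissive=0 (really refused, not just logged by a permissive domain)."""
    groups = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        g = groups[(selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])]
        g["perms"].update(m["perms"].split())
        g["blocked"] |= m["permissive"] == "0"
    return dict(groups)

def as_allow_rules(groups):
    """Render each group as the allow rule a policy author would have to review before loading."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        target = "self" if src == tgt else tgt  # same type on both sides is written as self
        perms = " ".join(sorted(g["perms"]))
        status = "denied in enforcing mode" if g["blocked"] else "logged only"
        rules.append(f"allow {src} {target}:{cls} {{ {perms} }};  # {status}")
    return rules

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarise(SAMPLE_AVC))))
```

Feed it the full `ausearch -i` output instead of SAMPLE_AVC to see every domain, target and class the script needs; the "denied in enforcing mode" rules are the ones that broke the script in the description, the "logged only" ones are what the permissive custom type collected for the policy authors.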

Comment 5 Zdenek Pytela 2022-05-26 13:58:14 UTC
Thank you. The netlink_route_socket and unix_dgram_socket denials will be addressed by the next build.

Comment 6 Fedora Update System 2022-05-30 12:48:12 UTC
FEDORA-2022-a8b9033ed5 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

Comment 7 Fedora Update System 2022-06-01 02:28:36 UTC
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-a8b9033ed5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-06-03 03:06:50 UTC
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.