Bug 639074
| Summary: | NetworkManager writing out resolv.conf with wrong context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Mark Chappell <tremble> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.0 | CC: | mmalik, snagar |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-56.el6 | Doc Type: | Bug Fix |
| Doc Text: | With SELinux running in the enforcing mode, resuming the system from the Suspend mode failed, because the /etc/resolv.conf file did not have the correct security context. This was caused by NetworkManager, which was running under wrong SELinux domain, "devicekit_power_t". With this update, the proper SELinux domain transition from DeviceKit-power to NetworkManager has been added, and resuming from the Suspend mode now works as expected. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-19 11:56:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 580448, 609355, 644808 | ||
Miroslav add

    optional_policy(`
        networkmanager_domtrans(devicekit_power_t)
    ')

Fixed in selinux-policy-3.7.19-56.el6.noarch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
Description of problem:
When resuming from suspend, NetworkManager is writing out /etc/resolv.conf.tmp, which is being created as etc_t; this is then being moved to replace the existing /etc/resolv.conf.

This is, I think, the related create...

type=AVC msg=audit(1285868806.229:1625): avc: granted { create } for pid=28423 comm="NetworkManager" name="resolv.conf.tmp" scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

It's then failing to unlink the resolv.conf it created when I try to reconnect, leaving DNS config in a wonky state.

Version-Release number of selected component (if applicable):
[mchappel@mchappel ~]$ rpm -q selinux-policy
selinux-policy-3.7.19-54.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Connect to network using NetworkManager
2. Suspend machine
3. Restart machine

Actual results:
/etc/resolv.conf and /etc/hosts have a context of system_u:object_r:etc_t:s0

Expected results:
/etc/resolv.conf and /etc/hosts have a context of system_u:object_r:net_conf_t:s0
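Added example, not part of the original report or of selinux-policy: a small Python check that parses AVC records like the one quoted above and flags both symptoms, a process running in the wrong domain and a file created with the wrong type. The record in the report is `granted`, not `denied`, so the check looks at both outcomes. The `NetworkManager_t` entry in the expected-domain table, the names `parse_avc`, `findings` and `FIXED`, and the `FIXED` sample line are assumptions of this example.

```python
import re

# Assumption of this example: NetworkManager_t is the domain NetworkManager should run in.
EXPECTED_DOMAIN = {"NetworkManager": "NetworkManager_t"}
# File labels taken from the report's "Expected results".
EXPECTED_FILE_TYPE = {"resolv.conf": "net_conf_t", "hosts": "net_conf_t"}

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+"
                    r"(?P<result>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"serial": int(m["serial"]), "result": m["result"], "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    for key in ("scontext", "tcontext"):
        # Context is user:role:type:level; the MLS level may itself contain ':'.
        parts = rec.get(key, "").split(":", 3)
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def findings(line):
    """Flag wrong-domain processes and mislabelled creates, whether granted or denied."""
    rec = parse_avc(line)
    if rec is None:
        return []
    out = []
    want = EXPECTED_DOMAIN.get(rec.get("comm"))
    if want and rec["scontext_type"] != want:
        out.append(f"domain: {rec['comm']} ran as {rec['scontext_type']}, expected {want}")
    # The report says resolv.conf.tmp is moved over resolv.conf, so judge it by that name.
    name = rec.get("name", "")
    want = EXPECTED_FILE_TYPE.get(name[:-4] if name.endswith(".tmp") else name)
    if want and "create" in rec["perms"] and rec["tcontext_type"] != want:
        out.append(f"label: {name} created as {rec['tcontext_type']}, expected {want}")
    return out

# The record quoted in the report.
REPORTED = ('type=AVC msg=audit(1285868806.229:1625): avc: granted { create } for pid=28423 '
            'comm="NetworkManager" name="resolv.conf.tmp" '
            'scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:etc_t:s0 tclass=file')
# Constructed sample: the same create after the domain transition is in place.
FIXED = REPORTED.replace("devicekit_power_t", "NetworkManager_t").replace("etc_t", "net_conf_t")
```

`findings(REPORTED)` returns one `domain:` and one `label:` entry, while `findings(FIXED)` returns an empty list.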