| Summary: | SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/run/nm-dns-dnsmasq.conf. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Oron Peled <oron> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:40dd15b06891f742a8e5f05bcc4ad4647e9783e673b0fe67457db9193e845ef3 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-07 20:23:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This started to occur after configuring NetworkManager to use DNS caching via dnsmasq, i.e. adding the 'dns=dnsmasq' line to /etc/NetworkManager/NetworkManager.conf. Here are its full contents:

[main]
plugins=ifcfg-rh
dns=dnsmasq

These are the NM related files under /var/run:

ls -lZ /var/run/nm-d*
-rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 /var/run/nm-dhclient-eth0.conf
-rw-------. root root system_u:object_r:var_run_t:s0 /var/run/nm-dns-dnsmasq.conf

restorecon /var/run/nm-dns-dnsmasq.conf does not change its SELinux context. So it seems its context should be changed to NetworkManager_var_run_t (is it correct?)

Forgot to mention that also 'unlink' for the same file is rejected.
Here is the entire message:
SELinux is preventing NetworkManager from unlink access on the file nm-dns-dnsmasq.conf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that NetworkManager should be allowed unlink access on the nm-dns-dnsmasq.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:var_run_t:s0
Target Objects nm-dns-dnsmasq.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host radon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-52.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name radon
Platform Linux radon 2.6.42.9-2.fc15.i686.PAE #1 SMP Mon Mar 5 21:03:10 UTC 2012 i686 i686
Alert Count 10
First Seen Sun 01 Apr 2012 09:04:36 AM IDT
Last Seen Mon 02 Apr 2012 10:46:08 PM IDT
Local ID ee7c09ff-dbfb-41e4-8755-d6917ef02383
Raw Audit Messages
type=AVC msg=audit(1333395968.271:1714): avc: denied { unlink } for pid=946 comm="NetworkManager" name="nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Hash: NetworkManager,NetworkManager_t,var_run_t,file,unlink
audit2allow
#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file unlink;
audit2allow -R
#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file unlink;
/var/run/nm-dns-dnsmasq.conf is mislabeled. What does
$ matchpathcon /var/run/nm-dns-dnsmasq.conf

As I said earlier, restorecon did not change its context. However:
# matchpathcon /var/run/nm-dns-dnsmasq.conf
/var/run/nm-dns-dnsmasq.conf system_u:object_r:var_run_t:s0

For reference:
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.9.16-52.fc15.noarch

Other related files (same before/after restorecon):
# ls -Z /var/run/nm-d*
-rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 /var/run/nm-dhclient-eth0.conf
-rw-------. root root system_u:object_r:var_run_t:s0 /var/run/nm-dns-dnsmasq.conf
-rw-r--r--. root root system_u:object_r:dnsmasq_var_run_t:s0 /var/run/nm-dns-dnsmasq.pid

Nothing in the policy refers to /var/run/nm-dns-dnsmasq.conf:
# semanage fcontext -l | grep dnsmasq
/etc/dnsmasq\.conf regular file system_u:object_r:dnsmasq_etc_t:s0
/etc/rc\.d/init\.d/dnsmasq regular file system_u:object_r:dnsmasq_initrc_exec_t:s0
/usr/sbin/dnsmasq regular file system_u:object_r:dnsmasq_exec_t:s0
/var/lib/dnsmasq(/.*)? all files system_u:object_r:dnsmasq_lease_t:s0
/var/lib/misc/dnsmasq\.leases regular file system_u:object_r:dnsmasq_lease_t:s0
/var/log/dnsmasq.* regular file system_u:object_r:dnsmasq_var_log_t:s0
/var/run/dnsmasq\.pid regular file system_u:object_r:dnsmasq_var_run_t:s0
/var/run/libvirt/network(/.*)? all files system_u:object_r:dnsmasq_var_run_t:s0

I see it now. This is on F15. If you execute
$ chcon -t NetworkManager_var_run_t /var/run/nm-dns-dnsmasq.conf
are you able to reproduce it?

Unsurprisingly it seems to solve the problem.
Testing:
0. chcon -t NetworkManager_var_run_t /var/run/nm-dns-dnsmasq.conf
1. Disconnect network cable, wait for NM to flag no network.
2. Check for empty configuration (no dns server, 0 bytes file):
# ls -ltr /var/run/nm-dns-dnsmasq.*
-rw-------. 1 root root 0 Apr 6 13:05 /var/run/nm-dns-dnsmasq.conf
-rw-r--r--. 1 root root 6 Apr 6 13:05 /var/run/nm-dns-dnsmasq.pid
3. Reconnect network cable, wait for NM to flag network connection is ready.
4. Check updated configuration file (non empty config, content OK):
# ls -ltr /var/run/nm-dns-dnsmasq.*
-rw-------. 1 root root 21 Apr 6 13:05 /var/run/nm-dns-dnsmasq.conf
-rw-r--r--. 1 root root 6 Apr 6 13:05 /var/run/nm-dns-dnsmasq.pid
# cat /var/run/nm-dns-dnsmasq.conf
server=aaa.bbb.ccc.ddd
5. No new messages in /var/log/audit/audit.log
Two questions:
* Does it justify a new policy release? (The workaround is OK for me, no urgent need)
* Not SELinux issue, but why NM default config is without DNS caching?
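The two fixes that appear in this thread are not equivalent, and that is the point worth taking away. The setroubleshoot suggestion (`grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol`) would load `allow NetworkManager_t var_run_t:file unlink`, which lets NetworkManager unlink any file carrying the generic var_run_t label, and the grep sweeps up every NetworkManager denial in the log, not just this one. Relabeling the file to NetworkManager_var_run_t, as done above, keeps the access inside NetworkManager's own type. Two caveats: chcon does not survive a reboot (the AVC shows dev=tmpfs, so /var/run is rebuilt at boot), and a file that NetworkManager creates fresh gets its label from the policy's type transition rules, not from file_contexts, which is why the durable fix belongs in the policy rather than on the reporter's machine. The script below is an added example written for this page, not code from the report, from setroubleshoot or from selinux-policy. It parses the two AVC records quoted in the thread plus one constructed record (marked as such in the code), prints the rules audit2allow would generate, and flags denials whose target is a generic tree-default type together with the persistent relabel commands (`semanage fcontext` plus `restorecon`). The GENERIC_TYPES list and the assumption that a domain's private type is named `<prefix>_var_run_t` are heuristics of the example, not facts stated in the report.

```python
"""Triage of SELinux AVC denials such as the two quoted in this report.
Added example, not code from the report or from selinux-policy: it shows
what audit2allow would emit and flags denials whose target carries a generic
tree-default label (var_run_t here), which points to a labeling bug that a
relabel fixes more safely than a new allow rule."""
import re
from collections import defaultdict

# Tree-default labels. Assumption for this example: a heuristic list, not
# something the report states.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t",
                 "etc_t", "usr_t", "default_t", "file_t", "unlabeled_t"}
# Assumption: a domain's private type follows the refpolicy naming convention
# <prefix>_var_run_t etc., which holds for NetworkManager_t.
OWN_SUFFIX = {"var_run_t": "_var_run_t", "var_lib_t": "_var_lib_t",
              "var_log_t": "_var_log_t", "tmp_t": "_tmp_t", "etc_t": "_etc_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for pid=\d+ comm="(?P<comm>[^"]+)"'
    r'(?P<rest>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')

# Sample input: the first two lines are the AVC records quoted in the report;
# the third is CONSTRUCTED for this example (not in the report) so that a
# denial against a domain-specific target type is exercised as well.
SAMPLE_LOG = [
    'type=AVC msg=audit(1333395968.271:1713): avc: denied { getattr } for pid=946 comm="NetworkManager" path="/var/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1333395968.271:1714): avc: denied { unlink } for pid=946 comm="NetworkManager" name="nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1333395968.271:1715): avc: denied { read } for pid=946 comm="NetworkManager" name="nm-dns-dnsmasq.pid" dev=tmpfs ino=6364674 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dnsmasq_var_run_t:s0 tclass=file',
]

def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC record; None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    obj = re.search(r'(?:path|name)="([^"]*)"', m.group("rest"))
    return {"serial": int(m.group("serial")), "comm": m.group("comm"),
            "perms": m.group("perms").split(),
            "object": obj.group(1) if obj else None,
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass")}

def allow_rules(lines):
    """What audit2allow would emit: one allow per (source, target, class)."""
    perms = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules

def mislabeled(lines):
    """Unique (object, target type, source type) for generic-target denials."""
    found = {(r["object"], r["ttype"], r["stype"])
             for r in filter(None, map(parse_avc, lines))
             if r["ttype"] in GENERIC_TYPES}
    return sorted(found)

def fcontext_regex(path):
    """semanage fcontext takes a regex: escape metacharacters a path may hold."""
    return re.sub(r'([.\[\]{}()*+?^$|\\])', r'\\\1', path)

def fix_commands(path, new_type):
    """Persistent relabel. chcon is fine for a test, but /var/run is tmpfs here
    (dev=tmpfs in the AVC) so a chcon'd label is gone after reboot; a file
    context rule survives and restorecon applies it to the existing file."""
    return [f"semanage fcontext -a -t {new_type} '{fcontext_regex(path)}'",
            f"restorecon -v {path}"]

def triage(lines):
    """Rules audit2allow would add, plus the relabel to try first for every
    generic-target denial that reports a full path."""
    report = {"rules": allow_rules(lines), "relabel": []}
    for obj, ttype, stype in mislabeled(lines):
        if obj and obj.startswith("/") and ttype in OWN_SUFFIX:
            own = stype[:-len("_t")] + OWN_SUFFIX[ttype]
            report["relabel"].append((obj, ttype, fix_commands(obj, own)))
    return report

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("audit2allow would add:", *rep["rules"], sep="\n  ")
    for obj, ttype, cmds in rep["relabel"]:
        print(f"{obj} is {ttype}; relabel first:", *cmds, sep="\n  ")
```

Run against the records from this report, the script reports the getattr and unlink denials collapsed into a single `allow NetworkManager_t var_run_t:file { getattr unlink };` and, because the target type is var_run_t, prints the `semanage fcontext -a -t NetworkManager_var_run_t '/var/run/nm-dns-dnsmasq\.conf'` and `restorecon -v /var/run/nm-dns-dnsmasq.conf` pair instead of recommending that rule. The unlink record carries only `name=` rather than a full `path=`, so it contributes to the rule but not to the relabel suggestion; in practice you take the path from the matching getattr record, as the thread did.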
It is going to be fixed in the next release.

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/run/nm-dns-dnsmasq.conf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that NetworkManager should be allowed getattr access on the nm-dns-dnsmasq.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:object_r:var_run_t:s0
Target Objects /var/run/nm-dns-dnsmasq.conf [ file ]
Source NetworkManager
Source Path NetworkManager
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.16-52.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux radon 2.6.42.9-2.fc15.i686.PAE #1 SMP Mon Mar 5 21:03:10 UTC 2012 i686 i686
Alert Count 2
First Seen Mon 02 Apr 2012 01:29:00 PM IDT
Last Seen Mon 02 Apr 2012 10:46:08 PM IDT
Local ID 97fb56f1-0903-4fa3-8580-1c6858928da0
Raw Audit Messages
type=AVC msg=audit(1333395968.271:1713): avc: denied { getattr } for pid=946 comm="NetworkManager" path="/var/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Hash: NetworkManager,NetworkManager_t,var_run_t,file,getattr
audit2allow
#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file getattr;
audit2allow -R
#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file getattr;