Hide Forgot
Maybe the problem is anomalous label of the directory: # matchpathcon /etc/NetworkManager/dispatcher.d/ /etc/NetworkManager/dispatcher.d system_u:object_r:NetworkManager_initrc_exec_t:s0 # Version-Release number of selected component (if applicable): NetworkManager-0.9.9.0-27.git20131108.el7.x86_64 NetworkManager-glib-0.9.9.0-27.git20131108.el7.x86_64 selinux-policy-3.12.1-109.el7.noarch selinux-policy-targeted-3.12.1-109.el7.noarch How reproducible: always Steps to Reproduce: # service NetworkManager restart # ausearch -m avc -i -ts recent Actual results: ---- type=PATH msg=audit(12/11/2013 12:53:59.308:433) : item=0 name=/etc/NetworkManager/dispatcher.d inode=864877 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_initrc_exec_t:s0 objtype=NORMAL type=CWD msg=audit(12/11/2013 12:53:59.308:433) : cwd=/ type=SYSCALL msg=audit(12/11/2013 12:53:59.308:433) : arch=x86_64 syscall=openat success=no exit=-13(Permission denied) a0=0xffffffffffffff9c a1=0x7fb9bc5f5b78 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=12504 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher.a exe=/usr/libexec/nm-dispatcher.action subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(12/11/2013 12:53:59.308:433) : avc: denied { read } for pid=12504 comm=nm-dispatcher.a name=dispatcher.d dev="dm-1" ino=864877 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir ---- Expected results: * no AVCs
This is because of the latest SELinux NM change for nm-dispatcher.a. Milos, are you getting more AVC related to this change?
These AVCs appeared in permissive mode, but nothing more: ---- type=PATH msg=audit(12/12/2013 07:43:41.477:518) : item=0 name=/etc/NetworkManager/dispatcher.d inode=8735489 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:NetworkManager_initrc_exec_t:s0 objtype=NORMAL type=CWD msg=audit(12/12/2013 07:43:41.477:518) : cwd=/ type=SYSCALL msg=audit(12/12/2013 07:43:41.477:518) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffffffffffff9c a1=0x7f23800ddb78 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2380 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher.a exe=/usr/libexec/nm-dispatcher.action subj=system_u:system_r:NetworkManager_t:s0 key=(null) type=AVC msg=audit(12/12/2013 07:43:41.477:518) : avc: denied { open } for pid=2380 comm=nm-dispatcher.a path=/etc/NetworkManager/dispatcher.d dev="vda3" ino=8735489 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir type=AVC msg=audit(12/12/2013 07:43:41.477:518) : avc: denied { read } for pid=2380 comm=nm-dispatcher.a name=dispatcher.d dev="vda3" ino=8735489 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_initrc_exec_t:s0 tclass=dir ----
I am also getting them.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.