Bug 1226543 - SELinux AVCs with systemd-networkd
Summary: SELinux AVCs with systemd-networkd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 22
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-30 13:19 UTC by Anthony Messina
Modified: 2015-06-11 18:38 UTC (History)

Fixed In Version: selinux-policy-3.13.1-128.1.fc22
Clone Of:
Environment:
Last Closed: 2015-06-11 18:38:22 UTC
Type: Bug
Embargoed:




Links
System            ID       Private  Priority     Status  Summary                Last Updated
Red Hat Bugzilla  1153340  0        unspecified  CLOSED  systemd-networkd AVCs  2021-02-22 00:41:40 UTC

Description Anthony Messina 2015-05-30 13:19:47 UTC
I'd like to run systemd-networkd in Fedora 22, but I get the following errors, despite the issue being marked as resolved in Bug #1153340.

The network seems to work, and the AVCs below report "permissive=1" even when I have SELinux enforcing.

selinux-policy-targeted-3.13.1-126.fc22.noarch
systemd-219-15.fc22.x86_64

## 10-enp3s7.network 
[Match]
Name=enp3s7
[Network]
DHCP=yes

## journald output
Enumeration completed
IPv6: ADDRCONF(NETDEV_UP): enp3s7: link is not ready
Started Network Service.
<audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-networkd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
e1000: enp3s7 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
IPv6: ADDRCONF(NETDEV_CHANGE): enp3s7: link becomes ready
enp3s7          : gained carrier
<audit-1400> avc:  denied  { create } for  pid=739 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket permissive=1
<audit-1400> avc:  denied  { setopt } for  pid=739 comm="systemd-network" lport=58 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket permissive=1
<audit-1400> avc:  denied  { name_bind } for  pid=739 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { node_bind } for  pid=739 comm="systemd-network" saddr=10.77.79.89 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { net_bind_service } for  pid=739 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
[system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
enp3s7          : DHCPv4 address 10.77.79.89/24 via 10.77.79.1
enp3s7          : link configured
Starting Hostname Service...
<audit-1325> table=filter family=2 entries=0
[system] Successfully activated service 'org.freedesktop.hostname1'
<audit-1107> pid=735 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freed
 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Started Hostname Service.
<audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
<audit-1400> avc:  denied  { getattr } for  pid=739 comm="systemd-network" path="socket:[18691]" dev="sockfs" ino=18691 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=rawip_socket
<audit-1400> avc:  denied  { name_bind } for  pid=739 comm="systemd-network" src=546 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { node_bind } for  pid=739 comm="systemd-network" src=546 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
<audit-1400> avc:  denied  { net_bind_service } for  pid=739 comm="systemd-network" capability=10  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1

Comment 1 Miroslav Grepl 2015-06-01 13:14:40 UTC
commit 425f02dc6f2b3887f44a074426d2d7543ad5085d
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jun 1 15:13:41 2015 +0200

    Allow systemd-networkd to bind dhcpc ports if DHCP=yes in *.network conf file. BZ(1226543)

Comment 2 Fedora Update System 2015-06-09 14:39:45 UTC
selinux-policy-3.13.1-128.1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.1.fc22

Comment 3 Fedora Update System 2015-06-10 19:11:31 UTC
Package selinux-policy-3.13.1-128.1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9714/selinux-policy-3.13.1-128.1.fc22
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-06-11 18:38:22 UTC
selinux-policy-3.13.1-128.1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

