Bug 1242567 - please update selinux-policy to enable dnssec-trigger to restart NetworkManager
Summary: please update selinux-policy to enable dnssec-trigger to restart NetworkManager
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: Default_Local_DNS_Resolver
 
Reported: 2015-07-13 15:25 UTC by Tomáš Hozza
Modified: 2015-07-15 13:12 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-07-15 13:12:12 UTC
Type: Bug
Embargoed:


Attachments:
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode (17.87 KB, text/plain), 2015-07-13 15:25 UTC, Tomáš Hozza

Description Tomáš Hozza 2015-07-13 15:25:48 UTC
Created attachment 1051461 [details]
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode

Description of problem:
On stop, dnssec-trigger determines if systemd is running on the system by checking /sys/fs/cgroup/systemd and then restarts NetworkManager using systemctl.

SELinux seems to forbid these two actions:

type=AVC msg=audit(1436800269.309:2684): avc:  denied  { execute_no_trans } for  pid=19480 comm="dnssec-trigger-" path="/usr/bin/systemctl" dev="dm-1" ino=5375025 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1

and 

type=AVC msg=audit(1436800269.308:2681): avc:  denied  { getattr } for  pid=19435 comm="dnssec-trigger-" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.4.fc22.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
see the attached audit.txt

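The two AVC records quoted in the description are the raw material a policy maintainer works from, so here is an added illustration (not from the bug report, dnssec-trigger, or selinux-policy) of how to parse such records into their fields and derive the minimal `allow` rules they imply, in the same type-enforcement syntax that audit2allow prints. The parsing rules and the `allow_rules` helper are my own; the input lines are the two denials above.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description (copied verbatim from the report).
AVC_LINES = [
    'type=AVC msg=audit(1436800269.309:2684): avc:  denied  { execute_no_trans } for  pid=19480 comm="dnssec-trigger-" path="/usr/bin/systemctl" dev="dm-1" ino=5375025 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1436800269.308:2681): avc:  denied  { getattr } for  pid=19435 comm="dnssec-trigger-" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # permissive=1 means the denial was only logged; the operation still succeeded.
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields.get('tclass'),
    }
    # A security context is user:role:type:level; TE rules only need the type.
    rec['stype'] = fields['scontext'].split(':')[2]
    rec['ttype'] = fields['tcontext'].split(':')[2]
    return rec


def allow_rules(records):
    """Collapse denied records into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for r in records:
        if r is None or r['result'] != 'denied':
            continue
        grouped[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    records = [parse_avc(line) for line in AVC_LINES]
    for r in records:
        print(f"{r['comm']} -> {r['path']} ({r['tclass']}): {' '.join(r['perms'])}"
              f"{' [permissive]' if r['permissive'] else ''}")
    print()
    print('\n'.join(allow_rules(records)))
```

The generated rules are a starting point for review, not something to load as-is: a maintainer would check whether an existing policy interface already covers the access (running systemctl from a daemon domain is usually handled by a domain transition rather than `execute_no_trans`), and, as this report shows, sometimes the right answer is to change the program so that the access is never needed.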
Comment 1 Tomáš Hozza 2015-07-15 13:12:12 UTC
This is not needed any more, since we changed the implementation to Bug #1242578

