Created attachment 1051462 [details]
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode

Description of problem:
Right now dnssec-trigger on stop restarts NetworkManager. This was reworked so that NM is not restarted, but we are sending it a SIGHUP signal so that it writes resolv.conf with the current data. This functionality will be available in F22 once merged in upstream. Testing has shown that selinux-policy blocks all of this. Please do the necessary changes to allow the described scenario.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.4.fc22.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hi, Could you attach raw AVCs? (/var/log/audit/audit.log) Thank you.
Created attachment 1056669 [details]
audit.log after "systemctl stop dnssec-triggerd.service"

Relevant installed packages:
dnssec-trigger.x86_64 0.13-0.1.20150714svn.fc22
selinux-policy.noarch 3.13.1-128.6.fc22
Any update on this?
commit 04c21003591e4ce342cd955aac34f41ccf3d70c4
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 31 13:44:54 2015 +0200

    Allow dnssec-trigger to exec pidof. BZ(#1256737)
(In reply to Lukas Vrabec from comment #4)
> commit 04c21003591e4ce342cd955aac34f41ccf3d70c4
> Author: Lukas Vrabec <lvrabec>
> Date:   Mon Aug 31 13:44:54 2015 +0200
>
>     Allow dnssec-trigger to exec pidof. BZ(#1256737)

Thank you!
Just to make sure, does the fix include sending a signal to NetworkManager from dnssec-trigger?
Hi Tomas,
Here is our repo with rules related to sending signals:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-contrib/dnssec.te#L80 (see lines from 80 to 82)
selinux-policy-3.13.1-128.13.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
The problem is not fully fixed. I have commented on the issue at https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798

I don't understand why bodhi closes this issue as fixed when the only feedback given to it is that the update doesn't fix the issue...

Here's my comment from the update:

This update gets rid of all the pidof AVCs from #1242578, but actually signalling the NetworkManager still fails:

type=AVC msg=audit(1442408036.812:839): avc: denied { signal } for pid=15811 comm="dnssec-trigger-" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
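The AVC record quoted in the comment above is exactly the input a policy maintainer turns into an `allow` rule (this is what `audit2allow` does). The following Python script is an added example, not code from the bug report or from the selinux-policy project: it parses AVC records from an audit log, groups denials by (source type, target type, object class), and emits the corresponding TE allow rules for review. The first input line is the record from the comment above; the second (a `signull` denial for the same domain pair) is constructed here to show how permissions for one pair are merged into a single rule. The `permissive=1` flag is kept in the parsed result because it tells you the access was logged but not blocked, which is the mode the reporter was testing in.

```python
import re
from dataclasses import dataclass

# Record taken verbatim from the bug comment above.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1442408036.812:839): avc: denied { signal } for pid=15811 '
    'comm="dnssec-trigger-" scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1'
)
# Constructed second record (not from the report) for the same domain pair,
# used only to demonstrate merging of permissions into one rule.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1442408037.001:840): avc: denied { signull } for pid=15811 '
    'comm="dnssec-trigger-" scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1'
)

# "avc: denied { perm1 perm2 } for key=value ..." - capture the verdict,
# the permission set and the trailing key=value fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be quoted (comm="...") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    verdict: str
    perms: tuple
    source_type: str
    target_type: str
    tclass: str
    comm: str
    permissive: bool


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return an Avc, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return Avc(
            verdict=m.group('verdict'),
            perms=tuple(m.group('perms').split()),
            source_type=context_type(fields['scontext']),
            target_type=context_type(fields['tcontext']),
            tclass=fields['tclass'],
            comm=fields.get('comm', ''),
            permissive=fields.get('permissive') == '1',
        )
    except KeyError:
        # An AVC line without scontext/tcontext/tclass is not usable for a rule.
        return None


def format_rule(source, target, tclass, perms):
    """Render a TE allow rule; a single permission needs no braces."""
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source} {target}:{tclass} {perm_str};'


def generate_rules(lines):
    """Group denials by (source, target, class) and emit one allow rule per group."""
    grouped = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.verdict != 'denied':
            continue
        key = (avc.source_type, avc.target_type, avc.tclass)
        grouped.setdefault(key, set()).update(avc.perms)
    return [format_rule(src, tgt, cls, sorted(perms))
            for (src, tgt, cls), perms in sorted(grouped.items())]


if __name__ == '__main__':
    for rule in generate_rules([AVC_FROM_REPORT, AVC_CONSTRUCTED]):
        print(rule)
```

Run it against a real log with `generate_rules(open('/var/log/audit/audit.log'))`; non-AVC records (SYSCALL, CWD, PATH, ...) are skipped. The rule produced for the report's record, `allow dnssec_trigger_t NetworkManager_t:process signal;`, is the generic-signal permission that the later fix in this bug grants; treat generated rules as candidates to review against the policy's existing interfaces rather than as something to load blindly, since a parser like this will happily turn any denial, including one caused by a real attack, into an allow rule.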
Additional fixes have been added.
https://github.com/fedora-selinux/selinux-policy/commit/57e9dac6db1ca309007628ec6de2f14bd32c5b83

commit 57e9dac6db1ca309007628ec6de2f14bd32c5b83
Author: Miroslav Grepl <mgrepl>
Date:   Tue Sep 22 11:09:08 2015 +0200

    Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)