Bug 1242578 - Please allow dnssec-trigger to get pid of NetworkManager and send it SIGHUP signal
Summary: Please allow dnssec-trigger to get pid of NetworkManager and send it SIGHUP s...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: Default_Local_DNS_Resolver
Reported: 2015-07-13 15:49 UTC by Tomáš Hozza
Modified: 2015-09-22 09:11 UTC
CC List: 7 users

Fixed In Version: 3.13.1-128.13.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-09-16 21:20:38 UTC
Type: Bug
Embargoed:


Attachments
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode (376.91 KB, text/plain)
2015-07-13 15:49 UTC, Tomáš Hozza
audit.log after "systemctl stop dnssec-triggerd.service" (45.51 KB, text/plain)
2015-07-27 16:00 UTC, Daniel Seither

Description Tomáš Hozza 2015-07-13 15:49:30 UTC
Created attachment 1051462 [details]
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode

Description of problem:
Right now, dnssec-trigger restarts NetworkManager on stop. This was reworked so that NM is not restarted; instead we send it a SIGHUP signal so that it writes resolv.conf with the current data.

This functionality will be available in F22 once merged in upstream.

Testing has shown that selinux-policy blocks all of this. Please make the necessary changes to allow the described scenario.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.4.fc22.noarch

Comment 1 Lukas Vrabec 2015-07-27 15:52:45 UTC
Hi, 
Could you attach raw AVCs? (/var/log/audit/audit.log)

Thank you.

Comment 2 Daniel Seither 2015-07-27 16:00:34 UTC
Created attachment 1056669 [details]
audit.log after "systemctl stop dnssec-triggerd.service"

Relevant installed packages:

dnssec-trigger.x86_64 0.13-0.1.20150714svn.fc22
selinux-policy.noarch 3.13.1-128.6.fc22

Comment 3 Tomáš Hozza 2015-08-28 07:55:11 UTC
Any update on this?

Comment 4 Lukas Vrabec 2015-08-31 11:59:55 UTC
commit 04c21003591e4ce342cd955aac34f41ccf3d70c4
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 31 13:44:54 2015 +0200

    Allow dnssec-trigger to exec pidof. BZ(#1256737)

Comment 5 Tomáš Hozza 2015-08-31 13:14:41 UTC
(In reply to Lukas Vrabec from comment #4)
> commit 04c21003591e4ce342cd955aac34f41ccf3d70c4
> Author: Lukas Vrabec <lvrabec>
> Date:   Mon Aug 31 13:44:54 2015 +0200
> 
>     Allow dnssec-trigger to exec pidof. BZ(#1256737)

Thank you!

Comment 6 Tomáš Hozza 2015-08-31 13:16:21 UTC
Just to make sure, does the fix include sending a signal to NetworkManager from dnssec-trigger?

Comment 7 Lukas Vrabec 2015-08-31 13:28:21 UTC
Hi Tomas, 

Here is our repo with rules related to sending signals:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-contrib/dnssec.te#L80 (see lines from 80 to 82)

Comment 8 Fedora Update System 2015-09-14 09:59:51 UTC
selinux-policy-3.13.1-128.13.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798

Comment 9 Fedora Update System 2015-09-15 05:55:31 UTC
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798

Comment 10 Fedora Update System 2015-09-16 21:20:26 UTC
selinux-policy-3.13.1-128.13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Daniel Seither 2015-09-17 08:04:57 UTC
The problem is not fully fixed. I have commented on the issue at https://bodhi.fedoraproject.org/updates/FEDORA-2015-15798

I don't understand why bodhi closes this issue as fixed when the only feedback given to it is that the update doesn't fix the issue...

Here's my comment from the update:

This update gets rid of all the pidof AVCs from #1242578, but actually signalling the NetworkManager still fails:

type=AVC msg=audit(1442408036.812:839): avc: denied { signal } for pid=15811 comm="dnssec-trigger-" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=1
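The denial quoted above is the raw material a policy fix is derived from. As an added illustration (not code from the dnssec-trigger or selinux-policy projects, and not part of this bug's comments), the following Python script does what audit2allow does for the simple case: it parses type=AVC records, pulls out the source and target types, the object class and the denied permissions, and merges them into allow rules. The process:signal record is the one from comment 11 verbatim; the SYSCALL record and the two bin_t:file records are constructed to resemble the earlier pidof denials fixed in comment 4, and their pids, inodes and timestamps are made up.

```python
"""Derive minimal SELinux allow rules from raw AVC denials.

Added example for this bug report, re-implementing the simplest part of
audit2allow. Not code from dnssec-trigger or selinux-policy.
"""
import re
from collections import defaultdict

# Captures the denied permission set, both contexts and the object class
# from a type=AVC record. Field spacing varies between tools, so use \s+.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
)

# Constructed sample log. Line 2 is the real record from comment 11 of this
# bug; the others are made up to look like the earlier pidof denials.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1442408036.812:839): arch=c000003e syscall=62 success=yes exit=0',
    'type=AVC msg=audit(1442408036.812:839): avc: denied { signal } for pid=15811 comm="dnssec-trigger-" '
    'scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 '
    'tclass=process permissive=1',
    'type=AVC msg=audit(1437926000.100:600): avc:  denied  { execute } for  pid=15810 comm="dnssec-trigger-" '
    'name="pidof" dev="sda1" ino=1234 scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1437926000.101:601): avc:  denied  { execute_no_trans } for  pid=15810 '
    'comm="dnssec-trigger-" path="/usr/sbin/pidof" dev="sda1" ino=1234 '
    'scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file permissive=1',
]


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
        # permissive=1 means the access was logged but not actually blocked.
        "permissive": "permissive=1" in line,
    }


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            merged[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    return sorted(
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    # Prints the two rules derived from the sample log, one per line.
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

The process:signal rule this produces is the permission that the first update (comment 4) left out and that the later commit (comment 12) adds; in the Fedora policy it is expressed through the interface rules in dnssec.te pointed at in comment 7 rather than as a bare allow. Two points worth keeping in mind when doing this for real: collect the log in permissive mode, because in enforcing mode the denied pidof exec means the script never learns NetworkManager's pid, so the signal is likely never attempted and its denial never logged; and review every generated rule instead of pasting audit2allow output into policy, since a rule built this way grants exactly what the program tried to do, whether that was legitimate or not.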

Comment 12 Miroslav Grepl 2015-09-22 09:11:48 UTC
Additional fixes have been added.

https://github.com/fedora-selinux/selinux-policy/commit/57e9dac6db1ca309007628ec6de2f14bd32c5b83

commit 57e9dac6db1ca309007628ec6de2f14bd32c5b83
Author: Miroslav Grepl <mgrepl>
Date:   Tue Sep 22 11:09:08 2015 +0200

    Allow dnssec-trigger to send generic signal to Network-Manager. BZ(#1242578)

