Bug 1335651 - dnsmasq update failed: An SELinux policy prevents this sender
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-05-12 19:08 UTC by rvcsaba
Modified: 2016-05-28 18:34 UTC

Fixed In Version: selinux-policy-3.13.1-188.fc24 selinux-policy-3.13.1-189.fc24
Doc Type: Bug Fix
Last Closed: 2016-05-28 18:34:24 UTC


Attachments:
ausearch -m avc -m user_avc -i -ts today (11.53 KB, text/plain)
2016-05-13 13:46 UTC, rvcsaba

Description rvcsaba 2016-05-12 19:08:14 UTC
Description of problem:

I use NetworkManager with the dnsmasq caching nameserver:

cat /etc/NetworkManager/conf.d/99-caching-nameserver.conf 
[main]

dns=dnsmasq

I boot, but there is no name resolution.

May 12 20:34:11 deer NetworkManager[935]: <warn>  [1463078051.3459] dnsmasq[0x55cfb1d9d220]: dnsmasq update failed: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.9" (uid=0 pid=935 comm="/usr/sbin/NetworkManager --no-daemon ")

As a temporary workaround, I disable SELinux:

setenforce 0
systemctl restart NetworkManager


Version-Release number of selected component (if applicable):

dbus-1.11.2-1.fc24.x86_64
dnsmasq-2.75-4.fc24.x86_64
kernel-4.5.4-300.fc24.x86_64
NetworkManager-1.2.2-1.fc24.x86_64
selinux-policy-3.13.1-186.fc24.noarch


How reproducible:
always

Comment 1 Milos Malik 2016-05-13 06:29:57 UTC
Could you collect SELinux denials and attach them here?

# ausearch -m avc -m user_avc -i -ts today

Comment 2 rvcsaba 2016-05-13 13:46:59 UTC
Created attachment 1157129
ausearch -m avc -m user_avc -i -ts today

Comment 3 Milos Malik 2016-05-13 13:55:09 UTC
Based on the attached SELinux denials, dnsmasq and NetworkManager cannot talk to each other via D-Bus:
----
type=USER_AVC msg=audit(05/13/2016 15:36:31.109:390) : pid=802 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager.dnsmasq member=Up dest=org.freedesktop.DBus spid=2811 tpid=2741 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(05/13/2016 15:36:31.181:391) : pid=802 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.59 spid=2741 tpid=2811 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
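
The denials quoted in Comment 3 can be reduced to the source type, target type, class and permission that were refused. The following is an added example (not part of the bug report or of selinux-policy) that does this for `ausearch -i` output, using the two records from Comment 3 as sample input; the function names are hypothetical.

```python
import re
from collections import Counter

# The two USER_AVC records quoted in Comment 3 (ausearch -i output).
SAMPLE = """\
type=USER_AVC msg=audit(05/13/2016 15:36:31.109:390) : pid=802 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager.dnsmasq member=Up dest=org.freedesktop.DBus spid=2811 tpid=2741 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(05/13/2016 15:36:31.181:391) : pid=802 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.59 spid=2741 tpid=2811 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_denial(line):
    """Return a dict for one denied AVC/USER_AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    rec = {k: fields.get(k) for k in ("msgtype", "interface", "member")}
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["source"] = fields["scontext"].split(":")[2]
    rec["target"] = fields["tcontext"].split(":")[2]
    rec["tclass"] = fields["tclass"]
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permissions)."""
    recs = filter(None, map(parse_denial, text.splitlines()))
    return Counter((r["source"], r["target"], r["tclass"], r["perms"]) for r in recs)

def as_rules(counts):
    """Render each denied tuple in SELinux allow-rule syntax for review."""
    rules = []
    for src, tgt, cls, perms in counts:
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return sorted(rules)

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```

The rule lines only describe what was denied, in both directions between `dnsmasq_t` and `NetworkManager_t`; they are not the policy change shipped in the fixed packages, which this page does not show.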

Comment 4 Fedora Update System 2016-05-26 05:02:07 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18

Comment 5 Fedora Update System 2016-05-26 05:03:05 UTC
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f

Comment 6 Fedora Update System 2016-05-28 18:34:00 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

