Description of problem:
Running F24 Beta, I'm currently getting the following error in the logs when attempting to connect to the Red Hat Brisbane VPN endpoint with SELinux in enforcing mode:

--------------------
May 18 11:09:15 thechalk NetworkManager[23516]: <warn> [1463533755.9106] dnsmasq[0x56259e79a6e0]: dnsmasq update failed: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.11" (uid=0 pid=23516 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.freedesktop.NetworkManager.dnsmasq" member="SetServersEx" error name="(unset)" requested_reply="0" destination=":1.46" (uid=0 pid=24389 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground")
--------------------

After that, name resolution from the system doesn't work.

While there was no SELinux troubleshooting alert for that particular error, there *was* an error on system startup for dhclient, complaining it didn't have permission to read /etc/machine-id.

If I run "setenforce 0" before connecting to the VPN, everything goes fine and name resolution continues to work (including after running "setenforce 1" after connecting to the VPN).

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-185.fc24.noarch
dhcp-client-4.3.4-1.fc24.x86_64
NetworkManager-1.2.2-1.fc24.x86_64
openvpn-2.3.11-1.fc24.x86_64

How reproducible:
Always now, but it wasn't doing it when I connected to the VPN yesterday (however, all of selinux-policy, openvpn and NetworkManager were updated yesterday)

Steps to Reproduce:
1. Connect to wireless (can do DNS lookups)
2. Connect to VPN
3.

Actual results:
Can no longer do DNS lookups

Expected results:
Can do DNS lookups for both public and internal DNS

Additional info:
This system was upgraded from F23, and I'd previously had to do a whole filesystem relabel after inadvertently installing the Rawhide (F25) SELinux policy.
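An added example (not part of the original report, and not NetworkManager or D-Bus code): a small Python parser that pulls the sender, destination, interface and member out of a D-Bus SELinux denial message like the one quoted in the report, so such denials can be found in the journal even when no SELinux troubleshooting alert appears. It assumes the message layout matches the quoted log line; the function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

MARKER = "An SELinux policy prevents this sender from sending this message"
# sender="..." (uid=N pid=N comm="...") and the same shape for destination.
PEER_RE = re.compile(
    r'(sender|destination)="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"\)')
FIELD_RE = re.compile(r'\b(type|interface|member)="([^"]*)"')


def parse_dbus_selinux_denial(line):
    # Return the denied D-Bus call described by `line`, or None if it is not one.
    if MARKER not in line:
        return None
    denial = dict(FIELD_RE.findall(line))
    for role, bus_name, uid, pid, comm in PEER_RE.findall(line):
        denial[role] = {"bus_name": bus_name, "uid": int(uid), "pid": int(pid),
                        "exe": (comm.split() or [""])[0]}
    return denial


def summarize(lines):
    # Count denials per (sender exe, destination exe, interface.member).
    counts = Counter()
    for d in filter(None, map(parse_dbus_selinux_denial, lines)):
        counts[(d.get("sender", {}).get("exe"),
                d.get("destination", {}).get("exe"),
                f'{d.get("interface")}.{d.get("member")}')] += 1
    return counts


# First entry: the journal line quoted in the report. Second: constructed.
SAMPLE_LINES = [
    'May 18 11:09:15 thechalk NetworkManager[23516]: <warn> [1463533755.9106] '
    'dnsmasq[0x56259e79a6e0]: dnsmasq update failed: '
    'GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy '
    'prevents this sender from sending this message to this recipient, '
    '0 matched rules; type="method_call", sender=":1.11" (uid=0 pid=23516 '
    'comm="/usr/sbin/NetworkManager --no-daemon ") '
    'interface="org.freedesktop.NetworkManager.dnsmasq" member="SetServersEx" '
    'error name="(unset)" requested_reply="0" destination=":1.46" (uid=0 '
    'pid=24389 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground")',
    'May 18 11:09:16 examplehost NetworkManager[1000]: <info> device state change',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, *key)
```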
SELinux labels on /etc/machine-id:

$ ls -lZ /etc/machine-id
-r--r--r--. 1 root root system_u:object_r:svirt_sandbox_file_t:s0 33 Apr 24 2015 /etc/machine-id

Running restorecon on that doesn't change the labels.
We already have fixes in the selinux-policy repo.
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.