Bug 1337002 - SELinux error when connecting to VPN
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-05-18 01:32 UTC by Nick Coghlan
Modified: 2016-05-28 18:34 UTC

Fixed In Version: selinux-policy-3.13.1-188.fc24 selinux-policy-3.13.1-189.fc24
Last Closed: 2016-05-28 18:34:29 UTC


Description Nick Coghlan 2016-05-18 01:32:47 UTC
Description of problem:

Running F24 Beta, I'm currently getting the following error in the logs when attempting to connect to the Red Hat Brisbane VPN endpoint with SELinux in enforcing mode:

--------------------
May 18 11:09:15 thechalk NetworkManager[23516]: <warn>  [1463533755.9106] dnsmasq[0x56259e79a6e0]: dnsmasq update failed: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.11" (uid=0 pid=23516 comm="/usr/sbin/NetworkManager --no-daemon ") interface="org.freedesktop.NetworkManager.dnsmasq" member="SetServersEx" error name="(unset)" requested_reply="0" destination=":1.46" (uid=0 pid=24389 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground")
--------------------

After that, name resolution from the system doesn't work. While there was no SELinux troubleshooting alert for that particular error, there *was* an error on system startup for dhclient, complaining it didn't have permission to read /etc/machine-id.

If I run "setenforce 0" before connecting to the VPN, everything goes fine and name resolution continues to work (including after running "setenforce 1" after connecting to the VPN). 

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-185.fc24.noarch
dhcp-client-4.3.4-1.fc24.x86_64
NetworkManager-1.2.2-1.fc24.x86_64
openvpn-2.3.11-1.fc24.x86_64

How reproducible:

Always now, but it wasn't doing it when I connected to the VPN yesterday (however, all of selinux-policy, openvpn and NetworkManager were updated yesterday)

Steps to Reproduce:
1. Connect to wireless (can do DNS lookups)
2. Connect to VPN
3.

Actual results:

Can no longer do DNS lookups

Expected results:

Can do DNS lookups for both public and internal DNS

Additional info:

This system was upgraded from F23, and I'd previously had to do a whole filesystem relabel after inadvertently installing the Rawhide (F25) SELinux policy.

SELinux labels on /etc/machine-id:

    $ ls -lZ /etc/machine-id
    -r--r--r--. 1 root root system_u:object_r:svirt_sandbox_file_t:s0 33 Apr 24  2015 /etc/machine-id

Running restorecon on that doesn't change the labels.
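
Added example, not part of the original report: a small Python parser that pulls the sender, destination and denied method call out of a D-Bus SELinux denial like the log line quoted in the description, which is useful when no SELinux troubleshooting alert accompanies the failure. The function names are hypothetical, and the parser assumes the message keeps the key="value" layout seen in that line.

```python
import re

# Text of the denial as it appears in the log line quoted in the report.
MARKER = "An SELinux policy prevents this sender from sending this message"
# key="value", optionally followed by a '(uid=.. pid=.. comm="..")' peer description.
# Assumption: the layout matches the line in the report.
FIELD = re.compile(
    r'(\w[\w ]*?)="([^"]*)"(?: \(uid=(\d+) pid=(\d+) comm="([^"]*)"\))?'
)

# The log line from the report, split across string literals for readability.
SAMPLE = (
    'May 18 11:09:15 thechalk NetworkManager[23516]: <warn>  [1463533755.9106] '
    'dnsmasq[0x56259e79a6e0]: dnsmasq update failed: '
    'GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy '
    'prevents this sender from sending this message to this recipient, '
    '0 matched rules; type="method_call", sender=":1.11" (uid=0 pid=23516 '
    'comm="/usr/sbin/NetworkManager --no-daemon ") '
    'interface="org.freedesktop.NetworkManager.dnsmasq" member="SetServersEx" '
    'error name="(unset)" requested_reply="0" destination=":1.46" (uid=0 '
    'pid=24389 comm="/usr/sbin/dnsmasq --no-resolv --keep-in-foreground")'
)


def parse_dbus_denial(line):
    """Return the denial's fields as a dict, or None if the line is not one."""
    if MARKER not in line:
        return None
    fields = {}
    for key, value, uid, pid, comm in FIELD.findall(line.split(MARKER, 1)[1]):
        key = key.strip().replace(" ", "_")   # "error name" -> "error_name"
        fields[key] = value
        if pid:  # sender and destination carry process details
            fields[key + "_uid"] = int(uid)
            fields[key + "_pid"] = int(pid)
            fields[key + "_exe"] = (comm.split() or [""])[0]
    return fields


def summarize(d):
    """One line per denial: which process was blocked from calling what."""
    return "{} (pid {}) -> {} (pid {}): {}.{}".format(
        d["sender_exe"], d["sender_pid"],
        d["destination_exe"], d["destination_pid"],
        d["interface"], d["member"])


if __name__ == "__main__":
    print(summarize(parse_dbus_denial(SAMPLE)))
```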

Comment 1 Lukas Vrabec 2016-05-18 09:16:55 UTC
We already have fixes in the selinux-policy repo.

Comment 2 Fedora Update System 2016-05-26 05:02:15 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18

Comment 3 Fedora Update System 2016-05-26 05:03:18 UTC
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f

Comment 4 Fedora Update System 2016-05-28 18:34:06 UTC
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

