Bug 1344505 - avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY
Summary: avc: denied { create } for pid=757 comm="NetworkManager" name="resolv.conf...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: beta
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1256920
Reported: 2016-06-09 19:59 UTC by PaulB
Modified: 2016-11-04 02:31 UTC (History)

Fixed In Version: selinux-policy-3.13.1-80.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:31:43 UTC
Target Upstream Version:
Embargoed:


Links:
System: Red Hat Product Errata
ID: RHBA-2016:2283
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description PaulB 2016-06-09 19:59:35 UTC
Description of problem:
 Running automated testing with RHEL-7.3-20160602.n.0 (kernel-aarch64)
the following avc is reported at install and during testing:
  avc:  denied  { create } for  pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY

Version-Release number of selected component (if applicable):
distro: RHEL-7.3-20160602.n.0
kernel: 4.5.0-0.39.el7
selinux-policy: 3.13.1-75.el7.noarch

How reproducible:
 consistently

Steps to Reproduce:
1. Install aarch64 host with RHEL-7.3-20160602.n.0
2.


Actual results:
https://beaker.engineering.redhat.com/recipes/2780381
https://beaker.engineering.redhat.com/recipes/2780381#task41834341
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/06/13634/1363473/2780381/41834341/206252995/avc.log
---<-snip->---
----
time->Wed Jun  8 15:30:11 2016
type=PROCTITLE msg=audit(1465414211.435:32): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414211.435:32): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df4d8d0 a2=c2 a3=1b6 items=0 ppid=1 pid=757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465414211.435:32): avc:  denied  { create } for  pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Jun  8 15:30:11 2016
type=PROCTITLE msg=audit(1465414211.446:33): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414211.446:33): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df5c3c0 a2=c2 a3=1b6 items=0 ppid=1 pid=757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465414211.446:33): avc:  denied  { create } for  pid=757 comm="NetworkManager" name="resolv.conf.4PWZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
---<-snip->---

Expected results:
 no avc errors

Additional info:

Comment 1 PaulB 2016-06-09 20:02:35 UTC
All,
Here is another example:
cavium-thunderx-01.ml3.eng.bos.redhat.com
https://beaker.engineering.redhat.com/recipes/2780382
https://beaker.engineering.redhat.com/recipes/2780382#task41834367
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2016/06/13634/1363473/2780382/41834367/206253768/avc.log
---<-snip->---
----
time->Wed Jun  8 15:39:26 2016
type=PROCTITLE msg=audit(1465414766.869:25): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414766.869:25): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab11b86860 a2=c2 a3=1b6 items=0 ppid=1 pid=1116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465414766.869:25): avc:  denied  { create } for  pid=1116 comm="NetworkManager" name="resolv.conf.FYOMIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Wed Jun  8 15:39:26 2016
type=PROCTITLE msg=audit(1465414766.902:26): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414766.902:26): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab11bfb940 a2=c2 a3=1b6 items=0 ppid=1 pid=1116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465414766.902:26): avc:  denied  { create } for  pid=1116 comm="NetworkManager" name="resolv.conf.N8DNIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
---<-snip->---

Best,
-pbunyan
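
Added example (not part of the original bug report or of any Red Hat tooling): a small Python triage script that joins the PROCTITLE, SYSCALL and AVC records of each audit event shown above, decodes the hex proctitle and the failed call's arguments, and collapses the per-file denials into one policy-level finding. It assumes that the six trailing characters of the file name are a random temp-file suffix and that a2/a3 are the openat() flags and mode (syscall 56 on aarch64); the sample records are abridged from the logs quoted in this report.

```python
import errno
import re
from collections import Counter

# Constructed sample: two events abridged from the avc.log excerpt in the report.
SAMPLE = """\
type=PROCTITLE msg=audit(1465414211.435:32): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414211.435:32): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df4d8d0 a2=c2 a3=1b6 pid=757 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
type=AVC msg=audit(1465414211.435:32): avc:  denied  { create } for  pid=757 comm="NetworkManager" name="resolv.conf.WY7ZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1465414211.446:33): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465414211.446:33): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaab0df5c3c0 a2=c2 a3=1b6 pid=757 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
type=AVC msg=audit(1465414211.446:33): avc:  denied  { create } for  pid=757 comm="NetworkManager" name="resolv.conf.4PWZIY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

REC = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
TMP_SUFFIX = re.compile(r"\.[A-Za-z0-9]{6}$")  # assumption: random temp suffix
OPEN_FLAGS = {0x2: "O_RDWR", 0x40: "O_CREAT", 0x80: "O_EXCL"}  # Linux open(2) bits

def parse_events(log):
    """Merge records that share one audit event id (timestamp:serial)."""
    events = {}
    for m in filter(None, map(REC.match, log.splitlines())):
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        fields["perms"] = tuple(" ".join(re.findall(r"\{([^}]*)\}", body)).split())
        events.setdefault(event_id, {})[rtype] = fields
    return events

def syscall_context(event):
    """Decode PROCTITLE argv and the failed call's arguments for one event."""
    sc = event["SYSCALL"]  # a2/a3 are flags/mode for openat (syscall 56 on aarch64)
    return {"argv": bytes.fromhex(event["PROCTITLE"]["proctitle"]).decode().split("\0"),
            "errno": errno.errorcode[-int(sc["exit"])],
            "flags": [n for bit, n in OPEN_FLAGS.items() if int(sc["a2"], 16) & bit],
            "mode": oct(int(sc["a3"], 16))}

def summarize(log):
    """Count denials per (source type, target type, class, perms, name)."""
    counts = Counter()
    for ev in parse_events(log).values():
        avc = ev.get("AVC")
        if avc:
            src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
            name = TMP_SUFFIX.sub(".XXXXXX", avc.get("name", ""))
            counts[(src, tgt, avc["tclass"], avc["perms"], name)] += 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Both sample events reduce to a single key, NetworkManager_t denied create on an etc_t file named resolv.conf.XXXXXX, which is the granularity at which the policy fix is evaluated.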

Comment 7 PaulB 2016-06-13 15:05:39 UTC
Lukas,
There is no selinux-policy-3.13.1-79.el7 available at this time:
 http://download.eng.bos.redhat.com/brewroot/packages/selinux-policy/3.13.1/

selinux-policy-3.13.1-78.el7 is available.
Do you have the correct version in "Fixed In Version"?

Best,
-pbunyan

Comment 8 PaulB 2016-06-14 18:03:28 UTC
All,
This issue persists with selinux-policy-3.13.1-79.el7:
https://beaker.engineering.redhat.com/recipes/2793747
https://beaker.engineering.redhat.com/recipes/2793747#task42009289
http://lab-02.rhts.eng.rdu.redhat.com/beaker/logs/results/207131+/207131542/avc.log
---<-snip->---
selinux-policy-3.13.1-79.el7.noarch
----
time->Tue Jun 14 16:41:00 2016
type=PROCTITLE msg=audit(1465936860.736:29): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465936860.736:29): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=2ab159eb770 a2=c2 a3=1b6 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465936860.736:29): avc:  denied  { create } for  pid=705 comm="NetworkManager" name="resolv.conf.0SHHJY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
----
time->Tue Jun 14 16:41:00 2016
type=PROCTITLE msg=audit(1465936860.772:30): proctitle=2F7573722F7362696E2F4E6574776F726B4D616E61676572002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1465936860.772:30): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=2ab1598bf10 a2=c2 a3=1b6 items=0 ppid=1 pid=705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1465936860.772:30): avc:  denied  { create } for  pid=705 comm="NetworkManager" name="resolv.conf.O75HJY" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
---<-snip->---

Best,
-pbunyan

Comment 9 Lukas Vrabec 2016-06-14 21:42:31 UTC
Yes, you are right, it will be fixed in -80.el7 selinux-policy package version.

Comment 12 PaulB 2016-06-16 16:52:33 UTC
All,
Retesting with selinux-policy-3.13.1-80.el7, issue is resolved:
distro: RHEL-7.3-20160613.n.0 Server aarch64
selinux-policy: 3.13.1-80.el7
kernel: 4.5.0-0.40.el7 
 https://beaker.engineering.redhat.com/recipes/2800663 - no selinux issue

best,
-pbunyan

Comment 14 errata-xmlrpc 2016-11-04 02:31:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

