Description of problem:
When connecting to a VPN that is pushing custom DNS servers the nm-dispatcher is unable to invoke the dnssec-trigger so DNS servers are pushed to unbound.

Version-Release number of selected component (if applicable):
dnssec-trigger-0.13-0.4.20150714svn.fc24.x86_64

How reproducible:
Connect to an OpenVPN that pushes custom DNS servers

Actual results:
OpenVPN is connected but not resolving through DNS from the VPN.

Expected results:
DNS servers of the VPN are used after connecting to the VPN

Additional info:
It is blocked by SELinux as the logs suggest:

Jun 25 14:18:11 foo NetworkManager[29471]: <info> [1466857091.9797] device (tun0): Activation: successful, device activated.
Jun 25 14:18:11 foo nm-dispatcher[23628]: req:4 'up' [tun0]: new request (9 scripts)
Jun 25 14:18:12 foo audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jun 25 14:18:12 foo nm-dispatcher[23628]: NetworkManager is not running.
Jun 25 14:18:12 foo nm-dispatcher[23628]: req:2 'vpn-up' [tun0], "/etc/NetworkManager/dispatcher.d/01-dnssec-trigger": complete: failed with Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.

Connecting with SELinux in permissive mode works as expected.
Obviously the dnssec-trigger script must be able to communicate with NM. And since the NM Python bindings use DBus, this must be allowed as well. Moving to SELinux-policy.
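For triage, the USER_AVC record in the report can be reduced to the source type, target type, class and permission that were denied, which is the minimum a policy change would have to grant. The following Python sketch is an added example, not part of the original report and not the change shipped in selinux-policy; the function names are hypothetical and the sample input is constructed from the log lines quoted above.

```python
import re

# Constructed sample: two lines copied from the log quoted in the report.
SAMPLE_LOG = """\
Jun 25 14:18:11 foo nm-dispatcher[23628]: req:4 'up' [tun0]: new request (9 scripts)
Jun 25 14:18:12 foo audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level[...]; the type is the third field.
    return context.split(":")[2]

def parse_denials(log_text):
    """Return one dict per 'avc: denied' record found in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record, nothing reliable to report
        denials.append({
            "perms": m.group("perms").split(),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "interface": fields.get("interface"),  # D-Bus detail, may be absent
            "member": fields.get("member"),
        })
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_denials(SAMPLE_LOG))))
```

The output is a candidate rule to review against what the domain legitimately needs, here a single D-Bus send_msg from dnssec_trigger_t to NetworkManager_t.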
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0da627fe73
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Some first testing showed it works again. Thanks!