Bug 1350100 - network manager dispatcher cannot update dns resolver due to selinux restrictions
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-06-25 13:07 UTC by Peter Meier
Modified: 2016-07-18 20:56 UTC

Fixed In Version: selinux-policy-3.13.1-191.5.fc24
Last Closed: 2016-07-18 18:23:08 UTC
Type: Bug
Description Peter Meier 2016-06-25 13:07:21 UTC
Description of problem:

When connecting to a VPN that is pushing custom DNS servers, the nm-dispatcher is unable to invoke the dnssec-trigger so DNS servers are pushed to unbound.

Version-Release number of selected component (if applicable):

dnssec-trigger-0.13-0.4.20150714svn.fc24.x86_64

How reproducible:

Connect to an openvpn that pushes custom DNS servers

Actual results:

openvpn is connected but not resolving through DNS from VPN.

Expected results:

DNS servers of VPN are used after connecting to VPN

Additional info:

It is blocked by SELinux as the logs suggest:

Jun 25 14:18:11 foo NetworkManager[29471]: <info>  [1466857091.9797] device (tun0): Activation: successful, device activated.
Jun 25 14:18:11 foo nm-dispatcher[23628]: req:4 'up' [tun0]: new request (9 scripts)
Jun 25 14:18:12 foo audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus
                                                  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Jun 25 14:18:12 foo nm-dispatcher[23628]: NetworkManager is not running.
Jun 25 14:18:12 foo nm-dispatcher[23628]: req:2 'vpn-up' [tun0], "/etc/NetworkManager/dispatcher.d/01-dnssec-trigger": complete: failed with Script '/etc/NetworkManager/dispatcher.d/01-dnssec-trigger' exited with error status 1.

Connecting with SELinux in permissive mode works as expected.

Comment 1 Tomáš Hozza 2016-06-27 15:32:38 UTC
Obviously the dnssec-trigger script must be able to communicate with NM. And since the NM Python bindings use DBus, this must be allowed as well. Moving to SELinux-policy.
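
Added example (not part of the bug report, and not the change shipped in selinux-policy-3.13.1-191.5.fc24, which this page does not show): the Python below parses the USER_AVC denial quoted in the description and derives the type-enforcement rule it corresponds to, the same translation audit2allow performs. The function names `parse_denial` and `te_rule` are hypothetical.

```python
import re

# The USER_AVC record quoted in the report, joined onto one line
# (syslog timestamp and host prefix dropped).
SAMPLE = (
    "audit[29216]: USER_AVC pid=29216 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus.Properties member=GetAll "
    "dest=org.freedesktop.NetworkManager spid=23642 tpid=29471 "
    "scontext=system_u:system_r:dnssec_trigger_t:s0 "
    "tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_denial(line):
    """Return the fields of one AVC/USER_AVC denial, or None if the line is not one."""
    m = DENIAL.search(line)
    if m is None:
        return None
    pairs = re.findall(r"(\w+)=(\"[^\"]*\"|\S+)", m.group("rest"))
    fields = {k: v.strip("'\"") for k, v in pairs}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # A context is user:role:type:level; the level can itself contain
    # colons (s0-s0:c0.c1023), so split at most three times.
    return {
        "source_type": fields["scontext"].split(":", 3)[2],
        "target_type": fields["tcontext"].split(":", 3)[2],
        "tclass": fields["tclass"],
        "perms": m.group("perms").split(),
        "dbus_call": "{}.{}".format(fields.get("interface", "?"), fields.get("member", "?")),
    }


def te_rule(d):
    """Format the denial as the allow rule that would permit exactly this access."""
    perms = d["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(d["source_type"], d["target_type"], d["tclass"], perm_str)


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(denial)
    print(te_rule(denial))
```

Reading the denial this way shows which domain pair and permission the policy lacked, which is the information needed to review a proposed rule before loading it rather than switching the host to permissive mode.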

Comment 2 Fedora Update System 2016-07-12 03:58:01 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0da627fe73

Comment 3 Fedora Update System 2016-07-18 18:22:49 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Peter Meier 2016-07-18 20:56:47 UTC
Some first testing showed it works again. Thanks!
