Description of problem: I am using ShrewSoft VPN Client on Fedora 24 and whenever I connect to my remote site I get this SELinux alert. It appears that the changes to the nameservers are made to the /etc/resolv.conf file but it seems that NetworkManager is trying an unlink on the file and I'm not sure why. The connection works as expected, so there isn't a problem, but I'm just confused by the alert. I'm not sure why NetworkManager needs unlink access or even if it should have that access. SELinux is preventing NetworkManager from 'unlink' accesses on the file /etc/resolv.conf. ***** Plugin restorecon (94.8 confidence) suggests ************************ If you want to fix the label. /etc/resolv.conf default label should be net_conf_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/resolv.conf ***** Plugin catchall_labels (5.21 confidence) suggests ******************* If you want to allow NetworkManager to have unlink access on the resolv.conf file Then you need to change the label on /etc/resolv.conf Do # semanage fcontext -a -t FILE_TYPE '/etc/resolv.conf' where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, dhcpc_state_t, dhcpc_var_run_t, dnsmasq_var_run_t, hostname_etc_t, named_cache_t, net_conf_t, pppd_var_run_t, systemd_passwd_var_run_t. Then execute: restorecon -v '/etc/resolv.conf' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that NetworkManager should be allowed unlink access on the resolv.conf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager # semodule -X 300 -i my-NetworkManager.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/resolv.conf [ file ] Source NetworkManager Source Path NetworkManager Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.13.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.6.7-300.fc24.x86_64 #1 SMP Wed Aug 17 18:48:43 UTC 2016 x86_64 x86_64 Alert Count 12 First Seen 2016-08-16 15:44:29 EDT Last Seen 2016-08-27 12:56:33 EDT Local ID fa271e6a-1973-48a0-b404-d694219ce7e0 Raw Audit Messages type=AVC msg=audit(1472316993.835:274): avc: denied { unlink } for pid=1040 comm="NetworkManager" name="resolv.conf" dev="sda7" ino=130836 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 Hash: NetworkManager,NetworkManager_t,etc_t,file,unlink Version-Release number of selected component: selinux-policy-3.13.1-191.13.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.7-300.fc24.x86_64 type: libreport Potential duplicate: bug 876757
Network Manager manages the /etc/resolv.conf file, so it renames content over the file. The weird thing is that ShrewSoft VPN Client on Fedora 24 is mislabeling the file when it creates it. Most likely it is creating a temporary file in /etc and then renaming it over /etc/resolv.conf. If you could figure out the file name that the tool is creating, then we might be able to setup a file trans fule for this creation. Or if you could modify the code to run a restorecon after it creates the file, or you could try to use restorecond to watch for new file creations and then fix the label.
Dan is right. Could you provide info?
Thanks for the follow up. I looked into it and this is what is happening. When I am not connected using ShrewSoft the /etc/resolv.conf file is a symlink that points to /var/run/NetworkManager/resolv.conf, which has the proper type of net_conf_t. Whenever I connect with Shrewsoft, it removes the symlink and adds it's own version of /etc/resolv.conf with has a type of etc_t. I am not sure what happens at this point, but it appears NetworkManager tries to remove the file so it can recreate the symlink or something? Like I said before, it still works fine besides the alert that comes up.
Melvin, Could you connect using ShrewSoft and then attach output of: # ps -efZ | grep ShrewSoft Thanks.
[melvin@MyComputer ~]$ ps -efZ | grep ike system_u:system_r:unconfined_service_t:s0 root 19988 1 0 08:37 ? 00:00:00 /usr/sbin/iked -f /etc/iked.conf unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 melvin 21044 1 0 10:21 pts/1 00:00:00 /usr/bin/qikea unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 melvin 21048 21044 1 10:21 pts/1 00:00:00 qikec -r MySite iked is the daemon that runs in the background, qikea is the GUI which holds all of the connections and qikec runs whenever you actually create a connection and put in your username/password.
https://github.com/fedora-selinux/selinux-policy/pull/152 Might fix the problem.
selinux-policy-3.13.1-191.20.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-7ce27629b3
selinux-policy-3.13.1-191.20.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.