Bug 1391738 - NetworkManager related selinux 'denied' messages are logged for dhclient
Summary: NetworkManager related selinux 'denied' messages are logged for dhclient
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: sushil kulkarni
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-03 21:56 UTC by Bob Fournier
Modified: 2016-11-04 01:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 01:18:22 UTC
Target Upstream Version:


Attachments
audit log from controller (245.43 KB, text/plain)
2016-11-03 21:56 UTC, Bob Fournier

Description Bob Fournier 2016-11-03 21:56:15 UTC
Created attachment 1217159
audit log from controller

Description of problem:

In Openstack OSP-10 controller nodes the following audit log messages are seen:

audit/audit.log:type=AVC msg=audit(1478094040.740:27): avc:  denied  { read } for  pid=1145 comm="NetworkManager" name="dhclient-enp3s0f1.pid" dev="tmpfs" ino=346 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
audit/audit.log:type=AVC msg=audit(1478094040.748:28): avc:  denied  { read } for  pid=1145 comm="NetworkManager" name="dhclient-enp3s0f0.pid" dev="tmpfs" ino=18727 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
audit/audit.log:type=AVC msg=audit(1478094083.924:102): avc:  denied  { unlink } for  pid=1145 comm="NetworkManager" name="dhclient-enp3s0f1.pid" dev="tmpfs" ino=346 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
audit/audit.log:type=AVC msg=audit(1478094084.081:103): avc:  denied  { unlink } for  pid=1145 comm="NetworkManager" name="dhclient-enp3s0f0.pid" dev="tmpfs" ino=18727 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

This is for the dhclients started by NetworkManager:
messages:Nov  2 09:40:40 host-172-16-1-24 NetworkManager[1145]: <info>  [1478094040.7435] dhcp4 (enp3s0f1): dhclient started with pid 1174
messages:Nov  2 09:40:40 host-172-16-1-24 NetworkManager[1145]: <info>  [1478094040.7501] dhcp4 (enp3s0f0): dhclient started with pid 1178

Not sure if the way that dhclient is created is causing it to not be recognized by selinux.

Version-Release number of selected component (if applicable):
version 1.4.0-12.el7

NetworkManager[1145]: <info>  [1478094040.6056] NetworkManager (version 1.4.0-12.el7) is starting

How reproducible:

Appears to happen every time.

Steps to Reproduce:
1. Deploy an Openstack overcloud controller node.

Actual results:

Selinux 'denied' messages in audit log.

audit/audit.log:type=AVC msg=audit(1478094040.740:27): avc:  denied  { read } for  pid=1145 comm="NetworkManager" name="dhclient-enp3s0f1.pid" dev="tmpfs" ino=346 scontext=system_u:system_r:NetworkManager_t:s0 
Expected results:

No Selinux 'denied' log messages.

Additional info:

Audit log is attached.
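
The AVC lines above carry everything needed to triage the report without reading the full attachment: the source type, the target type, the object class and the denied permission. The following script is an added example (not part of the bug report, and not NetworkManager or RHEL code) that parses audit records of this shape, aggregates denials the way `audit2allow -w` would group them, and flags targets that carry a generic label such as `var_run_t` in `/run`, which usually means the file was created by a process whose policy gave it no specific type and is worth checking with `restorecon -n -v`. The sample lines are constructed copies of the four records in the report plus one non-AVC record to show it is skipped.

```python
import re
from collections import Counter

# Constructed sample input: the four AVC records quoted in the bug report (with the
# "audit/audit.log:" grep prefix removed) plus one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1478094040.740:27): avc:  denied  { read } for  pid=1145 comm="NetworkManager" '
    'name="dhclient-enp3s0f1.pid" dev="tmpfs" ino=346 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1478094040.748:28): avc:  denied  { read } for  pid=1145 comm="NetworkManager" '
    'name="dhclient-enp3s0f0.pid" dev="tmpfs" ino=18727 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1478094083.924:102): avc:  denied  { unlink } for  pid=1145 comm="NetworkManager" '
    'name="dhclient-enp3s0f1.pid" dev="tmpfs" ino=346 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1478094084.081:103): avc:  denied  { unlink } for  pid=1145 comm="NetworkManager" '
    'name="dhclient-enp3s0f0.pid" dev="tmpfs" ino=18727 scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    # constructed non-AVC record: parse_avc() returns None for it
    'type=SYSCALL msg=audit(1478094040.740:27): arch=c000003e syscall=2 success=no exit=-13',
]

# Header of an AVC record: timestamp, serial, result and the { perm perm ... } set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs that follow "for"; values may be double-quoted (comm, name, dev).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels that mean "no specific type was assigned" for this location; treat as an assumption,
# the authoritative answer comes from the file_contexts on the host (restorecon -n -v <path>).
GENERIC_TYPES = {'var_run_t', 'var_t', 'var_lib_t', 'tmp_t'}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules are written against.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Count denials by (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def generic_label_targets(lines):
    """Sorted, de-duplicated names of denied targets whose label is a generic type."""
    names = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['ttype'] in GENERIC_TYPES:
            names.add(rec.get('name', '<unnamed>'))
    return sorted(names)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT_LINES).items()):
        comm, stype, ttype, tclass, perm = key
        print(f'{n:3d}  {comm} ({stype}) -> {ttype} {tclass}: {perm}')
    print('targets with a generic label:', generic_label_targets(SAMPLE_AUDIT_LINES))
```

Run against the report's records it yields two `read` and two `unlink` denials from `NetworkManager_t` to `var_run_t` files, and lists both `dhclient-*.pid` files as generically labelled targets. That matches the reporter's own reading: the pid files were created by something other than the NetworkManager-launched dhclient, so they do not carry the label NetworkManager's policy is allowed to touch. On a live host the same `ino` values can be compared with `stat` output for the pid files to confirm which process created them.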

Comment 1 Bob Fournier 2016-11-04 01:18:22 UTC
I don't think this is a NetworkManager problem.  It appears the selinux messages regarding the pid files are occurring because another instance of dhclient is run prior to NetworkManager starting the dhclient instances.  The pid files therefore cannot be accessed by NetworkManager.

We may need to disable dhclients from being started by NetworkManager but it does not appear to be a bug.

