1462976 – SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install from Atomic Host installer image

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1462976 - SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install from Atomic Host installer image

Summary: SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ostree
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Colin Walters
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:	1461978
Blocks:
TreeView+	depends on / blocked

Reported:	2017-06-19 19:22 UTC by Micah Abbott
Modified:	2017-08-02 00:18 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1461978
Environment:
Last Closed:	2017-08-02 00:18:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2356	0	normal	SHIPPED_LIVE	ostree bug fix and enhancement update	2017-08-08 22:53:05 UTC

Description Micah Abbott 2017-06-19 19:22:11 UTC

This appears to affect RHELAH 7.4 as well.

Similar behavior seen when booting cloud image corresponding to RHELAH 7.4 ostree commit 0b62181fb3.


# journalctl -b | grep -E '(avc|denied)' -m 10
Jun 19 19:10:44 localhost.localdomain kernel: type=1400 audit(1497899444.614:4): avc:  denied  { unlink } for  pid=600 comm="systemd-hwdb" name="hwdb.bin" dev="dm-0" ino=5082899 scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.893:5): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="00-netreport" dev="dm-0" ino=5081637 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.906:6): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="04-iscsi" dev="dm-0" ino=5081638 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.917:7): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="11-dhclient" dev="dm-0" ino=5081639 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.940:8): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="20-chrony" dev="dm-0" ino=5081640 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.952:9): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="cloud-init-azure-hook" dev="dm-0" ino=5081641 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:47 localhost.localdomain kernel: type=1400 audit(1497899447.126:10): avc:  denied  { execute } for  pid=774 comm="nm-dispatcher" name="00-netreport" dev="dm-0" ino=5081637 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/00-netreport": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/00-netreport" (Permission denied)
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/04-iscsi" (Permission denied)
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/11-dhclient": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/11-dhclient" (Permission denied)



+++ This bug was initially created as a clone of Bug #1461978 +++

The openQA default-install-and-boot test for the Atomic Host installer image is showing several instances of one SELinux denial immediately after boot:

type=AVC msg=audit(1497548408.952:169): avc: denied { execute } for pid=998 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0

with each occurrence the pid of the nm-dispatcher process changes, so it seems like perhaps this denial causes the operation (whatever exactly nm-dispatcher is doing, I'm not sure) to fail and then it is immediately retried, hits the denial, and fails again. This doesn't seem to prevent networking from working.

This seems to have started happening between Fedora-26-20170605.n.0 (which would have been effectively identical to Beta) and Fedora-26-20170611.n.1 (which was the first successful post-Beta-freeze compose, with all the packages queued for stable during the Beta freeze included).

--- Additional comment from Dusty Mabe on 2017-06-15 15:40 EDT ---



--- Additional comment from Dusty Mabe on 2017-06-15 15:50:38 EDT ---

The denials in that attachment are from an atomic host vagrant box (i.e. not just the installer, but the installed system).

--- Additional comment from Dusty Mabe on 2017-06-15 16:11:25 EDT ---

[root@vanilla-f26atomic ~]# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/26/x86_64/atomic-host
             Version: 26.59 (2017-06-12 02:00:29)
              Commit: 95283eba36118de8b065ca29c079760cc82394e0128aadf8f32bb867454b64fb
[root@vanilla-f26atomic ~]# 
[root@vanilla-f26atomic ~]# 
[root@vanilla-f26atomic ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-254.fc26.noarch
[root@vanilla-f26atomic ~]# rpm -q kernel
kernel-4.11.0-2.fc26.x86_64
[root@vanilla-f26atomic ~]# rpm -q NetworkManager
NetworkManager-1.8.0-4.fc26.x86_64

--- Additional comment from Dusty Mabe on 2017-06-15 16:14:10 EDT ---

also seeing on a host with newer versions:

```
[root@f26-updates-testing ~]# rpm -q selinux-policy NetworkManager kernel
selinux-policy-3.13.1-257.fc26.noarch
NetworkManager-1.8.0-5.fc26.x86_64
kernel-4.11.4-300.fc26.x86_64
```

--- Additional comment from Daniel Walsh on 2017-06-15 17:40:23 EDT ---

Looks like 10-ifcfg-rh-routes.sh has the wrong type on it, it is labeled as a netoworkmanager config file instead of an executable.

--- Additional comment from Daniel Walsh on 2017-06-16 05:52:48 EDT ---

What is the path to 10-ifcfg-rh-routes.sh

matchpathcon /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
/etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh	system_u:object_r:NetworkManager_initrc_exec_t:s0

restorecon -R -v /etc/NetworkManager

Should fix the label.

--- Additional comment from Dusty Mabe on 2017-06-16 09:18:09 EDT ---





```
[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/*
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  175 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/00-netreport
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  100 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/04-iscsi
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  933 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/11-dhclient
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  436 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/20-chrony
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  719 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/hook-network-manager

/etc/NetworkManager/dispatcher.d/no-wait.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 24 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../10-ifcfg-rh-routes.sh

/etc/NetworkManager/dispatcher.d/pre-down.d:
total 0

/etc/NetworkManager/dispatcher.d/pre-up.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 34 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../no-wait.d/10-ifcfg-rh-routes.sh

[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh 
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
```

--- Additional comment from Daniel Walsh on 2017-06-16 09:22:29 EDT ---

Did restorecon fix the labels?

--- Additional comment from Dusty Mabe on 2017-06-16 09:28:22 EDT ---



```
[root@vanilla-f26atomic ~]# restorecon -R -v /etc/NetworkManager 
Relabeled /etc/NetworkManager/dispatcher.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/00-netreport from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/04-iscsi from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/11-dhclient from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/20-chrony from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/hook-network-manager from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-down.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
```

--- Additional comment from Colin Walters on 2017-06-16 09:39:37 EDT ---

This might be a regression from https://github.com/ostreedev/ostree/pull/797

`restorecon -nvR /etc/`

shows a lot of diffs.

--- Additional comment from Colin Walters on 2017-06-16 09:48:01 EDT ---

This reproduces in F25AH too, starting from:

```
  fedora-atomic:fedora-atomic/25/x86_64/docker-host
             Version: 25.137 (2017-06-04 23:31:40)
              Commit: 0ed61d7441eddf96e6a98de4f10f4675268c7888b6d2b8a405b8c21fe6c92d23
```

Then

```
$ rpm-ostree deploy 25.136
$ systemctl reboot
...
$ restorecon -nvR /etc
```

--- Additional comment from Dusty Mabe on 2017-06-16 09:51:45 EDT ---

is there a specific test we can add for this to the atomic-host-tests suite?

--- Additional comment from Colin Walters on 2017-06-16 11:03:58 EDT ---

https://github.com/ostreedev/ostree/pull/936

There's an installed test case there - which gets back to https://github.com/projectatomic/atomic-host-tests/issues/74

--- Additional comment from Fedora Update System on 2017-06-19 14:21:27 EDT ---

ostree-2017.7-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7

Comment 3 Micah Abbott 2017-06-30 18:05:03 UTC

This is VERIFIED fixed in ostree-2017.7-1.el7.x86_64

# rpm-ostree status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-06-27 16:55:35)
                 Commit: 13b30690b7573d0749bf15d0e60394a5ee939a70f5272f4982fa29209042e7ad

# rpm -q ostree
ostree-2017.7-1.el7.x86_64

# journalctl -b | grep -E '(avc|denied)' -m 10
Jun 30 18:02:59 localhost.localdomain kernel: type=1400 audit(1498845779.769:4): avc:  granted  { setsecparam } for  pid=760 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security

Comment 5 errata-xmlrpc 2017-08-02 00:18:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2356

Note You need to log in before you can comment on or make changes to this bug.