Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1462976

Summary: SELinux denies 'execute' for /usr/libexec/nm-dispatcher on boot after install from Atomic Host installer image
Product: Red Hat Enterprise Linux 7 Reporter: Micah Abbott <miabbott>
Component: ostreeAssignee: Colin Walters <walters>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: dominick.grift, dustymabe, dwalsh, extras-qa, jlebon, lvrabec, mgrepl, miabbott, plautrba, pmoore, ssekidde, walters
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1461978 Environment:
Last Closed: 2017-08-02 00:18:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1461978    
Bug Blocks:    

Description Micah Abbott 2017-06-19 19:22:11 UTC 
This appears to affect RHELAH 7.4 as well.

Similar behavior seen when booting cloud image corresponding to RHELAH 7.4 ostree commit 0b62181fb3.


# journalctl -b | grep -E '(avc|denied)' -m 10
Jun 19 19:10:44 localhost.localdomain kernel: type=1400 audit(1497899444.614:4): avc:  denied  { unlink } for  pid=600 comm="systemd-hwdb" name="hwdb.bin" dev="dm-0" ino=5082899 scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.893:5): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="00-netreport" dev="dm-0" ino=5081637 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.906:6): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="04-iscsi" dev="dm-0" ino=5081638 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.917:7): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="11-dhclient" dev="dm-0" ino=5081639 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.940:8): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="20-chrony" dev="dm-0" ino=5081640 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:46 localhost.localdomain kernel: type=1400 audit(1497899446.952:9): avc:  denied  { execute } for  pid=737 comm="NetworkManager" name="cloud-init-azure-hook" dev="dm-0" ino=5081641 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:47 localhost.localdomain kernel: type=1400 audit(1497899447.126:10): avc:  denied  { execute } for  pid=774 comm="nm-dispatcher" name="00-netreport" dev="dm-0" ino=5081637 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/00-netreport": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/00-netreport" (Permission denied)
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/04-iscsi" (Permission denied)
Jun 19 19:10:47 localhost.localdomain nm-dispatcher[769]: req:1 'hostname', "/etc/NetworkManager/dispatcher.d/11-dhclient": complete: failed to execute script: Failed to execute child process "/etc/NetworkManager/dispatcher.d/11-dhclient" (Permission denied)



+++ This bug was initially created as a clone of Bug #1461978 +++

The openQA default-install-and-boot test for the Atomic Host installer image is showing several instances of one SELinux denial immediately after boot:

type=AVC msg=audit(1497548408.952:169): avc: denied { execute } for pid=998 comm="nm-dispatcher" name="10-ifcfg-rh-routes.sh" dev="dm-0" ino=28911 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=file permissive=0

with each occurrence the pid of the nm-dispatcher process changes, so it seems like perhaps this denial causes the operation (whatever exactly nm-dispatcher is doing, I'm not sure) to fail and then it is immediately retried, hits the denial, and fails again. This doesn't seem to prevent networking from working.

This seems to have started happening between Fedora-26-20170605.n.0 (which would have been effectively identical to Beta) and Fedora-26-20170611.n.1 (which was the first successful post-Beta-freeze compose, with all the packages queued for stable during the Beta freeze included).

--- Additional comment from Dusty Mabe on 2017-06-15 15:40 EDT ---



--- Additional comment from Dusty Mabe on 2017-06-15 15:50:38 EDT ---

The denials in that attachment are from an atomic host vagrant box (i.e. not just the installer, but the installed system).

--- Additional comment from Dusty Mabe on 2017-06-15 16:11:25 EDT ---

[root@vanilla-f26atomic ~]# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/26/x86_64/atomic-host
             Version: 26.59 (2017-06-12 02:00:29)
              Commit: 95283eba36118de8b065ca29c079760cc82394e0128aadf8f32bb867454b64fb
[root@vanilla-f26atomic ~]# 
[root@vanilla-f26atomic ~]# 
[root@vanilla-f26atomic ~]# rpm -q selinux-policy 
selinux-policy-3.13.1-254.fc26.noarch
[root@vanilla-f26atomic ~]# rpm -q kernel
kernel-4.11.0-2.fc26.x86_64
[root@vanilla-f26atomic ~]# rpm -q NetworkManager
NetworkManager-1.8.0-4.fc26.x86_64

--- Additional comment from Dusty Mabe on 2017-06-15 16:14:10 EDT ---

also seeing on a host with newer versions:

```
[root@f26-updates-testing ~]# rpm -q selinux-policy NetworkManager kernel
selinux-policy-3.13.1-257.fc26.noarch
NetworkManager-1.8.0-5.fc26.x86_64
kernel-4.11.4-300.fc26.x86_64
```

--- Additional comment from Daniel Walsh on 2017-06-15 17:40:23 EDT ---

Looks like 10-ifcfg-rh-routes.sh has the wrong type on it, it is labeled as a netoworkmanager config file instead of an executable.

--- Additional comment from Daniel Walsh on 2017-06-16 05:52:48 EDT ---

What is the path to 10-ifcfg-rh-routes.sh

matchpathcon /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
/etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh	system_u:object_r:NetworkManager_initrc_exec_t:s0

restorecon -R -v /etc/NetworkManager

Should fix the label.

--- Additional comment from Dusty Mabe on 2017-06-16 09:18:09 EDT ---





```
[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/*
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  175 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/00-netreport
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  100 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/04-iscsi
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  933 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/11-dhclient
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  436 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/20-chrony
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0  719 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/hook-network-manager

/etc/NetworkManager/dispatcher.d/no-wait.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 24 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../10-ifcfg-rh-routes.sh

/etc/NetworkManager/dispatcher.d/pre-down.d:
total 0

/etc/NetworkManager/dispatcher.d/pre-up.d:
total 0
lrwxrwxrwx. 1 root root system_u:object_r:NetworkManager_etc_t:s0 34 Jun 12 02:37 10-ifcfg-rh-routes.sh -> ../no-wait.d/10-ifcfg-rh-routes.sh

[root@vanilla-f26atomic ~]# ls -lZ /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh 
-rwxr-xr-x. 1 root root system_u:object_r:NetworkManager_etc_t:s0 1056 Jun 12 02:37 /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh
```

--- Additional comment from Daniel Walsh on 2017-06-16 09:22:29 EDT ---

Did restorecon fix the labels?

--- Additional comment from Dusty Mabe on 2017-06-16 09:28:22 EDT ---



```
[root@vanilla-f26atomic ~]# restorecon -R -v /etc/NetworkManager 
Relabeled /etc/NetworkManager/dispatcher.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/00-netreport from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/04-iscsi from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/11-dhclient from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/20-chrony from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/hook-network-manager from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/no-wait.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-down.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/dispatcher.d/pre-up.d/10-ifcfg-rh-routes.sh from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_initrc_exec_t:s0
Relabeled /etc/NetworkManager/system-connections from system_u:object_r:NetworkManager_etc_t:s0 to system_u:object_r:NetworkManager_etc_rw_t:s0
```

--- Additional comment from Colin Walters on 2017-06-16 09:39:37 EDT ---

This might be a regression from https://github.com/ostreedev/ostree/pull/797

`restorecon -nvR /etc/`

shows a lot of diffs.

--- Additional comment from Colin Walters on 2017-06-16 09:48:01 EDT ---

This reproduces in F25AH too, starting from:

```
  fedora-atomic:fedora-atomic/25/x86_64/docker-host
             Version: 25.137 (2017-06-04 23:31:40)
              Commit: 0ed61d7441eddf96e6a98de4f10f4675268c7888b6d2b8a405b8c21fe6c92d23
```

Then

```
$ rpm-ostree deploy 25.136
$ systemctl reboot
...
$ restorecon -nvR /etc
```

--- Additional comment from Dusty Mabe on 2017-06-16 09:51:45 EDT ---

is there a specific test we can add for this to the atomic-host-tests suite?

--- Additional comment from Colin Walters on 2017-06-16 11:03:58 EDT ---

https://github.com/ostreedev/ostree/pull/936

There's an installed test case there - which gets back to https://github.com/projectatomic/atomic-host-tests/issues/74

--- Additional comment from Fedora Update System on 2017-06-19 14:21:27 EDT ---

ostree-2017.7-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b464a11e7
Comment 3 Micah Abbott 2017-06-30 18:05:03 UTC 
This is VERIFIED fixed in ostree-2017.7-1.el7.x86_64

# rpm-ostree status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-06-27 16:55:35)
                 Commit: 13b30690b7573d0749bf15d0e60394a5ee939a70f5272f4982fa29209042e7ad

# rpm -q ostree
ostree-2017.7-1.el7.x86_64

# journalctl -b | grep -E '(avc|denied)' -m 10
Jun 30 18:02:59 localhost.localdomain kernel: type=1400 audit(1498845779.769:4): avc:  granted  { setsecparam } for  pid=760 comm="tuned" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
Comment 5 errata-xmlrpc 2017-08-02 00:18:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2356