Description of problem: NetworkManager currently fails to communicate with systemd-resolved over dbus. This prevents the DNS information in systemd-resolved from being properly updated. Version-Release number of selected component (if applicable): NetworkManager-1.8.4-4.fc27.x86_64 systemd-234-8.fc27.x86_64 selinux-policy-3.13.1-283.10.fc27.noarch selinux-policy-targeted-3.13.1-283.10.fc27.noarch How reproducible: Always Steps to Reproduce: 1. Symlink /usr/lib/systemd/resolv.conf to /etc/resolv.conf 2. Restart NetworkManager. It detects the symlink and enables its systemd-resolved functionality. 3. Reconnect to some network. Actual results: NetworkManager prints out an SELinux denial to journald and fails to update systemd-resolved. --- Oct 21 19:06:40 cxl-4270cto NetworkManager[7475]: <warn> [1508627200.3741] dns-sd-resolved[0x7ff294004610]: Failed: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.126" (uid=0 pid=7475 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") interface="org.freedesktop.resolve1.Manager" member="SetLinkDomains" error name="(unset)" requested_reply="0" destination=":1.19" (uid=193 pid=1258 comm="/usr/lib/systemd/systemd-resolved " label="system_u:system_r:systemd_resolved_t:s0") --- Expected results: NetworkManager should be able to update systemd-resolved. Additional info: Raw denial: ``` type=USER_AVC msg=audit(10/21/2017 19:06:40.373:374) : pid=1039 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.resolve1.Manager member=SetLinkDomains dest=:1.19 spid=7475 tpid=1258 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' ```
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
Thanks for the update! I gave it a try and it seems to be working now. I'm getting another denial for dbus chat between systemd-resolved and systemd-logind. Not sure if related, but it doesn't impact my original issue at least. ``` type=USER_AVC msg=audit(1508936079.082:2257): pid=1039 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.login1.Manager member=PrepareForSleep dest=org.freedesktop.DBus spid=1032 tpid=1258 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' ```
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.