Description of problem:
SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/lib/expressvpn/resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that NetworkManager should be allowed getattr access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/expressvpn/resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64 x86_64
Alert Count                   23
First Seen                    2017-12-22 21:05:38 MSK
Last Seen                     2017-12-27 21:57:57 MSK
Local ID                      50e426fa-b983-46b4-99fd-521f72d43abf

Raw Audit Messages
type=AVC msg=audit(1514401077.266:443): avc: denied { getattr } for pid=964 comm="NetworkManager" path="/var/lib/expressvpn/resolv.conf" dev="sda3" ino=375126 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: NetworkManager,NetworkManager_t,var_lib_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.13.1-283.17.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.8-300.fc27.x86_64
type:           libreport
Only after viewing my bug in bugzilla, I found out that the report is about '/var/lib/expressvpn/resolv.conf' - while SELinux Troubleshooter mentions it as 'resolv.conf' everywhere.
I am experiencing the same problem, manifesting from the following source processes: NetworkManager, chronyd, sssd, mktemp, sssd_be, dnsmasq, geoclue.

The following are the details from the SELinux Alert Browser for NetworkManager; it also involves /var/lib/expressvpn/resolv.conf.

SELinux is preventing NetworkManager from getattr access on the file /var/lib/expressvpn/resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that NetworkManager should be allowed getattr access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/expressvpn/resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.21.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gazp9.local.net
Platform                      Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64 x86_64
Alert Count                   136
First Seen                    2018-01-11 15:04:19 EST
Last Seen                     2018-01-31 20:20:14 EST
Local ID

Raw Audit Messages
type=AVC msg=audit(1517448014.586:1279): avc: denied { getattr } for pid=1265 comm="NetworkManager" path="/var/lib/expressvpn/resolv.conf" dev="dm-0" ino=139417870 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

Hash: NetworkManager,NetworkManager_t,var_lib_t,file,getattr
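Both NetworkManager reports above end with setroubleshoot's catchall suggestion: pipe `ausearch -c 'NetworkManager' --raw` into `audit2allow -M` and load the resulting module. That widens the NetworkManager_t domain to every var_lib_t file, and because `ausearch -c` selects every record for that comm, the .te file may contain more than this one denial. The script below is an added example; it is not part of the bug report, setroubleshoot or audit2allow. It parses the raw AVC records quoted in the two reports (embedded here as constructed samples), prints the allow rule audit2allow would write so it can be reviewed before `semodule -i`, and prints the alternative of relabeling the file persistently. It assumes net_conf_t is the type NetworkManager already reads resolv.conf under on this policy (confirm with `ls -Z /etc/resolv.conf`); no SELinux command is executed, only printed.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): triage a raw AVC denial offline,
# show the rule audit2allow would generate from it, and print the two ways
# to resolve it. Nothing here touches the running policy.
set -eu

# Constructed samples: the raw audit records quoted in the two reports above.
SAMPLE_AVC_1='type=AVC msg=audit(1514401077.266:443): avc: denied { getattr } for pid=964 comm="NetworkManager" path="/var/lib/expressvpn/resolv.conf" dev="sda3" ino=375126 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
SAMPLE_AVC_2='type=AVC msg=audit(1517448014.586:1279): avc: denied { getattr } for pid=1265 comm="NetworkManager" path="/var/lib/expressvpn/resolv.conf" dev="dm-0" ino=139417870 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=VALUE in the record, quotes stripped.
avc_field() {
  local record="$1" key="$2" v
  v=$(printf '%s\n' "$record" | grep -oE "(^| )$key=[^ ]*" | head -n1)
  v=${v# }; v=${v#"$key="}; v=${v#\"}; v=${v%\"}
  printf '%s\n' "$v"
}

# avc_perms RECORD: the permission list inside "{ ... }", space separated.
avc_perms() {
  local perms
  perms=$(printf '%s\n' "$1" | grep -o '{ [^}]* }' | head -n1)
  perms=${perms#\{ }; perms=${perms% \}}
  printf '%s\n' "$perms"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# allow_rule RECORD: the allow rule audit2allow would put in the .te file
# for this denial. Read this before running semodule -i.
allow_rule() {
  local src tgt cls perms
  src=$(ctx_type "$(avc_field "$1" scontext)")
  tgt=$(ctx_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  case $perms in
    *" "*) printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms" ;;
    *)     printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms" ;;
  esac
}

# relabel_commands RECORD NEWTYPE: persistent relabel of the denied path,
# which fixes a mislabeled file without widening the source domain.
relabel_commands() {
  local path escaped
  path=$(avc_field "$1" path)
  # semanage fcontext takes a regex; escape the dot so only this file matches.
  escaped=$(printf '%s\n' "$path" | sed 's/\./\\./g')
  printf 'semanage fcontext -a -t %s "%s"\n' "$2" "$escaped"
  printf 'restorecon -v "%s"\n' "$path"
}

# triage RECORD: human-readable summary plus both remediation options.
triage() {
  echo "denied:        $(avc_perms "$1") on $(avc_field "$1" path) ($(avc_field "$1" tclass))"
  echo "source domain: $(ctx_type "$(avc_field "$1" scontext)")"
  echo "target type:   $(ctx_type "$(avc_field "$1" tcontext)")"
  echo
  echo "Option A, what the catchall plugin generates (review the .te first):"
  echo "  $(allow_rule "$1")"
  echo "Option B, relabel the file to the type NetworkManager already reads"
  echo "(assumption: resolv.conf is net_conf_t on this policy; confirm with"
  echo " ls -Z /etc/resolv.conf):"
  relabel_commands "$1" net_conf_t | sed 's/^/  /'
}

triage "$SAMPLE_AVC_1"
echo
echo "Second report yields the same rule: $(allow_rule "$SAMPLE_AVC_2")"
```

Run it as-is to see the triage for the records quoted above; to use it on a live system, replace the samples with the output of `ausearch -m AVC --raw`. If the relabel is the right fix, the `semanage fcontext` line is what survives reboots and `restorecon`, whereas a `chcon` would be undone by the next relabel.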
Description of problem:
I'm not sure what the cause is. I installed Fedora 27 from a USB live image (...I didn't verify the checksum, hence my slight concern -- I'll never do that again!). I've been getting SELinux security alerts (AVC denial) several times a day, mostly NetworkManager making a read or getattr request to resolv.conf. Because I don't understand it, I don't just want to grant access (even though from what I've read it seems pretty innocuous). I've been using VLC, Google Chrome, and ExpressVPN mostly. Not sure if any of that software is related to the problem. Thanks.

Version-Release number of selected component:
selinux-policy-3.13.1-283.24.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.18-300.fc27.x86_64
type:           libreport
Are you able to predocue it with the latest selinux-policy package?

Thanks,
Lukas.
Found active bugs with the same issue.

https://bugzilla.redhat.com/show_bug.cgi?id=1545932
https://bugzilla.redhat.com/show_bug.cgi?id=1539180 (similar but also deals with resolv.conf)

Upgraded to selinux-policy-3.13.1-283.26.fc27.src.rpm but the issue still manifests, with NetworkManager and chronyd appearing the most in the SETroubleshoot Alert List.
(In reply to Lukas Vrabec from comment #4)
> Are you able to predocue it with the latest selinux-policy package?
>
> THanks,
> Lukas.

Hello Lukas, what do you mean by 'predocue'? I'm a relatively new user but I'm willing to help with anything I can to resolve the issue.
No, I can't reproduce the problem, thanks!
*** Bug 1647439 has been marked as a duplicate of this bug. ***
Description of problem:
Connect to any host using expressvpn and it appears

Version-Release number of selected component:
selinux-policy-3.14.2-48.fc29.noarch

Additional info:
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.6-200.fc29.x86_64
type:           libreport