Bug 1579075 - AVC: systemd-networkd and resolved unable to communicate over dbus
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-05-16 23:16 UTC by Scott Shambarger
Modified: 2018-06-09 20:41 UTC

Fixed In Version: selinux-policy-3.14.2-22.fc29 selinux-policy-3.14.1-32.fc28
Clone Of:
Environment:
Last Closed: 2018-06-09 20:41:48 UTC
Type: Bug
Embargoed:



Description Scott Shambarger 2018-05-16 23:16:09 UTC
Description of problem:
Setting up a system with systemd-networkd for networking, I receive the following errors in the logs:

# journalctl -u systemd-networkd
...: Could not emit changed OperationalState: Transport endpoint is not connected
...: Not connected to system bus, not setting hostname.

The same services worked correctly in Fedora 27.

It's likely that systemd-hostnamed is also affected, although I don't have it configured on my system.

Version-Release number of selected component (if applicable):
systemd-238-8.git0e0aa59.fc28.x86_64
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
----
time->Wed May 16 15:24:08 2018
type=PROCTITLE msg=audit(1526509448.216:82): proctitle="/usr/lib/systemd/systemd-networkd"
type=PATH msg=audit(1526509448.216:82): item=0 name="/run/dbus/system_bus_socket" inode=22634 dev=00:17 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1526509448.216:82): cwd="/"
type=SYSCALL msg=audit(1526509448.216:82): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=555fce7fd110 a2=2000d84 a3=7562642f6e75722f items=1 ppid=1 pid=421 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)
type=AVC msg=audit(1526509448.216:82): avc:  denied  { read } for  pid=421 comm="systemd-network" name="system_bus_socket" dev="tmpfs" ino=22634 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
----
time->Wed May 16 15:24:08 2018
type=PROCTITLE msg=audit(1526509448.223:83): proctitle="/usr/lib/systemd/systemd-resolved"
type=PATH msg=audit(1526509448.223:83): item=0 name="/run/dbus/system_bus_socket" inode=22634 dev=00:17 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1526509448.223:83): cwd="/"
type=SYSCALL msg=audit(1526509448.223:83): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=55817d0ce9d0 a2=2000d84 a3=7562642f6e75722f items=1 ppid=1 pid=498 auid=4294967295 uid=193 gid=193 euid=193 suid=193 fsuid=193 egid=193 sgid=193 fsgid=193 tty=(none) ses=4294967295 comm="systemd-resolve" exe="/usr/lib/systemd/systemd-resolved" subj=system_u:system_r:systemd_resolved_t:s0 key=(null)
type=AVC msg=audit(1526509448.223:83): avc:  denied  { read } for  pid=498 comm="systemd-resolve" name="system_bus_socket" dev="tmpfs" ino=22634 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0

I added the following rules and the errors in the logs were resolved (I'm not sure if write access is also required though!):

#============= systemd_networkd_t ==============
allow systemd_networkd_t system_dbusd_var_run_t:dir read;
allow systemd_networkd_t system_dbusd_var_run_t:sock_file read;

#============= systemd_resolved_t ==============
allow systemd_resolved_t system_dbusd_var_run_t:dir read;
allow systemd_resolved_t system_dbusd_var_run_t:sock_file read;
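
The two denials above, joined with their SYSCALL records on the audit event id and reduced to the allow rules they imply, in the style audit2allow prints. This is an added example, not part of the original report or of selinux-policy; the function names are hypothetical, and mapping x86_64 syscall 254 to inotify_add_watch comes from the kernel syscall table, not from the page.

```python
import errno
import re
from collections import defaultdict

# Records taken from the two audit events in the report above; the SYSCALL
# lines are abridged to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(1526509448.216:82): arch=c000003e syscall=254 success=no exit=-13 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd"
type=AVC msg=audit(1526509448.216:82): avc:  denied  { read } for  pid=421 comm="systemd-network" name="system_bus_socket" dev="tmpfs" ino=22634 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1526509448.223:83): arch=c000003e syscall=254 success=no exit=-13 comm="systemd-resolve" exe="/usr/lib/systemd/systemd-resolved"
type=AVC msg=audit(1526509448.223:83): avc:  denied  { read } for  pid=498 comm="systemd-resolve" name="system_bus_socket" dev="tmpfs" ino=22634 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
'''

EVENT = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$', re.M)
AVC = re.compile(r'denied\s+\{([^}]*)\}.*scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
X86_64_SYSCALLS = {254: "inotify_add_watch"}  # only the number seen in the report


def parse(text):
    """Join records on the audit event id; return (events, rules).

    The SELinux type is the third field of a user:role:type:level context.
    """
    events = defaultdict(dict)
    rules = defaultdict(set)  # (source type, target type, class) -> permissions
    for rtype, event_id, body in EVENT.findall(text):
        ev = events[event_id]
        if rtype == "SYSCALL":
            kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
            ev["exe"] = kv["exe"].strip('"')
            ev["syscall"] = X86_64_SYSCALLS.get(int(kv["syscall"]), kv["syscall"])
            ev["errno"] = errno.errorcode.get(-int(kv["exit"]), kv["exit"])
        elif rtype == "AVC" and (a := AVC.search(body)):
            perms, scon, tcon, tclass = a.groups()
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            rules[key].update(perms.split())
            ev["denied"] = key
    return dict(events), dict(rules)


def allow_rules(rules):
    """Yield one policy allow rule per (source, target, class) group."""
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        yield f"allow {src} {tgt}:{cls} {p};"


if __name__ == "__main__":
    events, rules = parse(SAMPLE)
    print(*events.items(), *allow_rules(rules), sep="\n")
```

The output covers only the two AVC records embedded in the block, so it contains the `sock_file` rules and nothing for other classes.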

Comment 1 Fedora Update System 2018-06-06 13:36:07 UTC
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

Comment 2 Fedora Update System 2018-06-07 13:16:42 UTC
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de

Comment 3 Fedora Update System 2018-06-09 20:41:48 UTC
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

