On F29, NetworkManager implements new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network.

Currently the SELinux policy forbids this, resulting in the following denials when a connection is activated:

Nov 20 14:44:23 fd audit[678]: AVC avc: denied { map_create } for pid=678 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bpf permissive=1
Nov 20 14:44:23 fd audit[678]: AVC avc: denied { map_read map_write } for pid=678 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bpf permissive=1
Nov 20 14:44:23 fd audit[678]: AVC avc: denied { prog_load } for pid=678 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bpf permissive=1
Nov 20 14:44:23 fd audit[678]: AVC avc: denied { prog_run } for pid=678 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bpf permissive=1

Please add rules to the policy so that NM is allowed to perform such calls.

[1] https://github.com/nettools/n-acd
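Added example (not part of the bug report or of the selinux-policy commit): a small Python aggregator over the four AVC records quoted above, showing how they collapse into one type-enforcement rule, the way audit2allow derives one. The function names are hypothetical, and the rule is derived from the quoted log lines only, not copied from the actual policy change.

```python
import re
from collections import defaultdict

# The four AVC records quoted in the report above.
_CTX = "system_u:system_r:NetworkManager_t:s0"
SAMPLE_LOG = "\n".join(
    f'Nov 20 14:44:23 fd audit[678]: AVC avc: denied {{ {perms} }} for pid=678 '
    f'comm="NetworkManager" scontext={_CTX} tcontext={_CTX} tclass=bpf permissive=1'
    for perms in ("map_create", "map_read map_write", "prog_load", "prog_run")
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def collect_denials(log):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC denial record
        key = (context_type(match["src"]), context_type(match["tgt"]), match["cls"])
        denials[key].update(match["perms"].split())
    return denials


def allow_rules(denials):
    """Render one allow rule per key; a domain acting on itself becomes 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(collect_denials(SAMPLE_LOG))))
```

Because scontext and tcontext carry the same type, all four records reduce to a single rule on the bpf class, scoped to NetworkManager_t acting on its own BPF objects.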
Ping, any news on this? Those denials prevent ARP announcements on the local network and the proper detection of duplicate IP addresses.
commit 05cd6efc1ad3c2b18f327c0125b8de99cc50ca58 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 17 19:56:08 2018 +0100

    F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network. BZ(1651654)

    Adding SELinux allow rules to allow activated connections with SELinux in enforcing.
selinux-policy-3.14.2-46.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6a20cfef61
selinux-policy-3.14.2-46.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.