Bug 1715597 - Multiple denials for NetworkManager access to 'nsfs' in Fedora-Rawhide-20190529.n.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
Reported: 2019-05-30 18:22 UTC by Adam Williamson
Modified: 2019-10-29 01:27 UTC

Fixed In Version: selinux-policy-3.14.4-23.fc31 selinux-policy-3.14.4-39.fc31
Clone Of:
Environment:
Last Closed: 2019-10-29 01:27:50 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-05-30 18:22:39 UTC
Fedora-Rawhide-20190529.n.0 in openQA testing shows some new SELinux denials after a fresh install and boot. These did not appear in Fedora-Rawhide-20190527.n.0. These are the denials (I booted in permissive mode to check we got *all* the denials):

----
time->Thu May 30 11:15:43 2019
type=AVC msg=audit(1559240143.248:102): avc:  denied  { read } for  pid=854 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
----
time->Thu May 30 11:16:12 2019
type=AVC msg=audit(1559240172.938:88): avc:  denied  { read } for  pid=825 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
----
time->Thu May 30 11:16:12 2019
type=AVC msg=audit(1559240172.938:89): avc:  denied  { open } for  pid=825 comm="NetworkManager" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1

The obvious difference between the two composes is the arrival of selinux-policy-3.14.4-19.fc31; the previous compose had 18.fc31.

I'm not sure what practical effect this has; it doesn't seem to stop the network working at least.
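
The reason for booting in permissive mode can be shown directly from the three AVC records above. The following Python sketch is an added example, not part of the bug report or of the selinux-policy commit; it groups the records by source type, target type and class, and reports which permissions only appeared with permissive=1. The rule string it builds is an audit2allow-style summary, not the text of the actual policy change.

```python
import re
from collections import defaultdict

# The three AVC records from the report above.
SAMPLE = """\
type=AVC msg=audit(1559240143.248:102): avc:  denied  { read } for  pid=854 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559240172.938:88): avc:  denied  { read } for  pid=825 comm="NetworkManager" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1559240172.938:89): avc:  denied  { open } for  pid=825 comm="NetworkManager" path="net:[4026531992]" dev="nsfs" ino=4026531992 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    # user:role:type:level; the level may contain further colons, so index, don't unpack
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> {permissive flag: set of permissions}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            out[key][rec.get("permissive", "?")].update(rec["perms"])
    return out

def only_seen_permissive(by_mode):
    """Permissions that enforcing mode never logged because the first denial stopped the access."""
    return by_mode.get("1", set()) - by_mode.get("0", set())

def allow_rules(summary):
    """One audit2allow-style rule per (source, target, class), covering every mode."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(set().union(*m.values())))} }};"
            for (s, t, c), m in sorted(summary.items())]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for key, by_mode in summary.items():
        print(key, "hidden in enforcing:", sorted(only_seen_permissive(by_mode)))
    print("\n".join(allow_rules(summary)))
```

In enforcing mode the denied read ends the access attempt, so the open denial is never logged; a rule written from the enforcing log alone would cover only read.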

Comment 1 Lukas Vrabec 2019-05-31 08:31:02 UTC
commit 3408b23fc140bfea72d20730b0e0e29d728d580c (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri May 31 10:30:48 2019 +0200

    Allow NetworkManager_t domain to read nsfs_t files BZ(1715597)

Comment 2 Ben Cotton 2019-08-13 17:06:15 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 3 Ben Cotton 2019-08-13 19:03:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 4 Fedora Update System 2019-10-22 19:32:38 UTC
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 5 Fedora Update System 2019-10-23 15:44:38 UTC
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 6 Fedora Update System 2019-10-26 16:59:25 UTC
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 7 Fedora Update System 2019-10-27 04:02:50 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 8 Fedora Update System 2019-10-29 01:27:50 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

