Bug 1750428 - Denied NetworkManager write to /var/tmp/dracut.*/systemd-cat while generating initrd image
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-09-09 15:06 UTC by Sanne Raymaekers
Modified: 2020-06-02 11:09 UTC (History)
Last Closed: 2020-06-02 11:09:49 UTC
Type: Bug

Description Sanne Raymaekers 2019-09-09 15:06:40 UTC
journalctl excerpts:
dracut[15203]: Executing: /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg earlykdump" --add ssh-client --sshkey /root/.ssh/id_rsa --no-hostonly-default-device -f /boot/initramfs-5.3.0-0.rc6.git0.1.fc31.x86_64kdump.img 5.3.0-0.rc6.git0.1.fc31.x86_64

audit: type=1400 audit(*): avc:  denied  { write } for  pid=* comm="NetworkManager" path="/var/tmp/dracut.*/systemd-cat" dev="dm-0" ino=* scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0

Comment 1 Lukas Vrabec 2019-09-12 15:17:03 UTC
Hi Sanne, 

Any idea why NetworkManager is accessing some kdumpctl temp files?


Comment 2 Sanne Raymaekers 2019-09-16 10:59:07 UTC
While dracut builds a new initramfs image (using /var/tmp as a temporary directory), network-manager is apparently one of the modules that's configured to be included.

The exact command executed is `/usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg earlykdump" --add ssh-client --sshkey /root/.ssh/id_rsa --no-hostonly-default-device -f /boot/initramfs-5.3.0-0.rc6.git0.1.fc31.x86_64kdump.img 5.3.0-0.rc6.git0.1.fc31.x86_64`

Comment 3 Lukas Vrabec 2019-09-18 20:52:05 UTC

Do you have some functionality issues on your system because of this SELinux denial? Or is the system working just fine and you only see this SELinux denial?


Comment 4 Sanne Raymaekers 2019-09-23 08:43:49 UTC
Oh no, this is just causing cockpit's kdump test to fail and this pops into the logs, see https://github.com/cockpit-project/cockpit/issues/12744

The rest of the test works fine though so maybe we can just safely ignore this?

Sorry for giving so little context earlier.


Comment 5 Lukas Vrabec 2019-09-25 11:38:17 UTC
Hi Sanne, 

I added dontaudit rules: 

commit ddba7c41173f75535894f3ced77f9b0e6618ceac (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Sep 25 13:37:57 2019 +0200

    Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)
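
Added example, not part of the original thread and not the selinux-policy project's code: a small parser for the AVC record quoted in the description, which derives the type-enforcement rule that would match that denial. The page does not show the contents of the commit above, so the emitted rule is an assumption reconstructed from the AVC fields only; the function names and `SAMPLE_AVC` are hypothetical.

```python
import re

# Constructed sample: the AVC record from the bug description, wildcards as posted.
SAMPLE_AVC = (
    'audit: type=1400 audit(*): avc:  denied  { write } for  pid=* '
    'comm="NetworkManager" path="/var/tmp/dracut.*/systemd-cat" dev="dm-0" ino=* '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed SELinux context: {context!r}')
    return parts[2]


def rule_for(rec, keyword='dontaudit'):
    """Build a rule (dontaudit or allow) for the source type, target type and class."""
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'{keyword} {src} {tgt}:{rec["tclass"]} {perm_str};'


if __name__ == '__main__':
    # Assumption: this is the rule implied by the AVC, not the commit's actual text.
    print(rule_for(parse_avc(SAMPLE_AVC)))
```

A dontaudit rule only suppresses the audit record; the write is still denied. Rebuilding the policy with `semodule -DB` temporarily disables dontaudit rules when hidden denials need to be inspected, and `semodule -B` restores them.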

Comment 6 Fedora Update System 2019-10-04 13:35:29 UTC
FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 7 Fedora Update System 2019-10-04 22:51:10 UTC
selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 8 Fedora Admin XMLRPC Client 2020-01-23 16:24:05 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 9 Martin Pitt 2020-06-02 11:01:09 UTC
*** Bug 1768951 has been marked as a duplicate of this bug. ***
