Bug 1750428 - Denied NetworkManager write to /var/tmp/dracut.*/systemd-cat while generating initrd image
Summary: Denied NetworkManager write to /var/tmp/dracut.*/systemd-cat while generating...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1768951 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-09-09 15:06 UTC by Sanne Raymaekers
Modified: 2020-06-02 11:09 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-02 11:09:49 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Sanne Raymaekers 2019-09-09 15:06:40 UTC
journalctl excerpts:
dracut[15203]: Executing: /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg earlykdump" --add ssh-client --sshkey /root/.ssh/id_rsa --no-hostonly-default-device -f /boot/initramfs-5.3.0-0.rc6.git0.1.fc31.x86_64kdump.img 5.3.0-0.rc6.git0.1.fc31.x86_64

audit: type=1400 audit(*): avc:  denied  { write } for  pid=* comm="NetworkManager" path="/var/tmp/dracut.*/systemd-cat" dev="dm-0" ino=* scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0

Comment 1 Lukas Vrabec 2019-09-12 15:17:03 UTC
Hi Sanne, 

Any idea why NetworkManager is accesing some kdumpctl temp files? 

Thanks,
Lukas.

Comment 2 Sanne Raymaekers 2019-09-16 10:59:07 UTC
While dracut builds a new initramfs image (using /var/tmp as a temporary directory), network-manager is apparently one of the modules that's configured to be included.

The exact command executed is ` /usr/bin/dracut --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode strict -o "plymouth dash resume ifcfg earlykdump" --add ssh-client --sshkey /root/.ssh/id_rsa --no-hostonly-default-device -f /boot/initramfs-5.3.0-0.rc6.git0.1.fc31.x86_64kdump.img 5.3.0-0.rc6.git0.1.fc31.x86_64`

Comment 3 Lukas Vrabec 2019-09-18 20:52:05 UTC
Sanne, 

Do you have some functionality issues on your system because of this SELinux denial? Or system is working just fine and you only see this SELinux denial? 

Thanks,
Lukas.

Comment 4 Sanne Raymaekers 2019-09-23 08:43:49 UTC
Oh no, this is just causing cockpit's kdump test to fail and this pops into the logs, see https://github.com/cockpit-project/cockpit/issues/12744

The rest of the test works fine though so maybe we can just safely ignore this?

Sorry for giving so little context earlier.

Thanks,
Sanne

Comment 5 Lukas Vrabec 2019-09-25 11:38:17 UTC
Hi Sanne, 

I added dontaudit rules: 

commit ddba7c41173f75535894f3ced77f9b0e6618ceac (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Sep 25 13:37:57 2019 +0200

    Dontaudit NetworkManager_t domain to write to kdump temp pipies BZ(1750428)

Comment 6 Fedora Update System 2019-10-04 13:35:29 UTC
FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 7 Fedora Update System 2019-10-04 22:51:10 UTC
selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 8 Fedora Admin XMLRPC Client 2020-01-23 16:24:05 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 9 Martin Pitt 2020-06-02 11:01:09 UTC
*** Bug 1768951 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.