Description of problem:
After upgrading to F31 and installing some updates, this AVC started appearing several times a day on my machine:

type=AVC msg=audit(1574062474.663:1881): avc: denied { add_name } for pid=306892 comm="11-dhclient" name="chrony.servers.enp0s31f6" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0

This one has also appeared, but only once:

type=AVC msg=audit(1574062454.554:1852): avc: denied { getattr } for pid=302073 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-1" ino=1211904 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch

How reproducible:
Not sure how to reproduce. Likely something specific in my NetworkManager configuration.

Steps to Reproduce:
<unknown>

Actual results:
AVCs slowly filling up the log.

Expected results:
No AVCs.

Additional info:
I'm running the KDE spin of Fedora if that helps...
*** Bug 1775903 has been marked as a duplicate of this bug. ***
SELinux is preventing 11-dhclient from getattr access on the file /usr/sbin/setfiles.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that 11-dhclient should be allowed getattr access on the setfiles file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:setfiles_exec_t:s0
Target Objects                /usr/sbin/setfiles [ file ]
Source                        11-dhclient
Source Path                   11-dhclient
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages
Target RPM Packages           policycoreutils-3.0-0.rc1.1.fc32.x86_64
Policy RPM                    selinux-policy-3.14.5-16.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com 5.4.0-2.fc32.x86_64 #1 SMP Mon Nov 25 22:45:19 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-11-27 13:00:48 EST
Last Seen                     2019-11-27 13:00:48 EST
Local ID                      196d25bf-4b86-484f-b446-313e170b1716

Raw Audit Messages
type=AVC msg=audit(1574877648.392:268): avc: denied { getattr } for pid=24969 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25724528 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0

Hash: 11-dhclient,NetworkManager_t,setfiles_exec_t,file,getattr
I would say it is related to BZ1770698 and BZ1764485
(In reply to Lukas Slebodnik from comment #2)
> Raw Audit Messages
> type=AVC msg=audit(1574877648.392:268): avc: denied { getattr } for
> pid=24969 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0"
> ino=25724528 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
>

I cannot see the AVC with selinux-policy-3.14.5-18.fc32.noarch and it is not allowed either:

sh# sesearch -A -s NetworkManager_t -t setfiles_exec_t -c file
allow domain file_type:file map; [ domain_can_mmap_files ]:True
Lukas,

The issue was resolved with a transition instead of an allow rule.

*** This bug has been marked as a duplicate of bug 1787162 ***
(In reply to Zdenek Pytela from comment #5)
> Lukas,
>
> The issue was resolved with a transition instead of an allow rule.
>
> *** This bug has been marked as a duplicate of bug 1787162 ***

I know https://bugzilla.redhat.com/show_bug.cgi?id=1787162#c8
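The added example below is not part of the bug report or of Fedora's selinux-policy; it is a small Python script written for this page. It parses the three raw AVC records quoted in the thread (embedded as a constructed sample, so it runs without reading /var/log/audit/audit.log), groups the denials into the (source type, target type, class) keys that the `audit2allow` step suggested in comment 2 would turn into allow rules, reproduces the `Hash:` line setroubleshoot prints, and flags targets whose type ends in `_exec_t`. That flag is a heuristic of this example, not something the bug states: a denial on an entrypoint file usually means the caller is trying to execute a program, and comment 5 notes that the real fix here was a domain transition rather than an allow rule that would let NetworkManager_t run setfiles in its own domain. The `report()` output format is also this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three raw AVC records quoted in this bug,
# embedded here so the script runs without access to the live audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1574062474.663:1881): avc: denied { add_name } for pid=306892 comm="11-dhclient" name="chrony.servers.enp0s31f6" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1574062454.554:1852): avc: denied { getattr } for pid=302073 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-1" ino=1211904 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1574877648.392:268): avc: denied { getattr } for pid=24969 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25724528 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
"""

# A real audit.log has double spaces ("avc:  denied  { getattr }"); \s+ covers
# both that and the single-spaced copies pasted into the bug.
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw AVC record into a dict; return None for any other record type."""
    if 'type=AVC ' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        'ts': m.group('ts'),
        'serial': m.group('serial'),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            # user:role:type[:level]; policy rules are written against the type
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class), the granularity of an
    allow rule, with the union of denied permissions, a count and the comms seen."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'comms': set()})
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec['result'] != 'denied':
            continue
        key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
        g = groups[key]
        g['perms'].update(rec['perms'])
        g['count'] += 1
        g['comms'].add(rec.get('comm', '?'))
    return groups


def sealert_hash(rec):
    """The 'Hash:' line setroubleshoot prints: comm,stype,ttype,tclass,perms."""
    return ','.join([rec.get('comm', ''), rec['scontext_type'],
                     rec['tcontext_type'], rec['tclass'], ' '.join(rec['perms'])])


def render_allow(key, perms):
    """Render the allow rule audit2allow would generate for one group."""
    stype, ttype, tclass = key
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def needs_transition(key):
    """Heuristic (this example's assumption): a denial on an *_exec_t file is
    usually an attempt to execute that program, so a domain transition into the
    program's own domain is normally the right fix, not a blanket allow rule."""
    _, ttype, tclass = key
    return tclass == 'file' and ttype.endswith('_exec_t')


def report(text):
    """Return one line per would-be allow rule, plus a note for exec targets."""
    out = []
    for key, g in sorted(summarize(text.splitlines()).items()):
        out.append('%s  # seen %d time(s) from %s'
                   % (render_allow(key, g['perms']), g['count'], ','.join(sorted(g['comms']))))
        if needs_transition(key):
            out.append('# %s is an entrypoint type: consider a domain transition '
                       'instead of the allow rule above' % key[1])
    return out


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AVCS)))
```

Run against real data with `ausearch -m AVC --raw | python3 avc_summary.py` after changing the bottom to read stdin; the point of the grouping is to read what a generated local module would grant before loading it with `semodule`, since an allow rule on an `_exec_t` type widens the caller's domain rather than confining the program it runs.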