Description of problem:
Upon undocking the laptop and switching from wired to wireless SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that 11-dhclient should be allowed getattr access on the setfiles file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '11-dhclient' --raw | audit2allow -M my-11dhclient
# semodule -X 300 -i my-11dhclient.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:setfiles_exec_t:s0
Target Objects                /usr/sbin/setfiles [ file ]
Source                        11-dhclient
Source Path                   11-dhclient
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           policycoreutils-2.9-5.fc31.x86_64
Policy RPM                    selinux-policy-3.14.4-43.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.16-300.fc31.x86_64 #1 SMP Fri Dec 13 17:59:04 UTC 2019 x86_64 x86_64
Alert Count                   44
First Seen                    2019-11-21 13:59:49 EST
Last Seen                     2019-12-31 11:48:41 EST
Local ID                      6e2e550a-dfc6-4f19-9868-cd409c916bc7

Raw Audit Messages
type=AVC msg=audit(1577810921.215:791): avc: denied { getattr } for pid=199096 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-1" ino=668502 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0

Hash: 11-dhclient,NetworkManager_t,setfiles_exec_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-43.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.11.3
hashmarkername: setroubleshoot
kernel:         5.3.16-300.fc31.x86_64
type:           libreport
*** Bug 1788213 has been marked as a duplicate of this bug. ***
Hi All,

Is there a possibility that NetworkManager executes restorecon somewhere?

Thanks,
Lukas.
Similar problem has been detected:

Seems to happen whenever NetworkManager establishes a new connection.

hashmarkername: setroubleshoot
kernel:         5.3.16-300.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport
> Is there a possibility that NetworkManager executes restorecon somewhere?

I don't understand this question.

/usr/lib/NetworkManager/dispatcher.d/11-dhclient is provided by the dhcp-client package. It's a shell script that sources further files from /etc/dhcp/dhclient.d.

NetworkManager has little to do with this script, aside from the fact that it gets executed by /usr/libexec/nm-dispatcher (which is the `NetworkManager-dispatcher.service` service). Yes, among other things, that happens "whenever NetworkManager establishes a new connection".

What other files are in /etc/dhcp/dhclient.d?
Similar problem has been detected:

Brought laptop out of suspend (by opening the lid); the alert popped up after 10 or 20 seconds.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport
Similar problem has been detected:

I opened the laptop lid and entered my password; the error came up 10-20 seconds later.

hashmarkername: setroubleshoot
kernel:         5.4.8-200.fc31.x86_64
package:        selinux-policy-3.14.4-43.fc31.noarch
reason:         SELinux is preventing 11-dhclient from 'getattr' accesses on the file /usr/sbin/setfiles.
type:           libreport
Raw Audit Messages
type=AVC msg=audit(1580569557.278:333): avc: denied { getattr } for pid=62556 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25176563 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1580569557.278:333): arch=x86_64 syscall=stat success=no exit=EACCES a0=561cbff9da10 a1=7ffe9a2b1d40 a2=7ffe9a2b1d40 a3=561cbff9eaa0 items=1 ppid=62514 pid=62556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null)

type=CWD msg=audit(1580569557.278:333): cwd=/

type=PATH msg=audit(1580569557.278:333): item=0 name=/sbin/restorecon inode=25176563 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: 11-dhclient,NetworkManager_t,setfiles_exec_t,file,getattr
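To read the three records of this event together (the AVC denial, the SYSCALL record showing bash running 11-dhclient still in NetworkManager_t, and the PATH record naming /sbin/restorecon while the denied inode is /usr/sbin/setfiles), here is an added Python example that is not part of the bug report or of any of the packages discussed; it parses the records copied from the comment above and rebuilds the "Hash:" tuple in the format setroubleshoot printed.

```python
"""Parse the raw audit records posted above and rebuild the setroubleshoot hash (added example)."""
import re
from collections import defaultdict

# Copied from the report's Raw Audit Messages; one event id, four record types.
RAW_AUDIT = """\
type=AVC msg=audit(1580569557.278:333): avc: denied { getattr } for pid=62556 comm="11-dhclient" path="/usr/sbin/setfiles" dev="dm-0" ino=25176563 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1580569557.278:333): arch=x86_64 syscall=stat success=no exit=EACCES a0=561cbff9da10 a1=7ffe9a2b1d40 a2=7ffe9a2b1d40 a3=561cbff9eaa0 items=1 ppid=62514 pid=62556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=11-dhclient exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=CWD msg=audit(1580569557.278:333): cwd=/
type=PATH msg=audit(1580569557.278:333): item=0 name=/sbin/restorecon inode=25176563 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')  # event id shared by the records of one syscall
PERM_RE = re.compile(r'\{ ([^}]*) \}')               # denied permission set in an AVC record

def parse_records(text):
    """Group records by event id: {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            perms = PERM_RE.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
        events[m.group(1)][fields["type"]] = fields
    return dict(events)

def context_type(ctx):
    """Type component of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]

def setroubleshoot_hash(event):
    """Rebuild the 'Hash:' tuple from the report: comm,source type,target type,class,perm."""
    avc = event["AVC"]
    return ",".join([avc["comm"], context_type(avc["scontext"]),
                     context_type(avc["tcontext"]), avc["tclass"], avc["perms"][0]])

def explain(event):
    """Facts that locate the denial: which domain ran which binary, and whether the name the script opened is a symlink to the denied inode."""
    avc, sc, path = event["AVC"], event.get("SYSCALL", {}), event.get("PATH", {})
    return {
        "domain": context_type(avc["scontext"]),  # no transition: still NetworkManager_t
        "exe": sc.get("exe"),                      # the interpreter running 11-dhclient
        "requested_name": path.get("name"),        # what the script called
        "resolved_path": avc.get("path"),          # what the kernel actually reached
        "symlink_suspected": path.get("name") != avc.get("path") and path.get("inode") == avc.get("ino"),
    }
```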
(In reply to Thomas Haller from comment #4)
> > Is there a possibility that NetworkManager executes restorecon somewhere?
> 
> I don't understand this question.
> 
> 
> /usr/lib/NetworkManager/dispatcher.d/11-dhclient is provided by dhcp-client
> package.
> It's a shell script that sources further files from /etc/dhcp/dhclient.d.
> 
> 
> NetworkManager has little to do with this script, aside that it gets
> executed by /usr/libexec/nm-dispatcher (which is
> `NetworkManager-dispatcher.service` service). Yes, among other that happens
> "whenever NetworkManager establishes a new connection".
> 
> 
> what other files are in /etc/dhcp/dhclient.d ?

sh-5.0# ls -la /etc/dhcp/dhclient.d
total 12
drwxr-xr-x. 2 root root   51 Feb  1 10:34 .
drwxr-x---. 3 root root   24 Feb  1 09:47 ..
-rwxr-xr-x. 1 root root  421 Jul 24  2019 chrony.sh
-rwxr-xr-x. 1 root root 3054 Jul 30  2019 nis.sh
-rwxr-xr-x. 1 root root 2231 Jul 26  2019 ntp.sh
sh-5.0# grep restorecon /etc/dhcp/dhclient.d/*
/etc/dhcp/dhclient.d/nis.sh:    if [ -x /sbin/restorecon ]; then
/etc/dhcp/dhclient.d/nis.sh:        /sbin/restorecon ${1} >/dev/null 2>&1
/etc/dhcp/dhclient.d/nis.sh:    # Do not rely on restorecon.
/etc/dhcp/dhclient.d/nis.sh:    # Try restorecon
/etc/dhcp/dhclient.d/ntp.sh:        restorecon ${CONF} >/dev/null 2>&1
sh-5.0# head -n 35 /etc/dhcp/dhclient.d/ntp.sh | tail -n 15
# Author(s): David Cantrell <dcantrell>
#            Miroslav Lichvar <mlichvar>
#

CONF=/etc/ntp.conf
SAVECONF=${SAVEDIR}/${CONF##*/}.predhclient.${interface}

ntp_replace_conf() {
    echo "$1" | diff -q ${CONF} - > /dev/null 2>&1
    if [ $? -eq 1 ]; then
        echo "$1" > ${CONF}
        restorecon ${CONF} >/dev/null 2>&1
        systemctl try-restart ntpd.service > /dev/null 2>&1 || service ntpd condrestart > /dev/null 2>&1
    fi
sh-5.0# ls -l /usr/sbin/restorecon
lrwxrwxrwx. 1 root root 8 Aug 29 04:22 /usr/sbin/restorecon -> setfiles
sh-5.0# rpm -qf /etc/dhcp/dhclient.d/nis.sh /etc/dhcp/dhclient.d/ntp.sh
ypbind-2.6.1-1.fc31.x86_64
ntp-4.2.8p13-3.fc31.x86_64
Thank you Lukas for helping investigate the issue.
A PR has been created to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/198
PR commented.
commit a7d5d94a79a04575e3fb069e9efd60e74a3fa378 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue Feb 4 16:03:06 2020 +0100

    Allow networkmanager_t transition to setfiles_t

    Resolves: rhbz#1787162
FEDORA-2020-4824687c8c has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c
selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 testing repository.
If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-4824687c8c
selinux-policy-3.14.4-46.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1775549 has been marked as a duplicate of this bug. ***