Description of problem:
NetworkManager is unable to restart dhcpd -- denied by SELinux. Occurs on every interface up event. Both dhcpd and dhcpd6 services are affected. The issue started right after upgrading the system to Fedora 31 and occurs on 100% of interface events.

SELinux is preventing systemctl from 'getattr' accesses on the file /usr/lib/systemd/system/dhcpd6.service.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemctl should be allowed getattr access on the dhcpd6.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
    # semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dhcpd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/dhcpd6.service [ file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           dhcp-server-4.4.1-19.fc31.x86_64
SELinux Policy RPM            selinux-policy-3.14.4-49.fc31.noarch
Local Policy RPM              selinux-policy-targeted-3.14.4-49.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.5.10-200.fc31.x86_64 #1 SMP Wed Mar 18 14:21:38 UTC 2020 x86_64 x86_64
Alert Count                   38
First Seen                    2020-03-25 10:37:27 MSK
Last Seen                     2020-03-29 01:21:08 MSK
Local ID                      3043c747-89ca-4d85-ba87-05b93f44bb68

Raw Audit Messages

    type=AVC msg=audit(1585434068.11:293): avc: denied { getattr } for pid=2821 comm="systemctl" path="/usr/lib/systemd/system/dhcpd6.service" dev="dm-0" ino=2350180 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpd_unit_file_t:s0 tclass=file permissive=0

Hash: systemctl,NetworkManager_t,dhcpd_unit_file_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-49.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.5.10-200.fc31.x86_64
type:           libreport
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/228
commit d5da0422ebc96d5acbe912aa8d5c3bc8a1ace015 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Mar 30 08:39:24 2020 +0200

    Allow NetworkManager manage dhcpd unit files

    Resolves: rhbz#1818528
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.

In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository. If the problem still persists, please make note of it in this bug report.