Bug 1818528 - SELinux is preventing systemctl from 'getattr' accesses on the file /usr/lib/systemd/system/dhcpd6.service.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:20fb36b6d099ea5cf78036bc573...
Reported: 2020-03-28 22:58 UTC by saw-bgzlrhat@sawoct.com
Modified: 2020-06-05 02:40 UTC

Fixed In Version: selinux-policy-3.14.4-52.fc31
Last Closed: 2020-06-05 02:40:01 UTC

Description saw-bgzlrhat@sawoct.com 2020-03-28 22:58:24 UTC
Description of problem:
NetworkManager is unable to restart dhcpd -- denied by SELinux.
Occurs on every interface up event.
Both dhcpd and dhcpd6 services are affected.

The issue started right after upgrading the system to Fedora 31 and occurs on 100% of interface events.
SELinux is preventing systemctl from 'getattr' accesses on the file /usr/lib/systemd/system/dhcpd6.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed getattr access on the dhcpd6.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dhcpd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/dhcpd6.service [ file ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           dhcp-server-4.4.1-19.fc31.x86_64
SELinux Policy RPM            selinux-policy-3.14.4-49.fc31.noarch
Local Policy RPM              selinux-policy-targeted-3.14.4-49.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.5.10-200.fc31.x86_64 #1 SMP Wed
                              Mar 18 14:21:38 UTC 2020 x86_64 x86_64
Alert Count                   38
First Seen                    2020-03-25 10:37:27 MSK
Last Seen                     2020-03-29 01:21:08 MSK
Local ID                      3043c747-89ca-4d85-ba87-05b93f44bb68

Raw Audit Messages
type=AVC msg=audit(1585434068.11:293): avc:  denied  { getattr } for  pid=2821 comm="systemctl" path="/usr/lib/systemd/system/dhcpd6.service" dev="dm-0" ino=2350180 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dhcpd_unit_file_t:s0 tclass=file permissive=0


Hash: systemctl,NetworkManager_t,dhcpd_unit_file_t,file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-49.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.12.0
hashmarkername: setroubleshoot
kernel:         5.5.10-200.fc31.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2020-03-30 07:13:33 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/228

Comment 2 Lukas Vrabec 2020-03-30 07:50:41 UTC
commit d5da0422ebc96d5acbe912aa8d5c3bc8a1ace015 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Mar 30 08:39:24 2020 +0200

    Allow NetworkManager manage dhcpd unit files
    
    Resolves: rhbz#1818528

Comment 3 Fedora Update System 2020-05-20 13:47:38 UTC
FEDORA-2020-6d33cc238c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

Comment 4 Fedora Update System 2020-05-21 04:16:17 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6d33cc238c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6d33cc238c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-06-05 02:40:01 UTC
FEDORA-2020-6d33cc238c has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

