Description of problem:
SELinux is preventing NetworkManager from 'unlink' accesses on the file resolv.conf.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow NetworkManager to have unlink access on the resolv.conf file
Then you need to change the label on resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, dhcpc_state_t, dhcpc_var_run_t, dnsmasq_var_run_t, hostname_etc_t, named_cache_t, net_conf_t, pppd_var_run_t, ssh_home_t, systemd_passwd_var_run_t.
Then execute:
restorecon -v 'resolv.conf'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that NetworkManager should be allowed unlink access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.6-34.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-34.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.10.16-200.fc33.x86_64 #1 SMP Sun Feb 14 03:02:32 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-02-22 11:15:13 AST
Last Seen                     2021-02-25 07:11:38 AST
Local ID                      bd3b5413-bea0-4ea0-817a-21053e8cdf6d

Raw Audit Messages
type=AVC msg=audit(1614251498.197:1195): avc: denied { unlink } for pid=877 comm="NetworkManager" name="resolv.conf" dev="sda2" ino=631566 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Hash: NetworkManager,NetworkManager_t,etc_t,file,unlink

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-34.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.10.17-200.fc33.x86_64
type:           libreport

Potential duplicate: bug 876757
Needs to be backported from rawhide:

commit ae3100448402f39e53e7e2881888fcaa1a5713f5
Author: Ondrej Mosnacek <omosnace>
Date:   Thu Feb 11 21:35:27 2021 +0100

    Label /etc/resolv.conf as net_conf_t even when it's a symlink
FEDORA-2021-e9050fdd5c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e9050fdd5c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e9050fdd5c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e9050fdd5c has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.