Bug 2053388 - SELinux prevents nm-dispatcher from executing scripts in /usr/lib/NetworkManager/dispatcher.d/ directory
Summary: SELinux prevents nm-dispatcher from executing scripts in /usr/lib/NetworkMana...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 2054228 2054291 2054728
Depends On:
Blocks: 2008126 2053640
Reported: 2022-02-11 07:29 UTC by zguo
Modified: 2022-06-15 21:13 UTC
CC List: 11 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2053640
Environment:
Last Closed: 2022-04-29 16:15:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1989070 1 medium CLOSED Create separate SELinux context for NetworkManager-dispatcher : avc: denied { execute } for comm="nm-dispatcher" name="0... 2022-08-24 09:31:01 UTC
Red Hat Bugzilla 2065940 1 medium CLOSED SELinux prevents prevents execution nm-dispatcher to execute script 2022-05-02 19:43:16 UTC
Red Hat Issue Tracker RHELPLAN-111990 0 None None None 2022-02-11 07:51:27 UTC

Internal Links: 2065940

Comment 1 Milos Malik 2022-02-11 08:24:29 UTC
Please find the package which brought the 04-iscsi file:

# rpm -qf /etc/NetworkManager/dispatcher.d/04-iscsi

Thank you.

Comment 4 zguo 2022-02-11 09:18:57 UTC
(In reply to Milos Malik from comment #1)
> Please find the package which brought the 04-iscsi file:
> 
> # rpm -qf /etc/NetworkManager/dispatcher.d/04-iscsi
> 
> Thank you.

$ rpm -qf /usr/lib/NetworkManager/dispatcher.d/04-iscsi
iscsi-initiator-utils-6.2.1.4-4.git095f59c.el8.x86_64

Comment 6 Milos Malik 2022-02-11 11:34:29 UTC
Based on the collected SELinux denials and based on the content of scripts located in the /usr/lib/NetworkManager/dispatcher.d/ directory, the NetworkManager dispatcher wants to run the systemctl and smbcontrol programs.

Comment 8 Zdenek Pytela 2022-02-11 17:40:32 UTC
Permissions for lnk_file are missing even in the upstream policy:
https://github.com/fedora-selinux/selinux-policy/pull/1071

Also note cloud-init brings /etc/NetworkManager/dispatcher.d/cloud-init-azure-hook (rhel8/9) or /etc/NetworkManager/dispatcher.d/hook-network-manager (fedora)

Comment 9 Zdenek Pytela 2022-02-14 16:21:59 UTC
Summary of problems reported in 3 bzs:

1.
type=PROCTITLE msg=audit(02/11/2022 18:24:43.253:327) : proctitle=/usr/libexec/nm-dispatcher 
type=PATH msg=audit(02/11/2022 18:24:43.253:327) : item=0 name=/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/11/2022 18:24:43.253:327) : cwd=/ 
type=SYSCALL msg=audit(02/11/2022 18:24:43.253:327) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x560021c71530 a1=0x7ffd32b94050 a2=0x7ffd32b94050 a3=0x0 items=1 ppid=1 pid=5519 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nm-dispatcher exe=/usr/libexec/nm-dispatcher subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null) 
type=AVC msg=audit(02/11/2022 18:24:43.253:327) : avc:  denied  { read } for  pid=5519 comm=nm-dispatcher name=90-nm-cloud-setup.sh dev="vda2" ino=8503268 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=lnk_file permissive=0 
2.
type=USER_AVC msg=audit(1644707426.286:1415): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1644707426.286:1416): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
3.
PROCTITLE msg=audit(02/12/2022 18:10:26.298:1423) : proctitle=/bin/bash /usr/libexec/chrony-helper create-helper-directory
type=SYSCALL msg=audit(02/12/2022 18:10:26.298:1423) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x5 a1=TCGETS a2=0x7ffc7f2d6280 a3=0x0 items=0 ppid=60967 pid=60970 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chrony-helper exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)
type=AVC msg=audit(02/12/2022 18:10:26.298:1423) : avc:  denied  { ioctl } for  pid=60970 comm=chrony-helper path=/usr/libexec/chrony-helper dev="sdb5" ino=6979330917 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
4.
type=AVC msg=audit(02/12/2022 18:10:26.308:1430) : avc:  denied  { dac_read_search } for  pid=60976 comm=chronyc capability=dac_read_search  scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(02/12/2022 18:10:26.308:1430) : arch=x86_64 syscall=unlink success=no exit=ENOENT(No such file or directory) a0=0x561e48824140 a1=0x561e46b15dbd a2=0x0 a3=0x0 items=1 ppid=60975 pid=60976 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)
type=CWD msg=audit(02/12/2022 18:10:26.308:1430) : cwd=/
type=PATH msg=audit(02/12/2022 18:10:26.308:1430) : item=0 name=/run/chrony/ inode=33152 dev=00:18 mode=dir,750 ouid=unknown(995) ogid=pipewire rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
5.
type=PROCTITLE msg=audit(02/14/2022 15:43:11.965:31) : proctitle=/bin/sh /usr/lib/NetworkManager/dispatcher.d/04-iscsi none hostname
type=SYSCALL msg=audit(02/14/2022 15:43:11.965:31) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x4 a1=0x7fff81909930 a2=0x6e a3=0x0 items=0 ppid=1561 pid=1566 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=04-iscsi exe=/usr/bin/bash subj=system_u:system_r:NetworkManager_dispatcher_t:s0 key=(null)

List of plugins:
/etc/NetworkManager/dispatcher.d/cloud-init-azure-hook 
/usr/lib/NetworkManager/dispatcher.d/04-iscsi
/usr/lib/NetworkManager/dispatcher.d/11-dhclient
/usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
/usr/lib/NetworkManager/dispatcher.d/30-winbind
/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
/usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh
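The denials collected above are easier to reason about once they are reduced to (source type, target type, class, permissions) tuples, which is what audit2allow does before it prints candidate allow rules. The script below is an added example, not part of this bug or of the selinux-policy project: it parses raw AVC and USER_AVC records (the sample input is copied from comment 9), merges them into audit2allow-style rule lines, and separates the one denial that happened in enforcing mode (permissive=0, the real breakage) from those only observed in permissive mode. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Sample records copied from comment 9 of this bug (items 1 to 4).
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/11/2022 18:24:43.253:327) : avc:  denied  { read } for  pid=5519 comm=nm-dispatcher name=90-nm-cloud-setup.sh dev="vda2" ino=8503268 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_dispatcher_script_t:s0 tclass=lnk_file permissive=0
type=USER_AVC msg=audit(1644707426.286:1415): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1644707426.286:1416): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/iscsi.service" cmdline="" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:iscsi_unit_file_t:s0 tclass=service permissive=1  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(02/12/2022 18:10:26.298:1423) : avc:  denied  { ioctl } for  pid=60970 comm=chrony-helper path=/usr/libexec/chrony-helper dev="sdb5" ino=6979330917 ioctlcmd=TCGETS scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:chronyd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/12/2022 18:10:26.308:1430) : avc:  denied  { dac_read_search } for  pid=60976 comm=chronyc capability=dac_read_search  scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tclass=capability permissive=1
"""

# Matches the common core of AVC and USER_AVC records (USER_AVC embeds the
# same "avc: denied { ... }" text inside its msg='...' field).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc_records(text):
    """Parse raw or ausearch -i formatted audit lines into denial dicts."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm_m = re.search(r'comm="?([^\s"]+)"?', line)  # absent on USER_AVC
        records.append({
            "perms": set(m.group("perms").split()),
            "comm": comm_m.group(1) if comm_m else None,
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was actually blocked.
            "enforced": m.group("permissive") == "0",
        })
    return records


def summarize_rules(records):
    """Merge denials into the allow rules they would need, audit2allow style."""
    perms_by_key = defaultdict(set)
    for r in records:
        perms_by_key[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in perms_by_key.items()
    )


def enforced_denials(records):
    """Only the denials that broke something (logged with permissive=0)."""
    return [r for r in records if r["enforced"]]


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    print("Candidate rules:")
    for rule in summarize_rules(recs):
        print("  " + rule)
    print("Enforced denials:")
    for r in enforced_denials(recs):
        print(f"  {r['comm']}: {r['tclass']} {sorted(r['perms'])} on {r['target']}")
```

Two caveats when reading the output: a candidate rule is a starting point for a policy discussion, not something to load as-is, since denials such as the TCGETS ioctl on chronyd_exec_t or the dac_read_search capability are often better handled with a dontaudit rule than an allow rule; and only the lnk_file read denial in this set was logged with permissive=0, so it is the one that actually stopped a dispatcher script from running on an enforcing system.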

Comment 10 Zdenek Pytela 2022-02-14 16:22:15 UTC
*** Bug 2054228 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2022-02-14 16:22:22 UTC
*** Bug 2054291 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2022-02-14 16:23:57 UTC
This one appears in Fedora, but a reproducer is not known:
type=USER_AVC msg=audit(02/13/2022 02:04:59.729:5223) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=1  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'

Comment 13 Milos Malik 2022-02-15 15:23:00 UTC
*** Bug 2054728 has been marked as a duplicate of this bug. ***

Comment 14 Den Ivanov 2022-02-16 02:34:38 UTC
After the 16 Feb CentOS Stream 8 upgrade,
NetworkManager-dispatcher.service works with errors:
# systemctl status NetworkManager-dispatcher.service
● NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager-dispatcher.service; enabled; vendor preset: enabled)
   Active: inactive (dead)

Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:1 'hostname': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:1 'hostname', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/usr/lib/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:2 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:2 'connectivity-change', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/u>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:3 'pre-up' [ens3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/N>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:4 'up' [ens3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:4 'up' [ens3], "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/usr/lib/Net>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:5 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/Netw>
Feb 16 02:07:22 xxxxx.com nm-dispatcher[905]: req:5 'connectivity-change', "/usr/lib/NetworkManager/dispatcher.d/04-iscsi": complete: failed to execute script: Failed to execute child process “/u>
Feb 16 02:07:32 xxxxx.com systemd[1]: NetworkManager-dispatcher.service: Succeeded.

Comment 20 Zdenek Pytela 2022-03-01 18:38:59 UTC
This is the list of nm-dispatcher plugins and packages I managed to collect so far:

/etc/NetworkManager/dispatcher.d/11-dhclient
/etc/NetworkManager/dispatcher.d/20-chrony-dhcp
/etc/NetworkManager/dispatcher.d/20-chrony-onoffline
/etc/NetworkManager/dispatcher.d/90-console-login-helper-messages-gensnippet_if
/etc/NetworkManager/dispatcher.d/cloud-init-azure-hook
/etc/NetworkManager/dispatcher.d/hook-network-manager
/usr/lib/NetworkManager/dispatcher.d/04-iscsi
/usr/lib/NetworkManager/dispatcher.d/11-dhclient
/usr/lib/NetworkManager/dispatcher.d/20-chrony-dhcp
/usr/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
/usr/lib/NetworkManager/dispatcher.d/30-winbind
/usr/lib/NetworkManager/dispatcher.d/90-nm-cloud-setup.sh
/usr/lib/NetworkManager/dispatcher.d/no-wait.d/90-nm-cloud-setup.sh

chrony
cloud-init
console-login-helper-messages-issuegen
dhcp-client
iscsi-initiator-utils
NetworkManager-cloud-setup
samba-winbind

Comment 21 Zdenek Pytela 2022-04-29 16:15:52 UTC
Confining nm-dispatcher plugins will not be included in Red Hat Enterprise Linux 8 as there would be a non-negligible risk of regression. We will now close this issue, but if you believe that the decision needs to be reconsidered, feel free to reopen this bug and attach information regarding the severity of the bugzilla.
