Description of problem:
NetworkManager dispatcher scripts put in /etc/NetworkManager/dispatcher.d/* are not executed upon connectivity changes. There are "permission denied" errors in the journal but no AVC denials.

Version-Release number of selected component (if applicable):
NetworkManager-1.36.4-1.fc36.x86_64

How reproducible:
Always

Steps to Reproduce:
1. put a script in /etc/NetworkManager/dispatcher.d/pre-up.d/
2. nmcli c down aconnection ; nmcli c up aconnection
3. journalctl --no-hostname -u NetworkManager-dispatcher | tail

Actual results:
```
Mar 30 12:54:39 systemd[1]: Starting NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service...
Mar 30 12:54:39 systemd[1]: Started NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service.
Mar 30 12:54:39 nm-dispatcher[11916]: req:1 'pre-down' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-down.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-down.d”: Permission denied
Mar 30 12:54:39 nm-dispatcher[11916]: req:2 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:39 nm-dispatcher[11916]: req:3 'down' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:4 'dhcp4-change' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:5 'pre-up' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-up.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:6 'up' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:7 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:52 systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
```

Expected results:
Scripts get executed without errors.

Additional info:
```
ls -lZ /etc/NetworkManager/dispatcher.d/pre-up.d/
total 4
-rwxrwxrwx. 584 root root unconfined_u:object_r:NetworkManager_dispatcher_script_t:s0 14 Mar 30 12:48 example-script
```

Example script:
```
#!/bin/bash
# NetworkManager invokes dispatcher scripts with the interface as $1 and the
# action (e.g. pre-up, up, down) as $2; connection details arrive via the
# environment (IP4_GATEWAY, DEVICE_IP_IFACE, ...).
if [[ "$2" == "pre-up" ]]; then
    ip route add 10.0.0.0/24 via "$IP4_GATEWAY" dev "$DEVICE_IP_IFACE"
fi
```
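The failure pattern in this report (a confined service getting EACCES on a directory, every dispatcher action affected, and no AVC record in the journal even though disabling SELinux makes the problem go away) is worth being able to recognise from logs alone. The following triage helper is an added example written for this thread; it is not code from the report, from NetworkManager, or from selinux-policy. It parses `nm-dispatcher` "find-scripts" journal lines, groups the failing directories by dispatcher action, counts kernel AVC records in the same journal slice, and checks the SELinux type on the script from an `ls -lZ` line. The journal lines and the `ls -lZ` line embedded below are constructed samples modelled on what the report quotes (the link count is assumed to be 1); the expected type `NetworkManager_dispatcher_script_t` is taken from the report's `ls -lZ` output.

```python
"""Triage helper for nm-dispatcher "find-scripts" failures (added example).

Not code from the bug report, NetworkManager, or selinux-policy. Sample input
is constructed from the lines the report quotes.
"""
import re
from collections import defaultdict

# Type label the report shows on the dispatcher script (from `ls -lZ`).
EXPECTED_SCRIPT_TYPE = "NetworkManager_dispatcher_script_t"

# Constructed sample journal output modelled on the report's "Actual results".
SAMPLE_JOURNAL = """\
Mar 30 12:54:39 systemd[1]: Started NetworkManager-dispatcher.service - Network Manager Script Dispatcher Service.
Mar 30 12:54:39 nm-dispatcher[11916]: req:1 'pre-down' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-down.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-down.d”: Permission denied
Mar 30 12:54:39 nm-dispatcher[11916]: req:2 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:5 'pre-up' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-up.d”: Permission denied
Mar 30 12:54:42 nm-dispatcher[11916]: req:6 'up' [wlp0s20f3]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 12:54:52 systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
"""

# Constructed sample `ls -lZ` line for the example script (link count assumed).
SAMPLE_LS_Z = ("-rwxrwxrwx. 1 root root "
               "unconfined_u:object_r:NetworkManager_dispatcher_script_t:s0 "
               "14 Mar 30 12:48 example-script")

# One nm-dispatcher "find-scripts" failure line; the interface is optional
# (connectivity-change and hostname events carry none).
FIND_SCRIPTS_RE = re.compile(
    r"nm-dispatcher\[(?P<pid>\d+)\]: req:(?P<req>\d+) '(?P<action>[^']+)'"
    r"(?: \[(?P<iface>[^\]]+)\])?: find-scripts: "
    r"Failed to open dispatcher directory '(?P<directory>[^']+)': "
    r".*: (?P<reason>[^:]+)$"
)
# Kernel AVC records as they appear in the journal / audit log.
AVC_RE = re.compile(r"\bavc:\s+denied\b")


def parse_find_scripts_failures(journal_text):
    """Return one dict per nm-dispatcher line that failed to open a scripts dir."""
    events = []
    for line in journal_text.splitlines():
        m = FIND_SCRIPTS_RE.search(line.rstrip())
        if m:
            ev = m.groupdict()
            ev["req"] = int(ev["req"])
            events.append(ev)
    return events


def directories_by_action(events):
    """Map each failing directory to the sorted list of dispatcher actions that hit it."""
    table = defaultdict(set)
    for ev in events:
        table[ev["directory"]].add(ev["action"])
    return {d: sorted(a) for d, a in sorted(table.items())}


def count_avc_denials(journal_text):
    """Number of kernel AVC denial records in the journal slice."""
    return sum(1 for line in journal_text.splitlines() if AVC_RE.search(line))


def parse_selinux_context(ls_lz_line):
    """Split the context column of an `ls -lZ` line into user, role, type, level."""
    fields = ls_lz_line.split()
    # ls -lZ columns: mode, links, owner, group, context, size, month, day, time, name
    user, role, type_, level = fields[4].split(":", 3)  # an MLS level may itself contain ':'
    return {"user": user, "role": role, "type": type_, "level": level, "name": fields[-1]}


def triage(journal_text, ls_lz_line):
    """Summarise the failure pattern the report describes."""
    events = parse_find_scripts_failures(journal_text)
    avc = count_avc_denials(journal_text)
    ctx = parse_selinux_context(ls_lz_line)
    return {
        "failures": len(events),
        "directories": directories_by_action(events),
        "all_permission_denied": bool(events) and all(e["reason"] == "Permission denied" for e in events),
        "avc_denials": avc,
        # EACCES from a confined service with no AVC record is the usual signature
        # of a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit
        # disabled so the denial shows up in ausearch (`semodule -B` restores it).
        "silent_denial_suspected": bool(events) and avc == 0,
        "script_type_ok": ctx["type"] == EXPECTED_SCRIPT_TYPE,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_JOURNAL, SAMPLE_LS_Z), indent=2))
```

Run against a real system, feed it `journalctl -u NetworkManager-dispatcher` output plus `ls -lZ` of the script; `silent_denial_suspected` being true with `script_type_ok` also true is exactly the situation in this report, where the script label is fine and the denial is hidden, so the next step is collecting audit records with dontaudit disabled rather than relabelling the script.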
Yeah, it's strange that no AVC denials are printed, because disabling SELinux restores the functionality of dispatcher scripts. Reassigning to SELinux policy for investigation. Possibly related: https://github.com/fedora-selinux/selinux-policy/pull/977
It's a dup of bz2065940, but I still struggle with a full reproducer.

*** This bug has been marked as a duplicate of bug 2065940 ***
(In reply to Zdenek Pytela from comment #2)
> It's a dup of bz2065940, but I still struggle with a full reproducer.

I can reproduce very easily by just booting a rawhide or F36 VM. I'm using vagrant (see https://bugzilla.redhat.com/show_bug.cgi?id=2065940#c8), but it should happen anywhere.
(In reply to Dusty Mabe from comment #3)
> (In reply to Zdenek Pytela from comment #2)
> > It's a dup of bz2065940, but I still struggle with a full reproducer.
>
> I can reproduce very easily by just booting a rawhide or F36 VM. I'm using
> vagrant (see https://bugzilla.redhat.com/show_bug.cgi?id=2065940#c8), but it
> should happen anywhere.

I fired up a few dozen VMs (F36 and rawhide) in the past few weeks, and what I could reproduce is already in the policy. I still cannot see the last reported problems. I need either reproducing steps or audit records with full auditing.
Maybe we're talking past each other a bit and not fully understanding. When I say I can reproduce I mean exactly this (from a just booted Fedora 36 beta vagrant box):

```
[dustymabe@media f36beta]$ vagrant up
Bringing machine 'vanilla-f36-beta' up with 'libvirt' provider...
==> vanilla-f36-beta: Checking if box 'fedora/36-beta-cloud-base' version '36.20220328.0' is up to date...
==> vanilla-f36-beta: Creating image (snapshot of base box volume).
==> vanilla-f36-beta: Creating domain with the following settings...
==> vanilla-f36-beta:  -- Name:              f36beta_vanilla-f36-beta
==> vanilla-f36-beta:  -- Domain type:       kvm
==> vanilla-f36-beta:  -- Cpus:              4
==> vanilla-f36-beta:  -- Feature:           acpi
==> vanilla-f36-beta:  -- Feature:           apic
==> vanilla-f36-beta:  -- Feature:           pae
==> vanilla-f36-beta:  -- Clock offset:      utc
==> vanilla-f36-beta:  -- Memory:            4096M
==> vanilla-f36-beta:  -- Management MAC:
==> vanilla-f36-beta:  -- Loader:
==> vanilla-f36-beta:  -- Nvram:
==> vanilla-f36-beta:  -- Base box:          fedora/36-beta-cloud-base
==> vanilla-f36-beta:  -- Storage pool:      default
==> vanilla-f36-beta:  -- Image:             /home/dustymabe/.local/share/libvirt/images/f36beta_vanilla-f36-beta.img (41G)
==> vanilla-f36-beta:  -- Disk driver opts:  cache='default'
==> vanilla-f36-beta:  -- Kernel:
==> vanilla-f36-beta:  -- Initrd:
==> vanilla-f36-beta:  -- Graphics Type:     vnc
==> vanilla-f36-beta:  -- Graphics Port:     -1
==> vanilla-f36-beta:  -- Graphics IP:       127.0.0.1
==> vanilla-f36-beta:  -- Graphics Password: Not defined
==> vanilla-f36-beta:  -- Video Type:        cirrus
==> vanilla-f36-beta:  -- Video VRAM:        9216
==> vanilla-f36-beta:  -- Sound Type:
==> vanilla-f36-beta:  -- Keymap:            en-us
==> vanilla-f36-beta:  -- TPM Backend:       passthrough
==> vanilla-f36-beta:  -- TPM Path:
==> vanilla-f36-beta:  -- INPUT:             type=mouse, bus=ps2
==> vanilla-f36-beta: Creating shared folders metadata...
==> vanilla-f36-beta: Starting domain.
==> vanilla-f36-beta: Waiting for domain to get an IP address...
==> vanilla-f36-beta: Waiting for SSH to become available...
    vanilla-f36-beta:
    vanilla-f36-beta: Vagrant insecure key detected. Vagrant will automatically replace
    vanilla-f36-beta: this with a newly generated keypair for better security.
    vanilla-f36-beta:
    vanilla-f36-beta: Inserting generated public key within guest...
    vanilla-f36-beta: Removing insecure key from the guest if it's present...
    vanilla-f36-beta: Key inserted! Disconnecting and reconnecting using new SSH key...
==> vanilla-f36-beta: Setting hostname...
==> vanilla-f36-beta: Rsyncing folder: /var/b/shared/code/github.com/dustymabe/vagrantdirs/vanilla/f36beta/ => /vagrant
==> vanilla-f36-beta: Mounting SSHFS shared folder...
==> vanilla-f36-beta: Mounting folder via SSHFS: /var/b/shared => /var/b/shared
==> vanilla-f36-beta: Checking Mount..
==> vanilla-f36-beta: Folder Successfully Mounted!
[dustymabe@media f36beta]$
[dustymabe@media f36beta]$ vagrant ssh
[vagrant@vanilla-f36-beta ~]$ journalctl | grep denied
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
[vagrant@vanilla-f36-beta ~]$ sudo journalctl | grep denied
Mar 30 16:04:50 fedora nm-dispatcher[703]: req:1 'hostname': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:50 fedora nm-dispatcher[703]: req:2 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:53 fedora nm-dispatcher[703]: req:3 'dhcp4-change' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:53 fedora nm-dispatcher[703]: req:4 'pre-up' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-up.d”: Permission denied
Mar 30 16:04:53 fedora nm-dispatcher[703]: req:5 'up' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:53 fedora nm-dispatcher[703]: req:6 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:7 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:8 'hostname': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:9 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:10 'dhcp4-change' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:11 'pre-up' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d/pre-up.d': Error opening directory “/etc/NetworkManager/dispatcher.d/pre-up.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:12 'up' [eth0]: find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
Mar 30 16:04:58 vanilla-f36-beta nm-dispatcher[703]: req:13 'connectivity-change': find-scripts: Failed to open dispatcher directory '/etc/NetworkManager/dispatcher.d': Error opening directory “/etc/NetworkManager/dispatcher.d”: Permission denied
```
Hey Zdenek, does my previous comment clearly illustrate the failure? Anything else I can do to explain? Maybe we can screen share?
(In reply to Dusty Mabe from comment #6)
> Hey Zdenek, does my previous comment clearly illustrate the failure?
> Anything else I can do to explain? Maybe we can screen share?

I believe the latest build addresses these problems. What I still miss is a simple reproducer for each plugin usage, but as long as all plugins work now, I may not need it much.