Bug 2080043 - NetworkManager dispatcher script unable to write /etc issue due to SELinux
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-04-28 19:42 UTC by Aashish Radhakrishnan
Modified: 2022-09-22 01:17 UTC (History)

Fixed In Version: selinux-policy-36.13-3.fc36 selinux-policy-36.15-1.fc36
Last Closed: 2022-09-22 01:17:17 UTC
Type: Bug

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 1271 | 0 | None | open | Allow nm-dispatcher console plugin setfscreate | 2022-07-08 07:47:09 UTC
Github | fedora-selinux selinux-policy pull 1385 | 0 | None | Merged | F36 nm disp console | 2022-09-12 14:25:46 UTC

Description Aashish Radhakrishnan 2022-04-28 19:42:40 UTC
Description of problem:
The NetworkManager dispatcher script is unable to create files in /etc/issue.d


Version-Release number of selected component (if applicable):
Fedora CoreOS version: 36.20220426.10.4
selinux-policy-36.8-1.fc36.noarch


How reproducible:
Always


Steps to Reproduce:
1. Download FCOS QEMU image from  - https://builds.coreos.fedoraproject.org/prod/streams/next-devel/builds/36.20220426.10.4/x86_64/fedora-coreos-36.20220426.10.4-qemu.x86_64.qcow2.xz
2. unxz fedora-coreos-36.20220426.10.4-qemu.x86_64.qcow2.xz
3. Use virt-install or qemu to run the VM :- 
   - https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-libvirt/
   - https://docs.fedoraproject.org/en-US/fedora-coreos/provisioning-qemu/


Actual results:
The NetworkManager dispatcher script is unable to create files in /etc/issue.d due to SELinux violations.

Expected results:
The NetworkManager dispatcher is able to create the files.


Additional info:
System details
QEMU



Set enforcing=0 on the kernel command line:

```
[core@localhost ~]$ journalctl -b 0 | grep -i avc
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { search } for  pid=1108 comm="mv" name="contexts" dev="sda4" ino=861790 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { search } for  pid=1108 comm="mv" name="files" dev="sda4" ino=1076837 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { read } for  pid=1108 comm="mv" name="file_contexts.subs_dist" dev="sda4" ino=1076844 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { open } for  pid=1108 comm="mv" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda4" ino=1076844 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { getattr } for  pid=1108 comm="mv" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="sda4" ino=1076844 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { map } for  pid=1108 comm="mv" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="sda4" ino=1076839 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { read } for  pid=1108 comm="mv" name="perms" dev="selinuxfs" ino=67113331 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { write } for  pid=1108 comm="mv" name="create" dev="selinuxfs" ino=7 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { compute_create } for  pid=1108 comm="mv" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { setfscreate } for  pid=1108 comm="mv" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { write } for  pid=1108 comm="mv" name="issue.d" dev="sda4" ino=28311919 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { add_name } for  pid=1108 comm="mv" name="22_clhm_ens2.issue" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { create } for  pid=1108 comm="mv" name="22_clhm_ens2.issue" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { write } for  pid=1108 comm="mv" path="/etc/issue.d/22_clhm_ens2.issue" dev="sda4" ino=28311989 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Apr 28 20:41:33 localhost.localdomain audit[1108]: AVC avc:  denied  { setattr } for  pid=1108 comm="mv" name="22_clhm_ens2.issue" dev="sda4" ino=28311989 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
```


There are more denials in the link - https://github.com/coreos/fedora-coreos-tracker/issues/1153#issuecomment-1110197775

Comment 1 Dusty Mabe 2022-04-29 02:06:16 UTC
Note that this is a followup to the previous bug (https://bugzilla.redhat.com/show_bug.cgi?id=2065940). Once that one got fixed we could see there was another problem.

In this case there are a few pieces:

- an NM dispatcher script
    - https://github.com/coreos/console-login-helper-messages/blob/main/etc/NetworkManager/dispatcher.d/90-console-login-helper-messages-gensnippet_if

- that calls a bash script 
    - https://github.com/coreos/console-login-helper-messages/blob/main/usr/libexec/console-login-helper-messages/gensnippet_if

that creates some files in /etc/issue.d/ to be shown on the console.

Comment 2 Dusty Mabe 2022-04-29 13:18:30 UTC
I think this is probably a plea from us to ask for help developing proper SELinux contexts to set for the dispatcher we wrote (now that they are confined). 

Zdenek, what's the best way to go about doing that?

Comment 3 Travis Suel 2022-05-16 23:27:43 UTC
I'm having a similar issue with SELinux blocking my dispatcher script, although its function is different. I wasn't sure if I should make a new bug or not, so I erred on the side of not creating duplicates. But, if I should make a new bug, please let me know.

My script is unable to modify firewalld rules or access network interfaces. When connecting to a Wireguard VPN, the script sets up rules to ensure traffic only travels over the VPN (i.e., a killswitch, but using the firewall). It uses the wg command (in a readonly fashion) to get relevant information about the VPN connection as well as firewall-cmd to then set the rules. Both aspects are blocked by SELinux.

I can overcome the firewalld issue using audit2allow and semodule to modify my local SELinux policy, but access to the network interface is still denied and further attempts to use audit2allow result in "Nothing to do." But, if I set SELinux to permissive, everything works as expected. I've even gone so far as just blanking out audit.log (e.g., '> /var/log/audit/audit.log'), setting SELinux to permissive, performing the connection, and then just dumping all of audit.log into audit2allow to make sure I'm not missing anything by grepping audit.log, but the dispatcher is still denied access to the network interface when setting SELinux back to enforcing.

Would SELinux booleans be a feasible approach to make certain common dispatcher use cases relatively painless to enable? I know hardly anything about implementing SELinux contexts or booleans, so I'm not sure how practical such an idea is, but something along the lines of:

NM_dispatcher_can_modify_firewall_rules
NM_dispatcher_can_read_network_state
NM_dispatcher_can_alter_network_state
NM_dispatcher_can_write_configs

Enumerating all the "common" use cases might be difficult and/or contentious.

Comment 4 Zdenek Pytela 2022-05-19 17:33:10 UTC
The current state is that all plugins have a private SELinux type and their own policy; unknown plugins are executed in permissive mode, which probably is not the final solution.

The latest selinux-policy update is expected to fix most of the known problems; this one remains as an exception.

Comment 5 Dusty Mabe 2022-07-07 21:50:23 UTC
OK. I'm testing a development build that includes https://github.com/coreos/console-login-helper-messages/pull/110#pullrequestreview-1032197984

Things still don't 100% work, but with enforcing=0 they do work and this is the only denial in my log:

```
$ journalctl | grep denied
Jul 07 21:46:09 cosa-devsh audit[1556]: AVC avc:  denied  { setfscreate } for  pid=1556 comm="mv" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
```

Comment 6 Dusty Mabe 2022-07-07 21:51:17 UTC
Zdenek, What are the next steps? Another upstream change in console-login-helper-messages or some change needed in the policy?

Comment 7 Zdenek Pytela 2022-07-08 07:47:10 UTC
(In reply to Dusty Mabe from comment #6)
> Zdenek, What are the next steps? Another upstream change in
> console-login-helper-messages or some change needed in the policy?
Dusty,

I've already made the needed policy changes in advance, this one did not pop up, so adding now.

You can try a new scratchbuild here:
https://github.com/fedora-selinux/selinux-policy/pull/1271
Checks -> Details -> Artifacts -> rpms

Comment 8 Dusty Mabe 2022-07-08 13:42:12 UTC
Ok. With that RPM I still don't get success :(

- First try. It doesn't work. No denials in logs.
- Second try with enforcing=0. It works! Still no denials in the logs.
    - This is the point last time in comment#5 that I found the one setfscreate denial


After that I disabled dontaudit rules (`semodule -DB`). Now when I cycle the connection with `nmcli c down Wired\ connection\ 1` and then `nmcli c up Wired\ connection\ 1` I see this:

```
# journalctl -b0 --since='1 minutes ago' | grep denied
Jul 08 13:39:42 cosa-devsh audit[1243]: AVC avc:  denied  { noatsecure } for  pid=1243 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh audit[1243]: AVC avc:  denied  { read write } for  pid=1243 comm="90-nm-cloud-set" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:42 cosa-devsh kernel: audit: type=1400 audit(1657287582.964:285): avc:  denied  { noatsecure } for  pid=1243 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh kernel: audit: type=1400 audit(1657287582.964:285): avc:  denied  { read write } for  pid=1243 comm="90-nm-cloud-set" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permiss1
Jul 08 13:39:42 cosa-devsh audit[1243]: AVC avc:  denied  { rlimitinh } for  pid=1243 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh kernel: audit: type=1400 audit(1657287582.964:285): avc:  denied  { rlimitinh } for  pid=1243 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh kernel: audit: type=1400 audit(1657287582.964:285): avc:  denied  { siginh } for  pid=1243 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh audit[1243]: AVC avc:  denied  { siginh } for  pid=1243 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh audit[1244]: AVC avc:  denied  { read write } for  pid=1244 comm="04-iscsi" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:42 cosa-devsh audit[1245]: AVC avc:  denied  { noatsecure } for  pid=1245 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh audit[1245]: AVC avc:  denied  { read write } for  pid=1245 comm="20-chrony-dhcp" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:42 cosa-devsh audit[1245]: AVC avc:  denied  { rlimitinh } for  pid=1245 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh audit[1245]: AVC avc:  denied  { siginh } for  pid=1245 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1248]: AVC avc:  denied  { noatsecure } for  pid=1248 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1248]: AVC avc:  denied  { rlimitinh } for  pid=1248 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1248]: AVC avc:  denied  { siginh } for  pid=1248 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { noatsecure } for  pid=1249 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { rlimitinh } for  pid=1249 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { siginh } for  pid=1249 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { search } for  pid=1249 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=694722 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=1
Jul 08 13:39:43 cosa-devsh audit[1250]: AVC avc:  denied  { read write } for  pid=1250 comm="90-nm-cloud-set" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:43 cosa-devsh audit[1252]: AVC avc:  denied  { read write } for  pid=1252 comm="04-iscsi" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:43 cosa-devsh audit[1253]: AVC avc:  denied  { read write } for  pid=1253 comm="20-chrony-dhcp" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:43 cosa-devsh audit[1257]: AVC avc:  denied  { read write } for  pid=1257 comm="90-console-logi" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { remove_name } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { unlink } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Jul 08 13:39:43 cosa-devsh audit[1262]: AVC avc:  denied  { noatsecure } for  pid=1262 comm="gensnippet_if" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1262]: AVC avc:  denied  { rlimitinh } for  pid=1262 comm="agetty" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1262]: AVC avc:  denied  { siginh } for  pid=1262 comm="agetty" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1263]: AVC avc:  denied  { noatsecure } for  pid=1263 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1263]: AVC avc:  denied  { rlimitinh } for  pid=1263 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1263]: AVC avc:  denied  { siginh } for  pid=1263 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1264]: AVC avc:  denied  { noatsecure } for  pid=1264 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1264]: AVC avc:  denied  { rlimitinh } for  pid=1264 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1264]: AVC avc:  denied  { siginh } for  pid=1264 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1265]: AVC avc:  denied  { noatsecure } for  pid=1265 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1265]: AVC avc:  denied  { rlimitinh } for  pid=1265 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1265]: AVC avc:  denied  { siginh } for  pid=1265 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1268]: AVC avc:  denied  { noatsecure } for  pid=1268 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1268]: AVC avc:  denied  { rlimitinh } for  pid=1268 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:43 localhost.localdomain audit[1268]: AVC avc:  denied  { siginh } for  pid=1268 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1274]: AVC avc:  denied  { net_admin } for  pid=1274 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=capability permissive=1
Jul 08 13:39:47 cosa-devsh audit[1283]: AVC avc:  denied  { noatsecure } for  pid=1283 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1283]: AVC avc:  denied  { rlimitinh } for  pid=1283 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1283]: AVC avc:  denied  { siginh } for  pid=1283 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1292]: AVC avc:  denied  { net_admin } for  pid=1292 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=capability permissive=1
Jul 08 13:39:47 cosa-devsh audit[1309]: AVC avc:  denied  { noatsecure } for  pid=1309 comm="gensnippet_if" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1309]: AVC avc:  denied  { rlimitinh } for  pid=1309 comm="restorecon" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1309]: AVC avc:  denied  { siginh } for  pid=1309 comm="restorecon" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1310]: AVC avc:  denied  { noatsecure } for  pid=1310 comm="gensnippet_if" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1310]: AVC avc:  denied  { rlimitinh } for  pid=1310 comm="agetty" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:47 cosa-devsh audit[1310]: AVC avc:  denied  { siginh } for  pid=1310 comm="agetty" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1

```

I'm sure there is a bunch of stuff in there that doesn't matter (i.e. they are dontaudit for a reason), but one of them is causing this to still not work.

Comment 9 Zdenek Pytela 2022-07-08 14:31:22 UTC
I see these two:
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { search } for  pid=1249 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=694722 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=1

Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { remove_name } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { unlink } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

The former one is clear, the latter a bit troublesome, but I currently can't see any other way out.

Please try the new build once it is created.
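
Added example, not part of the bug thread or of selinux-policy: a Python triage of log lines copied from comment 8, which drops journald/kernel duplicates and separates the denials that `semodule -DB` merely unmasked from the ones comment 9 singles out. The noise heuristics (`TRANSITION_NOISE` and the inherited `init_t` socket rule) and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from comment 8; the second is the kernel's copy of the first event.
SAMPLE = r'''
Jul 08 13:39:42 cosa-devsh audit[1243]: AVC avc:  denied  { noatsecure } for  pid=1243 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:42 cosa-devsh kernel: audit: type=1400 audit(1657287582.964:285): avc:  denied  { noatsecure } for  pid=1243 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1249]: AVC avc:  denied  { search } for  pid=1249 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=694722 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=1
Jul 08 13:39:43 cosa-devsh audit[1257]: AVC avc:  denied  { read write } for  pid=1257 comm="90-console-logi" path="socket:[21007]" dev="sockfs" ino=21007 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { remove_name } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Jul 08 13:39:43 cosa-devsh audit[1261]: AVC avc:  denied  { unlink } for  pid=1261 comm="rm" name="22_clhm_ens6.issue" dev="vda4" ino=1388266 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Jul 08 13:39:43 cosa-devsh audit[1262]: AVC avc:  denied  { noatsecure } for  pid=1262 comm="gensnippet_if" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
Jul 08 13:39:43 cosa-devsh audit[1262]: AVC avc:  denied  { rlimitinh } for  pid=1262 comm="agetty" scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process permissive=1
'''.strip().splitlines()

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: process permissions checked on every domain
# transition, which policies usually hide with dontaudit rules.
TRANSITION_NOISE = {"noatsecure", "rlimitinh", "siginh"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one journal line into a denial record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # line cut off before the contexts; nothing to triage
    return {
        "perms": frozenset(m.group(1).split()),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name") or "",
    }


def is_noise(rec):
    """Heuristic (assumption): denials that only appear once dontaudit is off."""
    if rec["tclass"] == "process" and rec["perms"] <= TRANSITION_NOISE:
        return True
    # Descriptor inherited from init, not something the script opened itself.
    return (rec["tclass"] == "unix_stream_socket" and rec["target"] == "init_t"
            and rec["object"].startswith("socket:"))


def triage(lines, source_type):
    """Return ({(target_type, class): perms}, noise_count) for one source domain."""
    actionable = defaultdict(set)
    seen, noise = set(), 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["source"] != source_type:
            continue
        key = (rec["comm"], rec["perms"], rec["target"], rec["tclass"], rec["object"])
        if key in seen:  # same event logged by both auditd and the kernel
            continue
        seen.add(key)
        if is_noise(rec):
            noise += 1
        else:
            actionable[(rec["target"], rec["tclass"])].update(rec["perms"])
    return dict(actionable), noise


def as_rules(source_type, actionable):
    """Render the remaining denials in allow-rule form, as a summary for review."""
    return [
        f"allow {source_type} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (target, tclass), perms in sorted(actionable.items())
    ]


if __name__ == "__main__":
    domain = "NetworkManager_dispatcher_console_t"
    rules, skipped = triage(SAMPLE, domain)
    print("\n".join(as_rules(domain, rules)))
    print(f"# {skipped} distinct dontaudit-style denials skipped")
```
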

Comment 10 Dusty Mabe 2022-07-08 14:47:43 UTC
Maybe the latter is related to https://github.com/coreos/console-login-helper-messages/blob/8b8ab20551a5a54216963bc858e9ca5c007ea738/usr/libexec/console-login-helper-messages/gensnippet_if#L71 which deletes the file when an interface is brought down?

Comment 11 Zdenek Pytela 2022-07-08 14:52:20 UTC
(In reply to Dusty Mabe from comment #10)
> Maybe the latter is related to
> https://github.com/coreos/console-login-helper-messages/blob/8b8ab20551a5a54216963bc858e9ca5c007ea738/usr/libexec/console-login-helper-messages/gensnippet_if#L71
> which deletes the file when an interface is brought down?

Yes, previously only creating the files was allowed.

Comment 12 Dusty Mabe 2022-07-08 15:09:38 UTC
With the new changes in https://github.com/fedora-selinux/selinux-policy/pull/1271 it works!

Comment 13 Fedora Update System 2022-07-15 14:42:10 UTC
FEDORA-2022-320775eb9a has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

Comment 14 Fedora Update System 2022-07-16 01:12:36 UTC
FEDORA-2022-320775eb9a has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-320775eb9a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 15 Fedora Update System 2022-08-04 02:41:39 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-139ec288ca`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-139ec288ca

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2022-08-05 01:34:20 UTC
FEDORA-2022-139ec288ca has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Dusty Mabe 2022-08-17 13:27:26 UTC
I'm going to re-open this because I'm still seeing some denials (with dontaudit with semodule -DB) when trying to run the CLHM scriptlet. This is with 

```
$ rpm -q console-login-helper-messages selinux-policy-targeted
console-login-helper-messages-0.21.3-1.fc36.noarch
selinux-policy-targeted-36.13-3.fc36.noarch
```

Here are the denials I'm seeing:


```
Aug 17 13:22:08 tutorial audit[1589]: AVC avc:  denied  { siginh } for  pid=1589 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0
Aug 17 13:22:08 tutorial audit[1591]: AVC avc:  denied  { noatsecure } for  pid=1591 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                         
Aug 17 13:22:08 tutorial audit[1591]: AVC avc:  denied  { read write } for  pid=1591 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                    
Aug 17 13:22:08 tutorial audit[1591]: AVC avc:  denied  { read write } for  pid=1591 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                    
Aug 17 13:22:08 tutorial audit[1591]: AVC avc:  denied  { rlimitinh } for  pid=1591 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                        
Aug 17 13:22:08 tutorial audit[1591]: AVC avc:  denied  { siginh } for  pid=1591 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                           
Aug 17 13:22:08 tutorial audit[1592]: AVC avc:  denied  { noatsecure } for  pid=1592 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                                         
Aug 17 13:22:08 tutorial audit[1592]: AVC avc:  denied  { rlimitinh } for  pid=1592 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                                                  
Aug 17 13:22:08 tutorial audit[1592]: AVC avc:  denied  { siginh } for  pid=1592 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                                                                                                                                                                                     
Aug 17 13:22:08 tutorial audit[1593]: AVC avc:  denied  { noatsecure } for  pid=1593 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                                                                                                                                                                                           
Aug 17 13:22:08 tutorial audit[1593]: AVC avc:  denied  { read write } for  pid=1593 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                      
Aug 17 13:22:08 tutorial audit[1593]: AVC avc:  denied  { read write } for  pid=1593 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                      
Aug 17 13:22:08 tutorial audit[1593]: AVC avc:  denied  { rlimitinh } for  pid=1593 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:08 tutorial audit[1593]: AVC avc:  denied  { siginh } for  pid=1593 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                               
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { noatsecure } for  pid=1594 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                                                                                                                                                                                         
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { read write } for  pid=1594 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                    
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { read write } for  pid=1594 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                                                                                                                                                                                    
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { rlimitinh } for  pid=1594 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                                                                                                                                                                                        
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { siginh } for  pid=1594 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                                                                                                                                                                                           
Aug 17 13:22:08 tutorial audit[1594]: AVC avc:  denied  { search } for  pid=1594 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0                                                                                                                                                                                          
Aug 17 13:22:08 tutorial audit[1595]: AVC avc:  denied  { noatsecure } for  pid=1595 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:08 tutorial audit[1595]: AVC avc:  denied  { read write } for  pid=1595 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0        
Aug 17 13:22:08 tutorial audit[1595]: AVC avc:  denied  { read write } for  pid=1595 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0                              
Aug 17 13:22:08 tutorial audit[1595]: AVC avc:  denied  { rlimitinh } for  pid=1595 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                  
Aug 17 13:22:08 tutorial audit[1595]: AVC avc:  denied  { siginh } for  pid=1595 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                     
Aug 17 13:22:08 tutorial audit[1596]: AVC avc:  denied  { noatsecure } for  pid=1596 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:08 tutorial audit[1596]: AVC avc:  denied  { read write } for  pid=1596 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1596]: AVC avc:  denied  { read write } for  pid=1596 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1596]: AVC avc:  denied  { rlimitinh } for  pid=1596 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:08 tutorial audit[1596]: AVC avc:  denied  { siginh } for  pid=1596 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                              
Aug 17 13:22:08 tutorial audit[1598]: AVC avc:  denied  { noatsecure } for  pid=1598 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:08 tutorial audit[1598]: AVC avc:  denied  { read write } for  pid=1598 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1598]: AVC avc:  denied  { read write } for  pid=1598 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1598]: AVC avc:  denied  { rlimitinh } for  pid=1598 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:08 tutorial audit[1598]: AVC avc:  denied  { siginh } for  pid=1598 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:08 tutorial audit[1599]: AVC avc:  denied  { noatsecure } for  pid=1599 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                           
Aug 17 13:22:08 tutorial audit[1599]: AVC avc:  denied  { rlimitinh } for  pid=1599 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                    
Aug 17 13:22:08 tutorial audit[1599]: AVC avc:  denied  { siginh } for  pid=1599 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                       
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { noatsecure } for  pid=1600 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { read write } for  pid=1600 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { read write } for  pid=1600 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { rlimitinh } for  pid=1600 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { siginh } for  pid=1600 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:08 tutorial audit[1600]: AVC avc:  denied  { search } for  pid=1600 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0
Aug 17 13:22:13 tutorial audit[1606]: AVC avc:  denied  { noatsecure } for  pid=1606 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1606]: AVC avc:  denied  { read write } for  pid=1606 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1606]: AVC avc:  denied  { read write } for  pid=1606 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1606]: AVC avc:  denied  { rlimitinh } for  pid=1606 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1606]: AVC avc:  denied  { siginh } for  pid=1606 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                               
Aug 17 13:22:13 tutorial audit[1607]: AVC avc:  denied  { net_admin } for  pid=1607 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1607]: AVC avc:  denied  { net_admin } for  pid=1607 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1608]: AVC avc:  denied  { noatsecure } for  pid=1608 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1608]: AVC avc:  denied  { read write } for  pid=1608 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1608]: AVC avc:  denied  { read write } for  pid=1608 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1608]: AVC avc:  denied  { rlimitinh } for  pid=1608 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1608]: AVC avc:  denied  { siginh } for  pid=1608 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                               
Aug 17 13:22:13 tutorial audit[1609]: AVC avc:  denied  { noatsecure } for  pid=1609 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1609]: AVC avc:  denied  { read write } for  pid=1609 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1609]: AVC avc:  denied  { read write } for  pid=1609 comm="90-nm-cloud-set" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1609]: AVC avc:  denied  { rlimitinh } for  pid=1609 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1609]: AVC avc:  denied  { siginh } for  pid=1609 comm="90-nm-cloud-set" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=process permissive=0                                                               
Aug 17 13:22:13 tutorial audit[1611]: AVC avc:  denied  { noatsecure } for  pid=1611 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1611]: AVC avc:  denied  { read write } for  pid=1611 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1611]: AVC avc:  denied  { read write } for  pid=1611 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1611]: AVC avc:  denied  { rlimitinh } for  pid=1611 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                  
Aug 17 13:22:13 tutorial audit[1611]: AVC avc:  denied  { siginh } for  pid=1611 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                     
Aug 17 13:22:13 tutorial audit[1612]: AVC avc:  denied  { noatsecure } for  pid=1612 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1612]: AVC avc:  denied  { read write } for  pid=1612 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1612]: AVC avc:  denied  { read write } for  pid=1612 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1612]: AVC avc:  denied  { rlimitinh } for  pid=1612 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1612]: AVC avc:  denied  { siginh } for  pid=1612 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                              
Aug 17 13:22:13 tutorial audit[1610]: AVC avc:  denied  { net_admin } for  pid=1610 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1610]: AVC avc:  denied  { net_admin } for  pid=1610 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_cloud_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1615]: AVC avc:  denied  { noatsecure } for  pid=1615 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                            
Aug 17 13:22:13 tutorial audit[1615]: AVC avc:  denied  { rlimitinh } for  pid=1615 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                    
Aug 17 13:22:13 tutorial audit[1615]: AVC avc:  denied  { siginh } for  pid=1615 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                       
Aug 17 13:22:13 tutorial audit[1616]: AVC avc:  denied  { noatsecure } for  pid=1616 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1616]: AVC avc:  denied  { read write } for  pid=1616 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1616]: AVC avc:  denied  { read write } for  pid=1616 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1616]: AVC avc:  denied  { rlimitinh } for  pid=1616 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1616]: AVC avc:  denied  { siginh } for  pid=1616 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { noatsecure } for  pid=1617 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { read write } for  pid=1617 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { read write } for  pid=1617 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { rlimitinh } for  pid=1617 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { siginh } for  pid=1617 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1617]: AVC avc:  denied  { search } for  pid=1617 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0
Aug 17 13:22:13 tutorial audit[1618]: AVC avc:  denied  { noatsecure } for  pid=1618 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1618]: AVC avc:  denied  { read write } for  pid=1618 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1618]: AVC avc:  denied  { read write } for  pid=1618 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1618]: AVC avc:  denied  { rlimitinh } for  pid=1618 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                  
Aug 17 13:22:13 tutorial audit[1618]: AVC avc:  denied  { siginh } for  pid=1618 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                     
Aug 17 13:22:13 tutorial audit[1619]: AVC avc:  denied  { net_admin } for  pid=1619 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1619]: AVC avc:  denied  { net_admin } for  pid=1619 comm="systemctl" capability=12  scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=capability permissive=0
Aug 17 13:22:13 tutorial audit[1620]: AVC avc:  denied  { noatsecure } for  pid=1620 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1620]: AVC avc:  denied  { read write } for  pid=1620 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1620]: AVC avc:  denied  { read write } for  pid=1620 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1620]: AVC avc:  denied  { rlimitinh } for  pid=1620 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1620]: AVC avc:  denied  { siginh } for  pid=1620 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                              
Aug 17 13:22:13 tutorial audit[1623]: AVC avc:  denied  { noatsecure } for  pid=1623 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                            
Aug 17 13:22:13 tutorial audit[1623]: AVC avc:  denied  { rlimitinh } for  pid=1623 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                    
Aug 17 13:22:13 tutorial audit[1623]: AVC avc:  denied  { siginh } for  pid=1623 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                       
Aug 17 13:22:13 tutorial audit[1624]: AVC avc:  denied  { noatsecure } for  pid=1624 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1624]: AVC avc:  denied  { read write } for  pid=1624 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1624]: AVC avc:  denied  { read write } for  pid=1624 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1624]: AVC avc:  denied  { rlimitinh } for  pid=1624 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1624]: AVC avc:  denied  { siginh } for  pid=1624 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1625]: AVC avc:  denied  { noatsecure } for  pid=1625 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                           
Aug 17 13:22:13 tutorial audit[1625]: AVC avc:  denied  { rlimitinh } for  pid=1625 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                    
Aug 17 13:22:13 tutorial audit[1625]: AVC avc:  denied  { siginh } for  pid=1625 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                       
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { noatsecure } for  pid=1626 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { read write } for  pid=1626 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { read write } for  pid=1626 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { rlimitinh } for  pid=1626 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { siginh } for  pid=1626 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { search } for  pid=1626 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0
Aug 17 13:22:13 tutorial audit[1627]: AVC avc:  denied  { noatsecure } for  pid=1627 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                            
Aug 17 13:22:13 tutorial audit[1627]: AVC avc:  denied  { read write } for  pid=1627 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1627]: AVC avc:  denied  { read write } for  pid=1627 comm="04-iscsi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1627]: AVC avc:  denied  { rlimitinh } for  pid=1627 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                  
Aug 17 13:22:13 tutorial audit[1627]: AVC avc:  denied  { siginh } for  pid=1627 comm="04-iscsi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tclass=process permissive=0                                                                     
Aug 17 13:22:13 tutorial audit[1628]: AVC avc:  denied  { noatsecure } for  pid=1628 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1628]: AVC avc:  denied  { read write } for  pid=1628 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1628]: AVC avc:  denied  { read write } for  pid=1628 comm="20-chrony-dhcp" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1628]: AVC avc:  denied  { rlimitinh } for  pid=1628 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1628]: AVC avc:  denied  { siginh } for  pid=1628 comm="20-chrony-dhcp" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                              
Aug 17 13:22:13 tutorial audit[1630]: AVC avc:  denied  { noatsecure } for  pid=1630 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1630]: AVC avc:  denied  { read write } for  pid=1630 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1630]: AVC avc:  denied  { read write } for  pid=1630 comm="20-chrony-onoff" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1630]: AVC avc:  denied  { rlimitinh } for  pid=1630 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1630]: AVC avc:  denied  { siginh } for  pid=1630 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1631]: AVC avc:  denied  { noatsecure } for  pid=1631 comm="20-chrony-onoff" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                           
Aug 17 13:22:13 tutorial audit[1631]: AVC avc:  denied  { rlimitinh } for  pid=1631 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                    
Aug 17 13:22:13 tutorial audit[1631]: AVC avc:  denied  { siginh } for  pid=1631 comm="chronyc" scontext=system_u:system_r:NetworkManager_dispatcher_chronyc_t:s0 tcontext=system_u:system_r:chronyc_t:s0 tclass=process permissive=0                                                                                       
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { noatsecure } for  pid=1632 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                           
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { read write } for  pid=1632 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { read write } for  pid=1632 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { rlimitinh } for  pid=1632 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                          
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { siginh } for  pid=1632 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0                                                             
Aug 17 13:22:13 tutorial audit[1632]: AVC avc:  denied  { search } for  pid=1632 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0

```

Comment 18 Colin Walters 2022-08-17 15:00:15 UTC
It looks like we're running code from a NM dispatcher script; this seems to relate to https://github.com/fedora-selinux/selinux-policy/issues/1258

A workaround here may be to just use systemd-run to spawn an unconfined service from the dispatcher.

Comment 19 Dusty Mabe 2022-08-24 15:11:44 UTC
Just noticed that I see the expected behavior in Fedora 37 (selinux-policy-37.8-1.fc37.noarch) and Fedora 38/rawhide (selinux-policy-37.9-1.fc38.noarch). Is there a fix in those branches that isn't in F36 (selinux-policy-36.14-1.fc36.noarch) that solves this problem?

Comment 20 Dusty Mabe 2022-08-24 15:28:30 UTC
In rawhide it seems to have been fixed on this transition:

selinux-policy 37.6-1.fc37.noarch → 37.7-1.fc37.noarch

I think maybe the following commits need to be backported to Fedora 36:

- 816b275 o Allow nm-dispatcher console plugin setfscreate
- e0a4302 o Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t dirs
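
An added example, not part of the original thread or of selinux-policy: a small Python parser that collapses the journal AVC lines posted above into unique (source type, target type, class, permissions) tuples, so a denial such as the `search` on `NetworkManager_etc_t` directories can be compared against the commit titles listed in comment 20. The function names are hypothetical; the sample lines are copied from the log on this page, except for one constructed non-AVC line.

```python
import re
from collections import Counter, defaultdict

# Lines for pid 1626 copied from the journal excerpt on this page; the last
# line is a constructed non-AVC entry to show that other messages are skipped.
SAMPLE = """\
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { noatsecure } for  pid=1626 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { read write } for  pid=1626 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { read write } for  pid=1626 comm="90-console-logi" path="socket:[25382]" dev="sockfs" ino=25382 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { rlimitinh } for  pid=1626 comm="90-console-logi" scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tclass=process permissive=0
Aug 17 13:22:13 tutorial audit[1626]: AVC avc:  denied  { search } for  pid=1626 comm="90-console-logi" name="NetworkManager" dev="vda4" ino=836748 scontext=system_u:system_r:NetworkManager_dispatcher_console_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0
Aug 17 13:22:13 tutorial systemd[1]: Started constructed-example.service.
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return ((source, target, tclass, perms), comm), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(m.group("fields"))) if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    # An SELinux context is user:role:type:level, so the type is the third field.
    source = fields["scontext"].split(":")[2]
    target = fields["tcontext"].split(":")[2]
    perms = tuple(sorted(m.group("perms").split()))
    return (source, target, fields["tclass"], perms), fields.get("comm", "?").strip('"')

def summarize(lines):
    """Count repeated denials per unique tuple and collect the commands that hit each."""
    counts, comms = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            key, comm = parsed
            counts[key] += 1
            comms[key].add(comm)
    return counts, comms

def object_denials(counts):
    """Keep only denials whose target class is not 'process' (dirs, sockets, files)."""
    return {key: n for key, n in counts.items() if key[2] != "process"}

if __name__ == "__main__":
    counts, comms = summarize(SAMPLE.splitlines())
    for key, n in counts.most_common():
        print(n, key[0], "->", key[1], key[2], " ".join(key[3]), sorted(comms[key]))
```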

Comment 21 Zdenek Pytela 2022-09-12 14:25:47 UTC
(In reply to Dusty Mabe from comment #20)
> In rawhide it seems to have been fixed on this transition:
> 
> selinux-policy 37.6-1.fc37.noarch → 37.7-1.fc37.noarch
> 
> I think maybe the following commits need to be backported to Fedora 36:
> 
> - 816b275 o Allow nm-dispatcher console plugin setfscreate
> - e0a4302 o Allow networkmanager_dispatcher_plugin list NetworkManager_etc_t
> dirs

You are right, other related and containing

    Resolves: rhbz#2080043

were already backported.

Comment 22 Fedora Update System 2022-09-14 16:32:56 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 23 Fedora Update System 2022-09-15 02:21:25 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 24 Fedora Update System 2022-09-22 01:17:17 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

