After updating to Fedora 36 I have an SELinux problem with my personal NetworkManager dispatcher script. In the logs I get this error:

mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc: denied { getattr } for pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0

But if I try to set the SELinux permission I get this error:

[lesca@dodo Network]$ sudo chcon system_u:system_r:NetworkManager_dispatcher_t:s0 /etc/NetworkManager/dispatcher.d/15-vpn-disp
chcon: failed to change context of '/etc/NetworkManager/dispatcher.d/15-vpn-disp' to 'system_u:system_r:NetworkManager_dispatcher_t:s0': Permission denied

Version-Release number of selected component (if applicable):

[lesca@dodo ~]$ rpm -q selinux-policy selinux-policy-targeted NetworkManager
selinux-policy-36.8-2.fc36.noarch
selinux-policy-targeted-36.8-2.fc36.noarch
NetworkManager-1.38.0-1.fc36.x86_64

How reproducible:

Add a script in /etc/NetworkManager/dispatcher.d/ like this:

#!/bin/bash
# NetworkManager passes the interface name as $1 and the action as $2.
# Only act when the VPN tunnel comes up.
if [ "$1" = "tun0" -a "$2" = "up" ]
then
  if /sbin/ip route list dev "$1" | grep -q '^10.9.0.'
  # Specific VPN
  then
    # for any route
    /sbin/ip route list | awk '$1=="default" {$1=""; $2=""; print}' | while read gw
    do
      # If my home network
      if [[ "$gw" == *.6.254\ dev\ * ]]
      then
        sh -x -c "/sbin/ip route rep 172.16.6.0/24 via $gw; /sbin/ip route rep 10.1.6.0/24 via $gw;"
      fi
    done
    # DNS Suffix
    sh -x -c "resolvectl domain '$1' extdom1.it extdom2.it"
  fi
fi

The ip and resolvectl commands are prevented by SELinux with this error:

mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { execute } for pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied

The only way to allow this execution is to run this command:

sudo semanage permissive -a NetworkManager_dispatcher_t

(for undo: sudo semanage permissive -d NetworkManager_dispatcher_t )
Hi Dario,

Please update to the latest selinux-policy:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-148223ef3b

Ensure the labels are correct:
restorecon -Rvn /etc/NetworkManager/dispatcher.d/

If not, relabel:
restorecon -Rv /etc/NetworkManager/dispatcher.d/

Then run your scripts/restart services/reboot and collect denials:
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
I have updated everything (dnf update), then I have updated as suggested (sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-148223ef3b) and rebooted. I open the VPN, my dispatcher script is started and the ip and resolvectl commands are executed properly without problem.

This is the ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today output for the last transaction (15:41):

-------------------
[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc: denied { create } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc: denied { setopt } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:468) : avc: denied { bind } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:469) : avc: denied { getattr } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:470) : avc: denied { nlmsg_read } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.927:471) : avc: denied { nlmsg_write } for pid=5929 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:472) : avc: denied { write } for pid=5930 comm=resolvectl name=system_bus_socket dev="tmpfs" ino=2022 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc: denied { connectto } for pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.933:474) : avc: denied { create } for pid=5930 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.933:475) : avc: denied { ioctl } for pid=5930 comm=resolvectl path=socket:[53969] dev="sockfs" ino=53969 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
I have also run these commands:

-------------------
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

[lesca@dodo ~]$ sudo semanage permissive -a NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Removing last permissive_NetworkManager_dispatcher_custom_t module (no other permissive_NetworkManager_dispatcher_custom_t module exists at another priority).

[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
-------------------

As you can see, there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete. Is this a problem? But now my dispatcher script works great. If I must try some other test let me know.

Many thanks
Dario
The NetworkManager_dispatcher_custom_t type has been temporarily set to permissive to catch requested permissions; the actions are actually not blocked.

You can try the latest scratchbuild:
https://github.com/fedora-selinux/selinux-policy/pull/1205
Checks -> Details -> Artifacts -> rpms

but note the package version is for rawhide.
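The distinction made in the previous comment (permissive=1 means the denial was logged but the action went through; permissive=0 means it was really blocked) is easy to lose when an ausearch dump has dozens of records. The following is an added example, not code from the Fedora selinux-policy project and not a replacement for audit2allow: it parses AVC lines in both the journal form and the `ausearch -i` form, groups them by (source type, target type, object class) the way a policy author triages them, merges the requested permissions, and marks each group as actually blocked or permissive-only. The sample input is built from lines quoted in this bug report; the rule strings it prints mimic audit2allow's `allow` syntax for readability only.

```python
"""Group SELinux AVC denials and separate enforced from permissive-only ones.

Added example for this bug thread (not Fedora selinux-policy code, not a
substitute for audit2allow). Handles both the journal form
(comm="ip" ... permissive=0) and the `ausearch -i` form
(comm=ip ... permissive=1), including USER_AVC records from dbus-broker.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


@dataclass
class Avc:
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    permissive: bool   # True: logged only, the operation was allowed to proceed
    target: str        # path= or name= of the object, "" for socket classes


def type_of(context: str) -> str:
    """Type field of user:role:type[:range]; MLS ranges contain ':' as well."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Avc]:
    """Return the denial carried by `line`, or None if it is not an AVC record."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    # Only fields after "denied { ... }" belong to the AVC itself; the outer
    # pid=/uid=/subj= fields of a USER_AVC record describe the reporting daemon.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return Avc(
        perms=tuple(m.group(1).split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
        permissive=fields.get("permissive", "0") == "1",
        target=fields.get("path") or fields.get("name") or "",
    )


@dataclass
class Group:
    perms: Set[str] = field(default_factory=set)
    comms: Set[str] = field(default_factory=set)
    enforced: bool = False  # True once any denial in the group had permissive=0


Key = Tuple[str, str, str]  # (source type, target type, object class)


def summarise(lines) -> Dict[Key, Group]:
    groups: Dict[Key, Group] = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (type_of(avc.scontext), type_of(avc.tcontext), avc.tclass)
        g = groups.setdefault(key, Group())
        g.perms.update(avc.perms)
        g.comms.add(avc.comm)
        g.enforced = g.enforced or not avc.permissive
    return groups


def report(lines) -> List[str]:
    """One line per group: blocked or permissive-only, plus an audit2allow-style rule."""
    out = []
    for (src, tgt, cls), g in sorted(summarise(lines).items()):
        status = "BLOCKED" if g.enforced else "permissive-only"
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g.perms))} }};"
        out.append(f"[{status}] {rule}  # comm={','.join(sorted(g.comms))}")
    return out


# Sample input taken from the records quoted in this bug report: two journal
# lines from the enforcing system, one non-AVC line, then ausearch -i records
# from the run with the permissive NetworkManager_dispatcher_custom_t domain.
SAMPLE_LINES = [
    'mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc: denied { getattr } for pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0',
    'mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { execute } for pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0',
    'mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0',
    'mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied',
    'type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc: denied { create } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1',
    'type=AVC msg=audit(23/05/2022 15:41:42.924:468) : avc: denied { bind } for pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1',
    'type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc: denied { connectto } for pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
    "type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Run against real data with `sudo ausearch -i -m avc,user_avc -ts today | python3 avc_groups.py` after replacing SAMPLE_LINES with `sys.stdin`; the "permissive-only" groups are the ones a permissive domain such as NetworkManager_dispatcher_custom_t produces without blocking anything, and the "BLOCKED" groups are the ones that actually broke the dispatcher script on the enforcing system.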
I have updated with the latest scratchbuild proposed:

[lesca@dodo ~]$ sudo dnf update '/tmp/selinux-policy-targeted-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' '/tmp/selinux-policy-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm'

but nothing has changed: my dispatcher script works great and there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.

[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1009) : avc: denied { create } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1010) : avc: denied { setopt } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1011) : avc: denied { bind } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1012) : avc: denied { getattr } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1013) : avc: denied { nlmsg_read } for pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1315) : avc: denied { create } for pid=335058 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1316) : avc: denied { ioctl } for pid=335058 comm=resolvectl path=socket:[1557535] dev="sockfs" ino=1557535 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1

[lesca@dodo ~]$ sudo semanage permissive -l

Tipi permissivi incorporati

NetworkManager_dispatcher_custom_t

[lesca@dodo ~]$ sudo semanage permissive -l^C
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

Now I have downgraded to the previous package:

[lesca@dodo ~]$ sudo dnf downgrade selinux-policy-targeted selinux-policy --enablerepo=updates-testing
Thank you. The netlink_route_socket and unix_dgram_socket denials will be addressed by the next build.
FEDORA-2022-a8b9033ed5 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-a8b9033ed5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.