Bug 2088944 - SELinux prevents NetworkManager dispatcher script from running
Summary: SELinux prevents NetworkManager dispatcher script from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-21 21:29 UTC by Dario Lesca
Modified: 2022-06-03 03:06 UTC (History)

Fixed In Version: selinux-policy-36.10-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-03 03:06:50 UTC
Type: Bug
Embargoed:




Links:
Github fedora-selinux/selinux-policy pull 1205 (open): Add support for nm-dispatcher sendmail scripts (last updated 2022-05-25 14:20:42 UTC)

Description Dario Lesca 2022-05-21 21:29:22 UTC
After updating to Fedora 36 I have an SELinux problem with my personal
NetworkManager dispatcher script.

In the logs I get this error:

mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc:  denied  { getattr } for  pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0

But if I try to set the SELinux permission I get this error:

[lesca@dodo Network]$ sudo chcon system_u:system_r:NetworkManager_dispatcher_t:s0 /etc/NetworkManager/dispatcher.d/15-vpn-disp 
chcon: failed to change context of '/etc/NetworkManager/dispatcher.d/15-vpn-disp' to 'system_u:system_r:NetworkManager_dispatcher_t:s0': Permission denied

Version-Release number of selected component (if applicable):
[lesca@dodo ~]$ rpm -q selinux-policy selinux-policy-targeted NetworkManager
selinux-policy-36.8-2.fc36.noarch
selinux-policy-targeted-36.8-2.fc36.noarch
NetworkManager-1.38.0-1.fc36.x86_64


How reproducible:
Add a script in /etc/NetworkManager/dispatcher.d/ like this:

#!/bin/bash
# NetworkManager dispatcher script: $1 is the interface name, $2 the action.
# Needs bash (not sh) because of the [[ ... ]] pattern match below.
if [ "$1" = "tun0" -a "$2" = "up" ]
then
        if /sbin/ip route list dev "$1"|grep -q '^10.9.0.' # Specific VPN
        then
                # for any default route, take everything after "default"
                /sbin/ip route list | awk '$1=="default" {$1=""; $2=""; print}'|while read gw
                do
                        # If my home network
                        if [[ "$gw" == *.6.254\ dev\ * ]]
                        then
                                sh -x -c "/sbin/ip route rep 172.16.6.0/24 via $gw; /sbin/ip route rep 10.1.6.0/24 via $gw;"
                        fi
                done

                # DNS Suffix
                sh -x -c "resolvectl domain '$1' extdom1.it extdom2.it"
        fi
fi

The ip and resolve commands are prevented by SELinux with this error:

mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { execute } for  pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { getattr } for  pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc:  denied  { getattr } for  pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied

The only way to allow this execution is to run this command:

sudo semanage permissive -a NetworkManager_dispatcher_t

(for undo: sudo semanage permissive -d NetworkManager_dispatcher_t )

Comment 1 Zdenek Pytela 2022-05-23 08:26:25 UTC
Hi Dario,

Please update to the latest selinux-policy:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-148223ef3b

Ensure the labels are correct:
restorecon -Rvn /etc/NetworkManager/dispatcher.d/

If not, relabel:
restorecon -Rv /etc/NetworkManager/dispatcher.d/

Then run your scripts/restart services/reboot and collect denials:
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2 Dario Lesca 2022-05-23 13:56:11 UTC
I have updated everything (dnf update), then updated as suggested (sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-148223ef3b) and rebooted.

I open the VPN, my dispatcher script is started and the ip and resolvectl commands are executed properly without problems.

This is the ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today output for the last transaction (15:41):

-------------------
[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc:  denied  { create } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc:  denied  { setopt } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:468) : avc:  denied  { bind } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:469) : avc:  denied  { getattr } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.924:470) : avc:  denied  { nlmsg_read } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.927:471) : avc:  denied  { nlmsg_write } for  pid=5929 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.932:472) : avc:  denied  { write } for  pid=5930 comm=resolvectl name=system_bus_socket dev="tmpfs" ino=2022 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.932:473) : avc:  denied  { connectto } for  pid=5930 comm=resolvectl path=/run/dbus/system_bus_socket scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.933:474) : avc:  denied  { create } for  pid=5930 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(23/05/2022 15:41:42.933:475) : avc:  denied  { ioctl } for  pid=5930 comm=resolvectl path=socket:[53969] dev="sockfs" ino=53969 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 


I have also run this command:

-------------------
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
[lesca@dodo ~]$ sudo semanage permissive -a NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 


Customized Permissive Types

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Removing last permissive_NetworkManager_dispatcher_custom_t module (no other permissive_NetworkManager_dispatcher_custom_t module exists at another priority).
[lesca@dodo ~]$ sudo semanage permissive -l

Builtin Permissive Types 

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
-------------------

As you see, there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.
Is this a problem?

But now my dispatcher script works great.

If I must try some other test let me know.

Many thanks
Dario
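
The permissive=1 records in the ausearch output above are the raw material a policy maintainer turns into allow rules, which is what audit2allow automates. The script below is an added example, not code from this bug report or from the selinux-policy project: it parses a constructed sample in the same ausearch -i format (AVC and USER_AVC records), merges the denied permissions per source type, target type and class, records whether each denial was actually enforced, and renders the result as allow rules for review.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `ausearch -i` output quoted in this bug.
SAMPLE = """\
type=AVC msg=audit(23/05/2022 15:41:42.924:466) : avc:  denied  { create } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.924:467) : avc:  denied  { setopt } for  pid=5923 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1
----
type=AVC msg=audit(23/05/2022 15:41:42.932:472) : avc:  denied  { write } for  pid=5930 comm=resolvectl name=system_bus_socket dev="tmpfs" ino=2022 scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
----
type=USER_AVC msg=audit(23/05/2022 15:41:42.933:476) : pid=1769 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
"""

# Matches the avc: part of both plain AVC records and USER_AVC records (inside msg='...').
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avcs(text):
    """One dict per denial: types (third field of a context), class, perms."""
    out = []
    for m in filter(None, map(AVC_RE.search, text.splitlines())):
        out.append({
            "stype": m.group("scon").split(":")[2],
            "ttype": m.group("tcon").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            # permissive=1 means the source domain is permissive: logged, not blocked
            "blocked": m.group("permissive") != "1",
        })
    return out

def summarize(records):
    """Union of denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(needed)

def allow_rules(summary):
    """Render as policy allow rules; 'self' when source and target types match."""
    return [
        f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]
```

The "blocked" flag is what distinguishes a permissive-domain record like the ones above from a real enforcement failure such as the execute denial in the original description.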

Comment 3 Zdenek Pytela 2022-05-25 14:20:43 UTC
The NetworkManager_dispatcher_custom_t type has been temporarily set to permissive to catch requested permissions; the actions are actually not blocked.

You can try the latest scratchbuild:
https://github.com/fedora-selinux/selinux-policy/pull/1205
Checks -> Details -> Artifacts -> rpms

but note the package version is for rawhide.

Comment 4 Dario Lesca 2022-05-25 19:57:25 UTC
I have updated with the latest proposed scratchbuild

[lesca@dodo ~]$ sudo dnf update '/tmp/selinux-policy-targeted-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' '/tmp/selinux-policy-37.2-1.20220525_142551.d15ad77.fc37.noarch.rpm' 

but nothing has changed: my dispatcher script works great and there is a "Builtin Permissive Types" entry (NetworkManager_dispatcher_custom_t) that I can't delete.


[lesca@dodo ~]$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

----
type=AVC msg=audit(25/05/2022 00:31:17.946:1009) : avc:  denied  { create } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1010) : avc:  denied  { setopt } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1011) : avc:  denied  { bind } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1012) : avc:  denied  { getattr } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 00:31:17.946:1013) : avc:  denied  { nlmsg_read } for  pid=188892 comm=ip scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=netlink_route_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1315) : avc:  denied  { create } for  pid=335058 comm=resolvectl scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 
----
type=AVC msg=audit(25/05/2022 21:49:07.812:1316) : avc:  denied  { ioctl } for  pid=335058 comm=resolvectl path=socket:[1557535] dev="sockfs" ino=1557535 ioctlcmd=SIOCGIFINDEX scontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tcontext=system_u:system_r:NetworkManager_dispatcher_custom_t:s0 tclass=unix_dgram_socket permissive=1 



[lesca@dodo ~]$ sudo semanage permissive -l

Tipi permissivi incorporati

NetworkManager_dispatcher_custom_t
[lesca@dodo ~]$ sudo semanage permissive -l^C
[lesca@dodo ~]$ sudo semanage permissive -d NetworkManager_dispatcher_custom_t
libsemanage.semanage_direct_remove_key: Unable to remove module permissive_NetworkManager_dispatcher_custom_t at priority 400. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory

Now I have downgraded to the previous package
[lesca@dodo ~]$ sudo dnf downgrade selinux-policy-targeted selinux-policy --enablerepo=updates-testing

Comment 5 Zdenek Pytela 2022-05-26 13:58:14 UTC
Thank you. The netlink_route_socket and unix_dgram_socket denials will be addressed by the next build.

Comment 6 Fedora Update System 2022-05-30 12:48:12 UTC
FEDORA-2022-a8b9033ed5 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

Comment 7 Fedora Update System 2022-06-01 02:28:36 UTC
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-a8b9033ed5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-a8b9033ed5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-06-03 03:06:50 UTC
FEDORA-2022-a8b9033ed5 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

