Bug 2093556 - SELinux is preventing unbound-anchor from 'read' accesses on the file no-stub-resolv.conf.
Summary: SELinux is preventing unbound-anchor from 'read' accesses on the file no-stub...
Keywords:
Status: CLOSED DUPLICATE of bug 2091275
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:30aea9aefa226859263ee739590...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-04 12:11 UTC by Sam Varshavchik
Modified: 2022-09-12 15:09 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-12 15:09:41 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Sam Varshavchik 2022-06-04 12:11:54 UTC 
Description of problem:
After removing systemd-resolved, /etc/resolv.conf was repointed to ../run/NetworkManager/no-stub-resolv.conf

These AVCs happen occasionally when the system suspends and resumes.
SELinux is preventing unbound-anchor from 'read' accesses on the file no-stub-resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that unbound-anchor should be allowed read access on the no-stub-resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'unbound-anchor' --raw | audit2allow -M my-unboundanchor
# semodule -X 300 -i my-unboundanchor.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                no-stub-resolv.conf [ file ]
Source                        unbound-anchor
Source Path                   unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.17.9-300.fc36.x86_64 #1 SMP
                              PREEMPT Wed May 18 15:08:23 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-06-04 08:09:40 EDT
Last Seen                     2022-06-04 08:09:40 EDT
Local ID                      eaba81ba-2496-4748-a9f9-628d18e07b49

Raw Audit Messages
type=AVC msg=audit(1654344580.610:499): avc:  denied  { read } for  pid=11027 comm="unbound-anchor" name="no-stub-resolv.conf" dev="tmpfs" ino=2078 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=0


Hash: unbound-anchor,named_t,NetworkManager_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-36.8-2.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.1
hashmarkername: setroubleshoot
kernel:         5.17.9-300.fc36.x86_64
type:           libreport
Comment 1 Zdenek Pytela 2022-09-12 15:09:41 UTC 

*** This bug has been marked as a duplicate of bug 2091275 ***
Note You need to log in before you can comment on or make changes to this bug.