Bug 211065 - connecting using dialup connection cannot update /etc/resolve.conf
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-10-16 23:50 EDT by Brian G. Anderson
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-03-20 11:56:24 EDT
Description Brian G. Anderson 2006-10-16 23:50:04 EDT
Description of problem:
When I use the NM applet to connect a dialup connection I get the following
message in /var/log/messages:

Oct 16 20:31:31 porco kernel: audit(1161055891.481:36): avc:  denied  { write } for  pid=5934 comm="pppd" name="resolv.conf" dev=dm-0 ino=10542765 scontext=system_u:system_r:pppd_t:s0 tcontext=user_u:object_r:pppd_etc_t:s0 tclass=file
Oct 16 20:31:31 porco NET[6003]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf

I do not get this if I bring the connection up using ifup.

The end result is that sometimes /etc/resolv.conf will not be updated properly.
It looks like, instead of updating /etc/resolv.conf with the new dns server
info, it updates it with the last successful connection dns info.  So sometimes
all host resolution doesn't work.

Version-Release number of selected component (if applicable):

How reproducible:
The avc failure occurs always when using NM to connect

Steps to Reproduce:
1. create a dialup configuration; mine was through a bluetooth modem
2. use NM to connect to dialup
Actual results:
avc denied message; with /etc/resolv.conf not always being updated correctly.

Expected results:
no error

Additional info:
Comment 1 Nicola Soranzo 2007-02-15 18:44:04 EST
I have the same problem, but I have more SELinux denials like:
- SELinux is preventing the ppp daemon from inserting kernel modules. (3 times)
- SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf
- SELinux is preventing /bin/bash (NetworkManager_t) "read" access to ppp
(pppd_etc_t). (2 times)
- SELinux is preventing /bin/bash (NetworkManager_t) "search" access to ppp
Comment 2 Daniel Walsh 2007-03-09 11:19:02 EST
The problem here is that resolv.conf has the wrong label on it?  Is this
/etc/resolv.conf or something somewhere else?

resolv.conf should be labeled net_conf_t?
Comment 3 Daniel Walsh 2007-03-09 11:19:51 EST
restorecon /etc/resolv.conf should fix.  You can also run restorecond to
maintain the file context on this file.

service restorecond start.
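
Added example (not part of the original bug report or of the selinux-policy project): a small Python parser for the AVC denial quoted in the description, which extracts the source and target types and compares the target type against the label suggested in comment 2. The EXPECTED_TYPES table and the function names are assumptions made for this illustration.

```python
import re

# Copied from the denial in the bug description, rejoined onto one line.
SAMPLE = ('Oct 16 20:31:31 porco kernel: audit(1161055891.481:36): avc:  denied  '
          '{ write } for  pid=5934 comm="pppd" name="resolv.conf" dev=dm-0 '
          'ino=10542765 scontext=system_u:system_r:pppd_t:s0 '
          'tcontext=user_u:object_r:pppd_etc_t:s0 tclass=file')

# Assumption: expected type per file name; net_conf_t is the label named in comment 2.
EXPECTED_TYPES = {"resolv.conf": "net_conf_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return a dict describing an AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            # user:role:type[:level]; the level may itself contain colons
            parts = rec[ctx].split(":", 3)
            if len(parts) >= 3:
                rec[ctx + "_type"] = parts[2]
    return rec


def diagnose(rec, expected=EXPECTED_TYPES):
    """Separate a labeling problem on a known file from a policy question."""
    name, ttype = rec.get("name"), rec.get("tcontext_type")
    want = expected.get(name)
    if rec.get("tclass") == "file" and want and ttype and ttype != want:
        return "mislabeled: %s is %s, expected %s; relabel with restorecon" % (name, ttype, want)
    return "label as expected or unknown; review policy for %s" % rec.get("scontext_type")


if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE)))
```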
