Bug 211065 - connecting using dialup connection cannot update /etc/resolve.conf
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-10-17 03:50 UTC by Brian G. Anderson
Modified: 2018-04-11 19:36 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-03-20 15:56:24 UTC

Description Brian G. Anderson 2006-10-17 03:50:04 UTC
Description of problem:
When I use the NM applet to connect a dialup connection I get the following
message in /var/log/messages: 

Oct 16 20:31:31 porco kernel: audit(1161055891.481:36): avc:  denied  { write } for  pid=5934 comm="pppd" name="resolv.conf" dev=dm-0 ino=10542765 scontext=system_u:system_r:pppd_t:s0 tcontext=user_u:object_r:pppd_etc_t:s0 tclass=file
Oct 16 20:31:31 porco NET[6003]: /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf

I do not get this if I bring the connection up using ifup.

The end result is that sometimes /etc/resolv.conf will not be updated properly.
It looks like, instead of updating /etc/resolv.conf with the new dns server
info, it updates it with the last successful connection dns info.  So sometimes
all host resolution doesn't work.

Version-Release number of selected component (if applicable):
NetworkManager-0.6.4-5.fc6
NetworkManager-gnome-0.6.4-5.fc6
NetworkManager-vpnc-0.7.0-0.cvs20060929.2.fc6
NetworkManager-openvpn-0.3.2-7.fc6
NetworkManager-glib-0.6.4-5.fc6



How reproducible:
the avc failure occurs always when using NM to connect

Steps to Reproduce:
1. create a dialup configuration; mine was through a bluetooth modem
2. use NM to connect to dialup
3.
  
Actual results:
avc denied message; with /etc/resolv.conf not always being updated correctly.

Expected results:
no error

Additional info:

Comment 1 Nicola Soranzo 2007-02-15 23:44:04 UTC
I have the same problem, but I have more SELinux denials like:
- SELinux is preventing the ppp daemon from inserting kernel modules. (3 times)
- SELinux is preventing /usr/sbin/pppd (pppd_t) "write" access to resolv.conf
(pppd_etc_t).
- SELinux is preventing /bin/bash (NetworkManager_t) "read" access to ppp
(pppd_etc_t). (2 times)
- SELinux is preventing /bin/bash (NetworkManager_t) "search" access to ppp
(pppd_etc_t).

Comment 2 Daniel Walsh 2007-03-09 16:19:02 UTC
The problem here is that resolv.conf has the wrong label on it?  Is this
/etc/resolv.conf or something somewhere else?

resolv.conf should be labeled net_conf_t?

Comment 3 Daniel Walsh 2007-03-09 16:19:51 UTC
restorecon /etc/resolv.conf should fix.  You can also run restorecond to
maintain the file context on this file.

service restorecond start.
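
The triage behind Comments 2 and 3, as an added example that is not part of the original bug thread: it parses the AVC denial from the description and compares the target file's SELinux type with the type the file is expected to carry. The function names are hypothetical, the sample line is the report's denial unwrapped onto one line, and the expected type net_conf_t is taken from Comment 2 and passed in as a parameter.

```shell
#!/bin/sh
# Added example: decide whether an AVC denial points at a mislabeled file
# (fix with restorecon) rather than at a missing policy rule.

# Constructed sample: the denial from the report, unwrapped onto one line.
SAMPLE_AVC='Oct 16 20:31:31 porco kernel: audit(1161055891.481:36): avc:  denied  { write } for  pid=5934 comm="pppd" name="resolv.conf" dev=dm-0 ino=10542765 scontext=system_u:system_r:pppd_t:s0 tcontext=user_u:object_r:pppd_etc_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value, with quotes stripped.
# Assumes the value contains no spaces (true for the fields used here).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# context_type CONTEXT: print the type, the third field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# triage LINE EXPECTED_TYPE: print a one-line verdict for the denial.
# EXPECTED_TYPE is supplied by the caller; on a live system the policy's
# expected context for a path can be looked up with matchpathcon.
triage() {
    line=$1
    expected=$2
    name=$(avc_field "$line" name)
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    perms=$(avc_perms "$line")
    if [ "$ttype" != "$expected" ]; then
        echo "MISLABELED $name: has $ttype, expected $expected ($stype denied $perms)"
    else
        echo "LABEL_OK $name: $ttype ($stype denied $perms)"
    fi
}

triage "$SAMPLE_AVC" net_conf_t
```

A MISLABELED verdict means the file context should be restored before any policy change is considered; a LABEL_OK verdict means the denial has to be examined as a policy question instead.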

