Bug 708701 - SELinux is preventing /usr/sbin/dnsmasq from read access on the file nm-dns-dnsmasq.conf.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-28 22:07 UTC by simon
Modified: 2011-07-26 06:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-07-26 06:11:22 UTC

Attachment: details output (2.34 KB, text/plain), 2011-05-28 22:07 UTC, simon

Description simon 2011-05-28 22:07:59 UTC
Created attachment 501530 [details]
details output

Description of problem:
SELinux is preventing /usr/sbin/dnsmasq from read access on the file nm-dns-dnsmasq.conf.

I'm getting this issue on F15 after adding "dns=dnsmasq" to
/etc/NetworkManager/NetworkManager.conf

Seems to be creating this file in /var/run/

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-24.fc15.noarch

How reproducible:

Steps to Reproduce:
1. Install dnsmasq
2. Add "dns=dnsmasq" to /etc/NetworkManager/NetworkManager.conf
3. Restart NM
  
Actual results:
SELinux troubleshooter flags up an unexpected read

Expected results:


Additional info:

Running the suggested steps appears to resolve this:

allow this access for now by executing:
# grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp 

Originally reported in bug #682460 as the "report bug" button linked to that issue.

Comment 1 Dominick Grift 2011-05-29 05:29:02 UTC
This should be fixed here, I believe:

https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-26.fc15

Comment 2 Miroslav Grepl 2011-05-29 09:06:08 UTC
Yes, it should be fixed.

Comment 3 Josh Stone 2011-07-23 19:30:06 UTC
I'm getting denied-getattr and denied-unlink on nm-dns-dnsmasq.conf using selinux-policy-3.9.16-34.fc15.noarch.  Should this bug be reopened, or filed separately?

I noticed in particular that when the file is first created it has context NetworkManager_var_run_t, but restorecon puts it back to var_run_t.  I see no special rules for this file in semanage fcontext.

Comment 4 Miroslav Grepl 2011-07-25 14:11:47 UTC
What avc msgs are you getting?

Comment 5 Josh Stone 2011-07-25 16:49:20 UTC
type=AVC msg=audit(1311446980.946:9756): avc:  denied  { getattr } for  pid=984 comm="NetworkManager" path="/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=215168 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1311446980.946:9757): avc:  denied  { unlink } for  pid=984 comm="NetworkManager" name="nm-dns-dnsmasq.conf" dev=tmpfs ino=215168 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file

I did a chcon back to NetworkManager_var_run_t, and since then it's been fine.
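
The two AVC records above show a labeling problem rather than a missing policy rule: the target carries var_run_t while NetworkManager's own runtime files carry NetworkManager_var_run_t, which is why a chcon resolved it and why feeding these denials to audit2allow would only have widened the policy. As an added example (not from this bug report or the selinux-policy project), a small Python triage script that parses such audit.log AVC records and flags that case; the expected-type table is an assumption drawn from comment 5, and the third, non-AVC log line is constructed.

```python
import os
import re
from typing import Any, Dict, List, Optional

# An AVC record: "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed expectation mirroring the chcon in comment 5: NetworkManager's runtime files
# should carry its private type, not the generic var_run_t. Extend for other daemons.
EXPECTED_TYPES = {"nm-dns-dnsmasq.conf": "NetworkManager_var_run_t"}

# Sample input: the two AVC records quoted in comment 5 plus one constructed non-AVC record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1311446980.946:9756): avc:  denied  { getattr } for  pid=984 comm="NetworkManager" path="/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=215168 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1311446980.946:9757): avc:  denied  { unlink } for  pid=984 comm="NetworkManager" name="nm-dns-dnsmasq.conf" dev=tmpfs ino=215168 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    "type=SYSCALL msg=audit(1311446980.946:9756): arch=c000003e syscall=4 success=no exit=-13 (constructed line)",
]

def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit.log AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    # A context is user:role:type:level; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def classify(rec: Dict[str, Any]) -> str:
    """'relabel' when the target's type differs from what we expect for that file
    (fix with restorecon/chcon, not an allow rule); otherwise 'policy' (needs review)."""
    # getattr records carry path=, unlink records only name=; normalise to a basename.
    target = os.path.basename(rec.get("path") or rec.get("name", ""))
    expected = EXPECTED_TYPES.get(target)
    if expected and rec.get("tcontext_type") != expected:
        return "relabel"
    return "policy"

def triage(lines: List[str]) -> List[str]:
    """One human-readable finding per AVC record found in the given log lines."""
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        out.append(f"{rec['comm']} denied {{ {' '.join(rec['perms'])} }} on "
                   f"{rec.get('path') or rec.get('name')} labeled {rec['tcontext_type']}: {classify(rec)}")
    return out
```

Run `triage(SAMPLE_LOG)` against real audit.log lines to see, per denial, whether the answer is a relabel or a policy review.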

Comment 6 Daniel Walsh 2011-07-25 18:40:00 UTC
Any idea how it got labeled this?  Were you running any tools at the command line to start the network?

Comment 7 Josh Stone 2011-07-25 19:03:59 UTC
Hmm, I almost always use nm-applet to manage connections.  However, recently I was tinkering with loading/unloading e1000e for some driver issues I was having, so maybe NM got confused somewhere in that.

I didn't investigate the sealert for a while at first, because the network still seemed to be working, until I noticed that my local hosts weren't resolving anymore while I was on the VPN.  But now dns-dnsmasq is working again, so I guess I'll just watch to see if it happens again...

Comment 8 Miroslav Grepl 2011-07-26 06:11:22 UTC
OK, could you open the bug if the problem occurs again.

