Bug 753521 - restorecon puts the wrong context on nm-dns-dnsmasq.conf
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-11-13 03:59 UTC by Josh Stone
Modified: 2011-11-21 00:00 UTC

Fixed In Version: selinux-policy-3.10.0-56.fc16
Doc Type: Bug Fix
Last Closed: 2011-11-21 00:00:56 UTC

Description Josh Stone 2011-11-13 03:59:37 UTC
Description of problem:
After updating packages (via PackageKit), I discovered that /var/run/nm-dns-dnsmasq.conf lost its proper selinux context, type NetworkManager_var_run_t.  It was instead reverted to var_run_t, and when NetworkManager next tried to change the network status, it failed to replace that file.

I previously ran into this, reported on bug #708701 comment #5, but didn't know how it got borked at that time.

Unfortunately this time it looks like auditd wasn't running (or even enabled, probably a failing of systemd upgrades).  But I had a systemtap script collecting setxattr calls, and I see during the middle of a yum transaction that restorecon changed this file.  That yum transaction included selinux policies.

Version-Release number of selected component (if applicable):
    Updated     selinux-policy-3.10.0-51.fc16.noarch           ?
    Update                     3.10.0-55.fc16.noarch           @updates
    Updated     selinux-policy-targeted-3.10.0-51.fc16.noarch  ?
    Update                              3.10.0-55.fc16.noarch  @updates

How reproducible:
Unknown

Steps to Reproduce:
1. Set dns=dnsmasq in /etc/NetworkManager/NetworkManager.conf
2. Update selinux-policy*
3. Change network connectivity
  
Actual results:
NM can't write the file, so falls back to simple resolv.conf dns.

Expected results:
NM makes whatever change it needs and keeps resolv.conf pointing to localhost dnsmasq.  So nm-dns-dnsmasq.conf should be NetworkManager_var_run_t.

Additional info:
Running restorecon manually on that file does set var_run_t.  There's a path that does restorecon -R /var/run in the selinux-policy-targeted postinstall, which seems the likely culprit here.
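
An added example, not part of the original report or of the selinux-policy package: a shell helper that reads dry-run output from `restorecon -R -n -v /var/run` and lists files that would be moved from a specific type to the generic var_run_t, the change described above. The two output layouts it parses are assumed, the sample lines are constructed, and example_var_run_t is a hypothetical type.

```shell
#!/usr/bin/env bash
# Added example: flag files a restorecon run would move from a specific
# SELinux type to a generic one, using only dry-run (-n -v) output.

# Print the type (third field) of a user:role:type[:range] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `restorecon -n -v` output on stdin and print "PATH OLD_TYPE" for each
# file whose type would change from something else to the generic type $1.
# Assumed output layouts (older and newer policycoreutils):
#   restorecon reset PATH context OLD->NEW
#   Would relabel PATH from OLD to NEW
flag_generic_relabels() {
    local generic="$1" line path old new
    while IFS= read -r line; do
        case "$line" in
            "restorecon reset "*" context "*"->"*)
                path=${line#restorecon reset }; path=${path% context *}
                old=${line##* context }
                new=${old#*"->"}; old=${old%%"->"*} ;;
            "Would relabel "*" from "*" to "*)
                path=${line#Would relabel }; path=${path% from *}
                old=${line##* from }
                new=${old##* to }; old=${old%% to *} ;;
            *) continue ;;   # ignore anything that is not a relabel line
        esac
        old=$(ctx_type "$old"); new=$(ctx_type "$new")
        if [ "$new" = "$generic" ] && [ "$old" != "$generic" ]; then
            printf '%s %s\n' "$path" "$old"
        fi
    done
}

# Constructed sample output: two downgrades to var_run_t and one relabel
# in the other direction, which must not be flagged.
SAMPLE_OUTPUT='restorecon reset /var/run/nm-dns-dnsmasq.conf context system_u:object_r:NetworkManager_var_run_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /var/run/other.pid context system_u:object_r:var_run_t:s0->system_u:object_r:example_var_run_t:s0
Would relabel /var/run/example.pid from system_u:object_r:example_var_run_t:s0 to system_u:object_r:var_run_t:s0'

printf '%s\n' "$SAMPLE_OUTPUT" | flag_generic_relabels var_run_t

# Live use on an SELinux host, before updating selinux-policy:
#   restorecon -R -n -v /var/run | flag_generic_relabels var_run_t
```

Any path it prints is a file whose label in the loaded policy is less specific than the label it currently carries, so a recursive restorecon would reset it as happened here.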

Comment 1 Miroslav Grepl 2011-11-14 11:08:29 UTC
Fixed in selinux-policy-3.10.0-56.fc16

Comment 2 Fedora Update System 2011-11-16 15:23:04 UTC
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Comment 3 Fedora Update System 2011-11-17 23:30:48 UTC
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-11-21 00:00:56 UTC
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
