Bug 809250 - SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/run/nm-dns-dnsmasq.conf.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:40dd15b0689...
Reported: 2012-04-02 16:58 EDT by Oron Peled
Modified: 2012-08-07 16:23 EDT (History)
Last Closed: 2012-08-07 16:23:33 EDT
Description Oron Peled 2012-04-02 16:58:25 EDT
SELinux is preventing NetworkManager from 'getattr' accesses on the file /var/run/nm-dns-dnsmasq.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed getattr access on the nm-dns-dnsmasq.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /var/run/nm-dns-dnsmasq.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-52.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux radon 2.6.42.9-2.fc15.i686.PAE #1 SMP Mon
                              Mar 5 21:03:10 UTC 2012 i686 i686
Alert Count                   2
First Seen                    Mon 02 Apr 2012 01:29:00 PM IDT
Last Seen                     Mon 02 Apr 2012 10:46:08 PM IDT
Local ID                      97fb56f1-0903-4fa3-8580-1c6858928da0

Raw Audit Messages
type=AVC msg=audit(1333395968.271:1713): avc:  denied  { getattr } for  pid=946 comm="NetworkManager" path="/var/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file


Hash: NetworkManager,NetworkManager_t,var_run_t,file,getattr

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file getattr;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file getattr;
Comment 1 Oron Peled 2012-04-02 17:04:28 EDT
This started to occur after configuring NetworkManager to use DNS
caching via dnsmasq, i.e. adding the 'dns=dnsmasq' line to
/etc/NetworkManager/NetworkManager.conf. Here are its full contents:

  [main]
  plugins=ifcfg-rh
  dns=dnsmasq

These are the NM related files under /var/run:
ls -lZ /var/run/nm-d*
-rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 /var/run/nm-dhclient-eth0.conf
-rw-------. root root system_u:object_r:var_run_t:s0   /var/run/nm-dns-dnsmasq.conf

restorecon /var/run/nm-dns-dnsmasq.conf does not change its selinux context.

So it seems its context should be changed to NetworkManager_var_run_t (is it correct?)
Comment 2 Oron Peled 2012-04-02 17:06:30 EDT
Forgot to mention that 'unlink' on the same file is also rejected.
Here is the entire message:
SELinux is preventing NetworkManager from unlink access on the file nm-dns-dnsmasq.conf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that NetworkManager should be allowed unlink access on the nm-dns-dnsmasq.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                nm-dns-dnsmasq.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          radon
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-52.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     radon
Platform                      Linux radon 2.6.42.9-2.fc15.i686.PAE #1 SMP Mon
                              Mar 5 21:03:10 UTC 2012 i686 i686
Alert Count                   10
First Seen                    Sun 01 Apr 2012 09:04:36 AM IDT
Last Seen                     Mon 02 Apr 2012 10:46:08 PM IDT
Local ID                      ee7c09ff-dbfb-41e4-8755-d6917ef02383

Raw Audit Messages
type=AVC msg=audit(1333395968.271:1714): avc:  denied  { unlink } for  pid=946 comm="NetworkManager" name="nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file


Hash: NetworkManager,NetworkManager_t,var_run_t,file,unlink

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file unlink;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file unlink;
Comment 3 Miroslav Grepl 2012-04-05 09:18:17 EDT
/var/run/nm-dns-dnsmasq.conf is mislabeled.

What does

$ matchpathcon /var/run/nm-dns-dnsmasq.conf
Comment 4 Oron Peled 2012-04-05 18:23:42 EDT
As I said earlier, restorecon did not change its context.

However:
# matchpathcon /var/run/nm-dns-dnsmasq.conf
/var/run/nm-dns-dnsmasq.conf    system_u:object_r:var_run_t:s0

For reference:
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.9.16-52.fc15.noarch

Other related files (same before/after restorecon):
# ls -Z /var/run/nm-d*
-rw-r--r--. root root system_u:object_r:NetworkManager_var_run_t:s0 /var/run/nm-dhclient-eth0.conf
-rw-------. root root system_u:object_r:var_run_t:s0   /var/run/nm-dns-dnsmasq.conf
-rw-r--r--. root root system_u:object_r:dnsmasq_var_run_t:s0 /var/run/nm-dns-dnsmasq.pid
Comment 5 Oron Peled 2012-04-05 18:27:28 EDT
Nothing in the policy refers to /var/run/nm-dns-dnsmasq.conf:
# semanage fcontext -l | grep dnsmasq
/etc/dnsmasq\.conf                                 regular file       system_u:object_r:dnsmasq_etc_t:s0 
/etc/rc\.d/init\.d/dnsmasq                         regular file       system_u:object_r:dnsmasq_initrc_exec_t:s0 
/usr/sbin/dnsmasq                                  regular file       system_u:object_r:dnsmasq_exec_t:s0 
/var/lib/dnsmasq(/.*)?                             all files          system_u:object_r:dnsmasq_lease_t:s0 
/var/lib/misc/dnsmasq\.leases                      regular file       system_u:object_r:dnsmasq_lease_t:s0 
/var/log/dnsmasq.*                                 regular file       system_u:object_r:dnsmasq_var_log_t:s0 
/var/run/dnsmasq\.pid                              regular file       system_u:object_r:dnsmasq_var_run_t:s0 
/var/run/libvirt/network(/.*)?                     all files          system_u:object_r:dnsmasq_var_run_t:s0
Comment 6 Miroslav Grepl 2012-04-06 02:40:37 EDT
I see it now. This is on F15.
Comment 7 Miroslav Grepl 2012-04-06 02:46:48 EDT
If you execute

$ chcon -t NetworkManager_var_run_t /var/run/nm-dns-dnsmasq.conf

are you able to reproduce it?
Comment 8 Oron Peled 2012-04-06 06:11:44 EDT
Unsurprisingly, it seems to solve the problem.
Testing:
 0. chcon -t NetworkManager_var_run_t /var/run/nm-dns-dnsmasq.conf
 1. Disconnect network cable, wait for NM to flag no network.
 2. Check for empty configuration (no dns server, 0 bytes file):
      # ls -ltr /var/run/nm-dns-dnsmasq.*
      -rw-------. 1 root root 0 Apr  6 13:05 /var/run/nm-dns-dnsmasq.conf
      -rw-r--r--. 1 root root 6 Apr  6 13:05 /var/run/nm-dns-dnsmasq.pid
 3. Reconnect network cable, wait for NM to flag network connection is ready.
 4. Check updated configuration file (non empty config, content OK):
      # ls -ltr /var/run/nm-dns-dnsmasq.*
      -rw-------. 1 root root 21 Apr  6 13:05 /var/run/nm-dns-dnsmasq.conf
      -rw-r--r--. 1 root root  6 Apr  6 13:05 /var/run/nm-dns-dnsmasq.pid
      # cat /var/run/nm-dns-dnsmasq.conf
      server=aaa.bbb.ccc.ddd
 5. No new messages in /var/log/audit/audit.log

Two questions:
 * Does it justify a new policy release? (The workaround is OK for me, no urgent need)
 * Not an SELinux issue, but why is the NM default config without DNS caching?
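The diagnosis this thread walks through (restorecon changes nothing because matchpathcon itself returns the generic var_run_t, so the policy has no rule for the path) as an added shell example that is not part of the bug report; the list of generic fallback types and the domain-to-type naming rule (NetworkManager_t -> NetworkManager_var_run_t, as seen on this page) are assumptions:

```sh
#!/bin/sh
# Diagnose an SELinux file denial: mislabeled file, or no fcontext rule at all?
# Inputs: the raw AVC line, and the context matchpathcon reports for the path.

# Generic fallback types; a file under /var/run with no path-specific fcontext
# rule ends up as var_run_t (assumption: list is illustrative, not exhaustive).
GENERIC_TYPES="var_run_t var_t var_lib_t var_log_t etc_t tmp_t"

# avc_field LINE KEY: value of KEY=... (quoted or not) from an AVC record.
avc_field() { printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"; }
# avc_perms LINE: the permissions inside "denied  { ... }".
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'; }
# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
is_generic() { case " $GENERIC_TYPES " in *" $1 "*) return 0;; esac; return 1; }

# diagnose LINE EXPECTED_CONTEXT -> relabel | missing-fcontext | allow-rule
diagnose() {
    cur=$(ctx_type "$(avc_field "$1" tcontext)"); exp=$(ctx_type "$2")
    if [ "$cur" != "$exp" ]; then echo relabel          # restorecon fixes it
    elif is_generic "$exp"; then echo missing-fcontext  # policy has no rule for the path
    else echo allow-rule; fi                            # label right, policy lacks the allow
}

# suggest_fix LINE EXPECTED_CONTEXT: print the narrowest remedy as shell commands.
# For missing-fcontext the target type is derived from the source domain by the
# naming convention seen on this page (NetworkManager_t -> NetworkManager_var_run_t).
suggest_fix() {
    path=$(avc_field "$1" path); src=$(ctx_type "$(avc_field "$1" scontext)")
    case "$(diagnose "$1" "$2")" in
    relabel) printf 'restorecon -v %s\n' "$path" ;;
    missing-fcontext)
        printf "semanage fcontext -a -t %s_var_run_t '%s'\n" "${src%_t}" "$(printf '%s' "$path" | sed 's/\./\\./g')"
        printf 'restorecon -v %s\n' "$path" ;;
    allow-rule)
        printf '# label is correct; report: allow %s %s:%s { %s };\n' "$src" "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)" "$(avc_perms "$1")" ;;
    esac
}

# Constructed input: the denial and matchpathcon result quoted in this report.
AVC='type=AVC msg=audit(1333395968.271:1713): avc:  denied  { getattr } for  pid=946 comm="NetworkManager" path="/var/run/nm-dns-dnsmasq.conf" dev=tmpfs ino=6364673 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file'
EXPECTED=system_u:object_r:var_run_t:s0
diagnose "$AVC" "$EXPECTED"      # missing-fcontext
suggest_fix "$AVC" "$EXPECTED"
```

The audit2allow rule quoted in the description (allow NetworkManager_t var_run_t:file getattr;) would instead let NetworkManager stat every var_run_t file on the system, which is why the path-specific label is the right remedy.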
Comment 9 Miroslav Grepl 2012-04-06 08:46:38 EDT
It is going to be fixed in the next release.
Comment 10 Fedora End Of Life 2012-08-07 16:23:35 EDT
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
