Bug 875648 - Allow dnsmasq to access /etc/NetworkManager/dnsmasq.d
Summary: Allow dnsmasq to access /etc/NetworkManager/dnsmasq.d
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-12 09:39 UTC by Jirka Klimes
Modified: 2016-01-04 06:02 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 15:57:53 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Jirka Klimes 2012-11-12 09:39:21 UTC 
Please allow 'dnsmasq' binary to open '/etc/NetworkManager/dnsmasq.d' directory and read files from it.

NetworkManager uses the directory for custom dnsmasq's configuration not to conflict with default/global dnsnmasq configs.
For more information you can look at this commit: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=ac152ece0206b4cde28acf78abb21518e67513e1

The problem has been discovered while analyzing bug 873621.

AVC:
Nov 12 10:21:58 gromit kernel: [ 7233.682037] type=1400 audit(1352712118.417:17): avc:  denied  { read } for  pid=10710 comm="dnsmasq" name="dnsmasq.d" dev="sda2" ino=605483 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir
Nov 12 10:21:58 gromit kernel: [ 7233.682051] type=1400 audit(1352712118.418:18): avc:  denied  { open } for  pid=10710 comm="dnsmasq" path="/etc/NetworkManager/dnsmasq.d" dev="sda2" ino=605483 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir
Comment 1 Miroslav Grepl 2012-11-12 10:12:30 UTC 
Fixed in selinux-policy-3.10.0-160.fc17
Comment 2 Jirka Klimes 2012-11-12 10:45:58 UTC 
Thanks a lot.
Comment 3 Miroslav Grepl 2012-11-12 13:33:45 UTC 
No problem. It will be as a new update soon.
Comment 4 Ian Pilcher 2012-11-12 16:16:17 UTC 
(In reply to comment #1)
> Fixed in selinux-policy-3.10.0-160.fc17

I really need this, so I'd love to test, but I can't find this in Koji.  Can you provide a pointer to the SRPM, patch, git repo, etc?

Thanks!
Comment 5 Miroslav Grepl 2012-11-13 11:58:33 UTC 
Sure, going to do a new build today.
Comment 6 Miroslav Grepl 2012-11-13 12:59:03 UTC 
You can download it from koji now.

rpms:
 http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/160.fc17/noarch/selinux-policy-3.10.0-160.fc17.noarch.rpm
 http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/160.fc17/noarch/selinux-policy-devel-3.10.0-160.fc17.noarch.rpm
 http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/160.fc17/noarch/selinux-policy-doc-3.10.0-160.fc17.noarch.rpm
 http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.10.0/160.fc17/noarch/selinux-policy-targeted-3.10.0-160.fc17.noarch.rpm
Comment 7 Fedora Update System 2012-11-21 11:55:11 UTC 
selinux-policy-3.10.0-161.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-161.fc17
Comment 8 Fedora Update System 2012-11-22 03:58:38 UTC 
Package selinux-policy-3.10.0-161.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-161.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18787/selinux-policy-3.10.0-161.fc17
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2012-12-20 15:57:59 UTC 
selinux-policy-3.10.0-161.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.