Bug 876757 - SELinux is preventing NetworkManager from 'unlink' accesses on the file /etc/resolv.conf.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:77261c568d4cfcbf07123b7b7e3...
Depends On:
Blocks:
 
Reported: 2012-11-14 21:38 UTC by Rudy Suryanto
Modified: 2012-11-15 15:19 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-11-15 10:01:08 UTC
Type: ---
Embargoed:


Attachments
File: type (9 bytes, text/plain), 2012-11-14 21:38 UTC, Rudy Suryanto
File: hashmarkername (14 bytes, text/plain), 2012-11-14 21:38 UTC, Rudy Suryanto

Description Rudy Suryanto 2012-11-14 21:38:17 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.5-1.fc17.x86_64

description:
SELinux is preventing NetworkManager from 'unlink' accesses on the file /etc/resolv.conf.

*****  Plugin restorecon (94.8 confidence) suggests  *************************

If you want to fix the label.
/etc/resolv.conf default label should be net_conf_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/resolv.conf

*****  Plugin catchall_labels (5.21 confidence) suggests  ********************

If you want to allow NetworkManager to have unlink access on the resolv.conf file
Then you need to change the label on /etc/resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE '/etc/resolv.conf'
where FILE_TYPE is one of the following: dnsmasq_var_run_t, NetworkManager_etc_rw_t, named_cache_t, NetworkManager_log_t, NetworkManager_tmp_t, dhcpc_state_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, pppd_var_run_t, dhcpc_var_run_t, net_conf_t, root_t.
Then execute:
restorecon -v '/etc/resolv.conf'

*****  Plugin catchall (1.44 confidence) suggests  ***************************

If you believe that NetworkManager should be allowed unlink access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.5-1.fc17.x86_64 #1 SMP Wed Oct 31 19:37:18 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-11-15 04:31:42 WIT
Last Seen                     2012-11-15 04:31:42 WIT
Local ID                      4789d75b-432f-4e78-b9fa-423e1bd676ac

Raw Audit Messages
type=AVC msg=audit(1352928702.25:63): avc:  denied  { unlink } for  pid=630 comm="NetworkManager" name="resolv.conf" dev="sda1" ino=136779 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Hash: NetworkManager,NetworkManager_t,etc_t,file,unlink

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t etc_t:file unlink;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t etc_t:file unlink;


Potential duplicate bug: 666454

Comment 1 Rudy Suryanto 2012-11-14 21:38:22 UTC
Created attachment 645182 [details]
File: type

Comment 2 Rudy Suryanto 2012-11-14 21:38:26 UTC
Created attachment 645183 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2012-11-15 10:01:08 UTC
# matchpathcon /etc/resolv.conf
/etc/resolv.conf    system_u:object_r:net_conf_t:s0

Which means the resolv.conf is mislabeled. If you execute

# restorecon -Rv /etc/resolv.conf

are you able to reproduce it? If so, please reopen the bug. Thank you.
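
Triage of the AVC denial in the report against the matchpathcon check in comment 3, as an added shell example that is not part of this bug report: it pulls the fields out of a constructed copy of the denial line and classifies the denial as a mislabel (the restorecon case) when the target's actual type differs from the type the policy expects for that path, and as a genuine policy gap otherwise. The expected type is passed in by hand so the script runs offline; the sample line, AVC_SAMPLE, is constructed to match the one above.

```shell
#!/bin/sh
# Constructed sample AVC line, copied from the raw audit message in this report.
AVC_SAMPLE='type=AVC msg=audit(1352928702.25:63): avc:  denied  { unlink } for  pid=630 comm="NetworkManager" name="resolv.conf" dev="sda1" ino=136779 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# avc_field LINE KEY -> value of the KEY=value token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm LINE -> the permission(s) listed between { and }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE EXPECTED_TYPE
# Prints "mislabel" when the denied object's type is not the type the policy
# assigns to that path (what matchpathcon prints), i.e. restorecon fixes it;
# prints "policy" when the label is already correct and the policy itself
# lacks the rule, which is the case worth reporting as a bug.
avc_triage() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo mislabel
    else
        echo policy
    fi
}

# Stand-alone run: summarise the sample denial and classify it.
echo "comm=$(avc_field "$AVC_SAMPLE" comm) perm=$(avc_perm "$AVC_SAMPLE") \
tclass=$(avc_field "$AVC_SAMPLE" tclass) target_type=$(ctx_type "$(avc_field "$AVC_SAMPLE" tcontext)")"
echo "verdict: $(avc_triage "$AVC_SAMPLE" net_conf_t)"
```

On a live host the expected type comes from `matchpathcon -n /etc/resolv.conf` rather than a hand-supplied argument.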

Comment 4 Daniel Walsh 2012-11-15 15:19:49 UTC
BTW, the alert told you how to fix it. Any idea how you got this mislabeled?

