Description of problem:
SELinux is preventing /usr/sbin/dnsmasq from 'write' accesses on the directory /var/run/NetworkManager/dnsmasq.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dnsmasq should be allowed write access on the dnsmasq.pid directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep dnsmasq /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                /var/run/NetworkManager/dnsmasq.pid [ dir ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dnsmasq-2.65-4.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-76.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.7.6-201.fc18.x86_64 #1 SMP Mon Feb 4 15:54:08 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-02-13 12:43:47 CET
Last Seen                     2013-02-15 08:34:37 CET
Local ID                      6bd300ef-713c-4cbb-8911-366f6c6186fe

Raw Audit Messages
type=AVC msg=audit(1360913677.502:143): avc: denied { write } for pid=4785 comm="dnsmasq" name="NetworkManager" dev="tmpfs" ino=14857 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir

type=AVC msg=audit(1360913677.502:143): avc: denied { add_name } for pid=4785 comm="dnsmasq" name="dnsmasq.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir

type=AVC msg=audit(1360913677.502:143): avc: denied { create } for pid=4785 comm="dnsmasq" name="dnsmasq.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

type=AVC msg=audit(1360913677.502:143): avc: denied { write } for pid=4785 comm="dnsmasq" path="/run/NetworkManager/dnsmasq.pid" dev="tmpfs" ino=559446 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1360913677.502:143): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=1f5eb50 a1=2c1 a2=1a4 a3=18 items=3 ppid=826 pid=4785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

type=CWD msg=audit(1360913677.502:143): cwd=/

type=PATH msg=audit(1360913677.502:143): item=0 name=/var/run/NetworkManager/dnsmasq.pid inode=14857 dev=00:11 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:NetworkManager_var_run_t:s0

type=PATH msg=audit(1360913677.502:143): item=1 name=(null) inode=14857 dev=00:11 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:NetworkManager_var_run_t:s0

type=PATH msg=audit(1360913677.502:143): item=2 name=(null) inode=559446 dev=00:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:NetworkManager_var_run_t:s0

Hash: dnsmasq,dnsmasq_t,NetworkManager_var_run_t,dir,write

audit2allow

#============= dnsmasq_t ==============
#!!!! The source type 'dnsmasq_t' can write to a 'dir' of the following types:
# dnsmasq_var_log_t, dnsmasq_var_run_t, dnsmasq_lease_t, var_log_t, crond_var_run_t, var_lib_t, var_run_t, virt_var_lib_t, virt_var_run_t

allow dnsmasq_t NetworkManager_var_run_t:dir { write add_name };
allow dnsmasq_t NetworkManager_var_run_t:file { write create };

audit2allow -R

#============= dnsmasq_t ==============
#!!!! The source type 'dnsmasq_t' can write to a 'dir' of the following types:
# dnsmasq_var_log_t, dnsmasq_var_run_t, dnsmasq_lease_t, var_log_t, crond_var_run_t, var_lib_t, var_run_t, virt_var_lib_t, virt_var_run_t

allow dnsmasq_t NetworkManager_var_run_t:dir { write add_name };
allow dnsmasq_t NetworkManager_var_run_t:file { write create };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.6-201.fc18.x86_64
type:           libreport
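The raw audit records above are what setroubleshoot and audit2allow work from: each AVC line names the source type (dnsmasq_t), the target type (NetworkManager_var_run_t), the object class (dir or file) and the denied permission. The following is an added example, not code from the bug report or from setroubleshoot, that parses AVC records in that format, groups the denied permissions by (source type, target type, class) the way audit2allow does, and renders the resulting allow rules. It shows why the suggested local module would grant dnsmasq_t { write add_name } on every NetworkManager_var_run_t directory and { create write } on every such file, which is broader than the single pid file that triggered the alert and is why a distribution policy fix is preferable to a catch-all local module. The sample log is constructed from the records quoted above plus one abbreviated SYSCALL record; everything else (function names, regex) is my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in the bug report,
# plus an abbreviated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1360913677.502:143): avc:  denied  { write } for  pid=4785 comm="dnsmasq" name="NetworkManager" dev="tmpfs" ino=14857 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1360913677.502:143): avc:  denied  { add_name } for  pid=4785 comm="dnsmasq" name="dnsmasq.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1360913677.502:143): avc:  denied  { create } for  pid=4785 comm="dnsmasq" name="dnsmasq.pid" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file
type=AVC msg=audit(1360913677.502:143): avc:  denied  { write } for  pid=4785 comm="dnsmasq" path="/run/NetworkManager/dnsmasq.pid" dev="tmpfs" ino=559446 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1360913677.502:143): arch=x86_64 syscall=open success=yes comm=dnsmasq exe=/usr/sbin/dnsmasq
"""

# One AVC record per line: decision, permission set, and the three fields
# that determine which policy rule would have been needed.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
OBJECT_RE = re.compile(r'\b(?:name|path)="([^"]*)"')


def parse_avc(text):
    """Return one dict per AVC record in text; records of other types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type:level; the policy rule is keyed on the type only.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        obj = OBJECT_RE.search(line)
        rec["object"] = obj.group(1) if obj else None
        records.append(rec)
    return records


def summarize(records):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for rec in records:
        if rec["decision"] != "denied":
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def to_allow_rules(summary):
    """Render the grouped denials as 'allow' statements in policy-source syntax."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    for rec in recs:
        print(f"{rec['stype']} -> {rec['ttype']}:{rec['tclass']} {rec['perms']} object={rec['object']}")
    for rule in to_allow_rules(summarize(recs)):
        print(rule)
```

Run against a real /var/log/audit/audit.log the same grouping tells you how many distinct objects a proposed rule would cover; here every denied object is the new /run/NetworkManager directory and its pid file, which is the path change the later comments point at.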
Is this some kind of new config? Did you modify anything or was this default?
I just ran into this today. I made no config changes, but it was after a big yum update. Among many other packages, that update included selinux-policy-3.11.1-73 to 3.11.1-78 and NetworkManager-1:0.9.7.0-12.git20121004 to 1:0.9.7.997-2. I was already on dnsmasq-2.65-4 from updates-testing without having this issue.
Just to be sure, you need "dns=dnsmasq" in /etc/NetworkManager/NetworkManager.conf to run into this.

Downgrading to NetworkManager-1:0.9.7.0-12.git20121004 fixed it for me.

I believe it is due to this NM commit:

commit d82669d3fdaa7ec70ef1b64941c101ac810c394b
Author: Pavel Šimerda <psimerda>
Date:   Thu Aug 23 11:53:41 2012 +0200

    build: unify NetworkManager path handling (some paths are changed)

    Use autoconf/automake variables for NetworkManager paths. Use
    NetworkManager subdirectory where appropriate.

    Files in /var/run (or /run on some distros) are moved into a separate
    directory as is usual with other daemons. It makes the filesystem more
    readable and file prefixing unnecessary.

    /var/run/NetworkManager.pid -> /var/run/NetworkManager/NetworkManager.pid
    /var/run/nm-dns-dnsmasq.pid -> /var/run/NetworkManager/dnsmasq.pid
    /var/run/nm-dns-dnsmasq.conf -> /var/run/NetworkManager/dnsmasq.conf

    The /var/run/NetworkManager directory is created at runtime, if it
    doesn't exist.

    Note: Path-based security policies like SELinux and AppArmor may need to
    be adapted.

So that last note indeed seems relevant. :)
(In reply to comment #3)
> Downgrading to NetworkManager-1:0.9.7.0-12.git20121004 fixed it for me.
>
> I believe it is due to this NM commit:
>
> commit d82669d3fdaa7ec70ef1b64941c101ac810c394b
> Date:   Thu Aug 23 11:53:41 2012 +0200

Just to be clear, that's really the AuthorDate; the CommitDate is Nov 5, which would be why the git20121004 snapshot was fine (using the old paths).
Started VPN connection.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
48d3bf566e6ec5c024e4f1d358c509c59287f762 Fixes this in Rawhide.
Backported.

commit f4a4ca58379e260580ac2a4493360fcd80f235f8
Author: Dan Walsh <dwalsh>
Date:   Wed Feb 20 10:32:33 2013 +0100

    Allow dnsmasq to create content in /var/run/NetworkManager
NetworkManager is configured with dnsmasq. After enabling any of the configured connections in NM I get this SELinux alert.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
(In reply to comment #7)
> Backported.

It wasn't obvious to me until I actually needed the functionality, but this does break split DNS. I've had to put my system into permissive mode to get work done -- for the first time in a very long time. An updated build (or even a link to the actual repo/patch) would be greatly appreciated.
selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18
selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.