Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1188888

Summary: SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, lvrabec, mgrepl, mruckman, peljasz, plautrba, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:e8b6f3862300de5e59888580e73e5931211a383882e2e1e76048dffeeab4e024
Fixed In Version: selinux-policy-3.13.1-108.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-09 17:40:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1043130    

Description Adam Williamson 2015-02-03 23:08:26 UTC
Description of problem:
Happens of boot of a Rawhide Workstation live image with selinux-policy-3.13.1-107.fc22.
SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chronyd should be allowed read access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chronyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      5505d495-0668-4216-afe2-d23e35d2d26f

Raw Audit Messages
type=AVC msg=audit(1423004224.24:447): avc:  denied  { read } for  pid=848 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1


Hash: chronyd,chronyd_t,NetworkManager_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Comment 1 Adam Williamson 2015-02-03 23:09:06 UTC
Proposing as a Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications .

Comment 2 Adam Williamson 2015-02-03 23:09:52 UTC
There's a similar denial for 'open':

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                /run/NetworkManager/resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      031b40cb-56ae-43ae-9a77-c095b974d2d4

Raw Audit Messages
type=AVC msg=audit(1423004224.24:448): avc:  denied  { open } for  pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

Comment 3 Adam Williamson 2015-02-03 23:10:32 UTC
And one for 'getattr':

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                /run/NetworkManager/resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      36ec33fe-3d43-4549-9eb9-4712273531d2

Raw Audit Messages
type=AVC msg=audit(1423004224.24:449): avc:  denied  { getattr } for  pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

Comment 4 lejeczek 2015-02-04 12:22:59 UTC
Description of problem:
networkManager's dispatcher is supposed to run a script that changes /etc/resolv.conf & /etc/hosts

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Comment 5 Lukas Vrabec 2015-02-04 13:30:37 UTC
commit cc28df82cdec572ca816f914eea5006aa5c2e7a6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 2 18:27:17 2015 +0100

    Fix labels, improve sysnet_manage_config interface.

commit 55ea073f65f979793a0c47d78cc82ffeb8401f1a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 19:01:50 2015 +0100

    Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.

Comment 6 Mike Ruckman 2015-02-07 05:31:38 UTC
I don't see this any more with the recent selinux-policy-3.13.1-110.fc22.noarch build.

Comment 7 lejeczek 2015-02-07 12:58:28 UTC
it seems to be fine, my problem though might have been caused by unconfined label on the script. Thanks.

Comment 8 Adam Williamson 2015-02-09 17:40:43 UTC
Works fine with 110 for me too.