Bug 1188888
Summary: SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Adam Williamson <awilliam> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED RAWHIDE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | rawhide | CC | dominick.grift, dwalsh, lvrabec, mgrepl, mruckman, peljasz, plautrba, robatino |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:e8b6f3862300de5e59888580e73e5931211a383882e2e1e76048dffeeab4e024 | | |
| Fixed In Version | selinux-policy-3.13.1-108.fc22 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-02-09 17:40:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1043130 | | |
Description
Adam Williamson
2015-02-03 23:08:26 UTC
Proposing as a Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications

There's a similar denial for 'open':

Additional Information:
Source Context        system_u:system_r:chronyd_t:s0
Target Context        system_u:object_r:NetworkManager_var_run_t:s0
Target Objects        /run/NetworkManager/resolv.conf [ file ]
Source                chronyd
Source Path           chronyd
Port                  <Unknown>
Host                  localhost
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             localhost
Platform              Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1 SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count           1
First Seen            2015-02-03 17:57:04 EST
Last Seen             2015-02-03 17:57:04 EST
Local ID              031b40cb-56ae-43ae-9a77-c095b974d2d4

Raw Audit Messages
type=AVC msg=audit(1423004224.24:448): avc: denied { open } for pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

And one for 'getattr':

Additional Information:
Source Context        system_u:system_r:chronyd_t:s0
Target Context        system_u:object_r:NetworkManager_var_run_t:s0
Target Objects        /run/NetworkManager/resolv.conf [ file ]
Source                chronyd
Source Path           chronyd
Port                  <Unknown>
Host                  localhost
Source RPM Packages
Target RPM Packages
Policy RPM            selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             localhost
Platform              Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1 SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count           1
First Seen            2015-02-03 17:57:04 EST
Last Seen             2015-02-03 17:57:04 EST
Local ID              36ec33fe-3d43-4549-9eb9-4712273531d2

Raw Audit Messages
type=AVC msg=audit(1423004224.24:449): avc: denied { getattr } for pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

Description of problem:
NetworkManager's dispatcher is supposed to run a script that changes /etc/resolv.conf & /etc/hosts

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

commit cc28df82cdec572ca816f914eea5006aa5c2e7a6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 2 18:27:17 2015 +0100

    Fix labels, improve sysnet_manage_config interface.

commit 55ea073f65f979793a0c47d78cc82ffeb8401f1a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 19:01:50 2015 +0100

    Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.

I don't see this any more with the recent selinux-policy-3.13.1-110.fc22.noarch build.

It seems to be fine; my problem though might have been caused by unconfined label on the script. Thanks.

Works fine with 110 for me too.
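The raw audit messages quoted in this report are the input that setroubleshoot and audit2allow work from. What follows is an added example, not code from the bug report, from Fedora, or from the selinux-policy project: a small Python parser that turns such AVC lines into (source type, target type, object class) groups with the union of denied permissions, the way audit2allow groups them, and returns the allow rule audit2allow would propose so it can be set against the relabeling fix this bug actually took. The first two sample lines are copied from the report above; the 'read' line is constructed here because the summary names a 'read' denial that the report body does not quote. The names parse_avc, summarize, candidate_allow_rules, context_type and SAMPLE_AVCS are this example's own.

```python
import re
from collections import defaultdict

# Raw audit lines. The first two are copied verbatim from the report above; the
# third is CONSTRUCTED for this example to stand in for the 'read' denial that
# the bug summary names but the report body does not quote.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1423004224.24:448): avc: denied { open } for pid=848 '
    'comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1423004224.24:449): avc: denied { getattr } for pid=848 '
    'comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1',
    # constructed line, not quoted on the page
    'type=AVC msg=audit(1423004224.24:447): avc: denied { read } for pid=848 '
    'comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 '
    'scontext=system_u:system_r:chronyd_t:s0 '
    'tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1',
]

# Anchored at "audit(" so it accepts both the auditd form used on this page
# ("type=AVC msg=audit(...)") and the kernel-log form ("audit: type=1400 audit(...)").
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Group denials by (source type, target type, object class), as audit2allow
    does, keeping the union of denied permissions and the paths involved."""
    summary = defaultdict(lambda: {"perms": set(), "paths": set(),
                                   "serials": [], "permissive": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        entry = summary[(avc["stype"], avc["ttype"], avc["tclass"])]
        entry["perms"] |= avc["perms"]
        entry["serials"].append(avc["serial"])
        entry["permissive"].add(avc["permissive"])
        if avc["path"]:
            entry["paths"].add(avc["path"])
    return dict(summary)


def candidate_allow_rules(summary):
    """The allow rule audit2allow would propose for each group. Returned for
    comparison only: such a rule lets chronyd_t touch every file of type
    NetworkManager_var_run_t, whereas the fix in this bug relabeled the one
    file as net_conf_t (the type /etc/resolv.conf itself carries) rather than
    widening chronyd_t's access to NetworkManager's run directory."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, perms))
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVCS)
    for key, entry in groups.items():
        mode = "permissive (logged only)" if entry["permissive"] == {True} else "enforcing"
        print("%s -> %s:%s %s  paths=%s  mode=%s" % (
            key[0], key[1], key[2], sorted(entry["perms"]), sorted(entry["paths"]), mode))
    for rule in candidate_allow_rules(groups):
        print("audit2allow-style:", rule)
```

Two triage points the grouping makes visible. First, every denial carries permissive=1 and the alert reports Enforcing Mode Permissive, so chronyd was never actually blocked; the blocker concern is the notification itself, not broken time sync. Second, the rule audit2allow would emit is a type-to-type grant, much wider than the single file that was mislabeled. On a live system, `ls -Z /run/NetworkManager/resolv.conf` shows the label the file has and `matchpathcon /run/NetworkManager/resolv.conf` shows what the loaded policy's file contexts say it should have; when the two differ the file needs `restorecon`, not a new rule, and `sesearch -A -s chronyd_t -t net_conf_t -c file -p read` (from setools) confirms the source domain already has the access once the label is right.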