Bug 1075193 - SELinux prevents applications from using /etc/resolv.conf symlink to /run/systemd/network/resolv.conf when using systemd-networkd
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-11 16:51 UTC by Anthony Messina
Modified: 2014-03-14 08:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 09:26:30 UTC
Type: Bug
Embargoed:



Description Anthony Messina 2014-03-11 16:51:33 UTC
According to http://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html, when using systemd-networkd, applications which use /etc/resolv.conf should do so via a symlink placed in /etc:

/etc/resolv.conf -> /run/systemd/network/resolv.conf

With the SELinux policy available now, applications such as sssd, Postfix, sshd, KDE, etc. are prevented from doing so with AVCs similar to the following example (for sssd):


type=AVC msg=audit(1394554663.170:26): avc:  denied  { read } for  pid=646 comm="sssd_be" name="resolv.conf" dev="tmpfs" ino=22311 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file


type=AVC msg=audit(1394554663.170:26): avc:  denied  { open } for  pid=646 comm="sssd_be" path="/run/systemd/network/resolv.conf" dev="tmpfs" ino=22311 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1394554663.170:26): arch=x86_64 syscall=open success=yes exit=ENOTBLK a0=7f526b115c09 a1=80000 a2=1b6 a3=fffffffffffff5a3 items=0 ppid=640 pid=646 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sssd_be exe=/usr/libexec/sssd/sssd_be subj=system_u:system_r:sssd_t:s0 key=(null)

Comment 1 Miroslav Grepl 2014-03-12 09:26:30 UTC
Ok, I added more fixes for this bug.

commit a047b670f05b23a282e483eea187d45308950a95
Author: Miroslav Grepl <mgrepl>
Date:   Wed Mar 12 10:23:25 2014 +0100

    Add /usr/lib/systemd/systemd-networkd policy

commit f28547d84b0da62f4af4e6dfb867cd40d46ac55b
Author: Miroslav Grepl <mgrepl>
Date:   Wed Mar 12 10:18:47 2014 +0100

    Add sysnet_manage_config_dirs()

commit 1d286b58d43466e67172b00598c9c7d469286f43
Author: Miroslav Grepl <mgrepl>
Date:   Wed Mar 12 10:02:09 2014 +0100

    Add support for /var/run/systemd/network and labeled it as net_conf_t

Comment 2 Anthony Messina 2014-03-13 14:35:43 UTC
Closer...  Using systemd-networkd for DHCP.  Thanks.

type=AVC msg=audit(1394721186.19:21): avc:  denied  { create } for  pid=639 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=packet_socket


type=AVC msg=audit(1394721186.19:21): avc:  denied  { net_raw } for  pid=639 comm="systemd-network" capability=13  scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability

type=SYSCALL msg=audit(1394721186.19:21): arch=x86_64 syscall=socket success=yes exit=EAGAIN a0=11 a1=80802 a2=8 a3=7f9b6f58c440 items=0 ppid=1 pid=639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

type=AVC msg=audit(1394721186.19:23): avc:  denied  { bind } for  pid=639 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=packet_socket

type=SYSCALL msg=audit(1394721186.19:23): arch=x86_64 syscall=bind success=yes exit=0 a0=b a1=7f9b712f0c38 a2=14 a3=7fffca947f94 items=0 ppid=1 pid=639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

type=AVC msg=audit(1394721186.23:24): avc:  denied  { getattr } for  pid=639 comm="systemd-network" path="socket:[17280]" dev="sockfs" ino=17280 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=packet_socket

type=SYSCALL msg=audit(1394721186.23:24): arch=x86_64 syscall=ioctl success=yes exit=0 a0=b a1=541b a2=7fffca948094 a3=0 items=0 ppid=1 pid=639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

type=AVC msg=audit(1394721186.19:22): avc:  denied  { setopt } for  pid=639 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=packet_socket

type=SYSCALL msg=audit(1394721186.19:22): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=b a1=107 a2=8 a3=7fffca947f94 items=0 ppid=1 pid=639 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Comment 3 Miroslav Grepl 2014-03-14 08:17:54 UTC
Thank you for testing. Additional fixes have been added.

