Bug 1185195 - SELinux is preventing NetworkManager from 'create' accesses on the lnk_file .resolv.conf.NetworkManager.
Summary: SELinux is preventing NetworkManager from 'create' accesses on the lnk_file ....
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker abrt_hash:4fa1b290790...
Depends On:
Blocks: F22AlphaBlocker
 
Reported: 2015-01-23 08:26 UTC by Kamil Páral
Modified: 2015-02-08 20:14 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.13.1-108.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-07 19:21:43 UTC
Type: ---
Embargoed:


Attachments
anaconda 22.17-1 failure in rawhide if no networking (2.62 MB, image/jpeg)
2015-02-01 17:25 UTC, satellitgo

Description Kamil Páral 2015-01-23 08:26:28 UTC
Description of problem:
SELinux is preventing NetworkManager from 'create' accesses on the lnk_file .resolv.conf.NetworkManager.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow NetworkManager to have create access on the .resolv.conf.NetworkManager lnk_file
Then you need to change the label on .resolv.conf.NetworkManager
Do
# semanage fcontext -a -t FILE_TYPE '.resolv.conf.NetworkManager'
where FILE_TYPE is one of the following: named_cache_t. 
Then execute: 
restorecon -v '.resolv.conf.NetworkManager'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that NetworkManager should be allowed create access on the .resolv.conf.NetworkManager lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                .resolv.conf.NetworkManager [ lnk_file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-104.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.0-0.rc5.git1.1.fc22.x86_64 #1
                              SMP Wed Jan 21 15:03:02 UTC 2015 x86_64 x86_64
Alert Count                   16
First Seen                    2015-01-22 13:56:02 CET
Last Seen                     2015-01-23 09:22:53 CET
Local ID                      ff905837-2fcd-41ab-a15d-196ed1dddc4f

Raw Audit Messages
type=AVC msg=audit(1422001373.412:413): avc:  denied  { create } for  pid=701 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0


Hash: NetworkManager,NetworkManager_t,etc_t,lnk_file,create

Version-Release number of selected component:
selinux-policy-3.13.1-104.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc5.git1.1.fc22.x86_64
type:           libreport

Comment 1 Onyeibo Oku 2015-01-23 19:47:33 UTC
Description of problem:
After a recent update, starting nmcli or internet from NetworkManager throws an AVC. Initially, this prevented internet access until I disabled SELinux, relabelled all files and enabled SELinux again.

Now there is internet access but the AVCs persist

Version-Release number of selected component:
selinux-policy-3.13.1-104.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc5.git0.1.fc22.x86_64
type:           libreport

Comment 2 Adam Williamson 2015-01-23 22:37:01 UTC
This is preventing live images from having network access, as /etc/resolv.conf is an empty file; note matching line in journalctl:

Jan 23 17:13:08 localhost NetworkManager[985]: <warn>  could not commit DNS changes: (0) Could not create symlink /etc/.resolv.conf.NetworkManager pointing to /var/run/NetworkManager/resolv.conf: Permission denied

I think it 'works' for Onyeibo after #c1 because NM managed to create resolv.conf while he was running with SELinux disabled, but if NM needed to *change* it at all, that wouldn't work.

Nominating as an Alpha blocker per criterion "It must be possible to run the default web browser and a terminal application from all release-blocking desktop environments. ... The web browser must be able to download files, load extensions (if applicable), and log into FAS." - it can't do that if the network doesn't work. https://fedoraproject.org/wiki/Fedora_22_Alpha_Release_Criteria#Required_applications

Comment 4 satellitgo 2015-01-25 02:11:00 UTC
seen in VirtualBox install of Fedora-Live-KDE-i686-rawhide-20150124.iso

Comment 5 satellitgo 2015-01-25 02:17:37 UTC
setenforce 0 in root terminal fixes VirtualBox install

Comment 7 Dan Mossor [danofsatx] 2015-01-26 17:43:48 UTC
Discussed at Fedora Blocker Review Meeting 2015-01-26

http://meetbot.fedoraproject.org/fedora-blocker-review/2015-01-26/f22-blocker-review.2015-01-26-17.00.log.txt

AcceptedBlocker - This bug prevents anything requiring the network from working. Violates at least the following criterion: "The installed system must be able to download and install updates with the default console package manager."

Comment 8 satellitgo 2015-01-30 15:27:02 UTC
setenforce 0 required in
 fedora-live-soas-x86_64-rawhide-20150130
 fedora-live-MATE_Compiz-x86_64-rawhide-20150130
for networking to work

Comment 9 Daniel Walsh 2015-02-01 12:04:26 UTC
46a625380b15d972acabc8d6df11f2d953ec4687 should fix this in git.

Comment 10 satellitgo 2015-02-01 17:20:26 UTC
f22-Live-Workstation x86_64 rawhide 20150201 with anaconda 22.17-1 (NEW: requires strong password)
Anaconda does not start if no networking is found.
Have to do the ABRT suggestions in a root terminal to get wireless working. Even when booted with setenforce 0,
wired networking does not disconnect.
Not fixed.

Comment 11 satellitgo 2015-02-01 17:25:02 UTC
Created attachment 986807 [details]
anaconda 22.17-1 failure in rawhide if no networking

anaconda 22.17-1 failure with no networking even with setenforce 0 
f22-20150201-rawhide-x86_64 workstation live

Comment 12 Adam Williamson 2015-02-01 17:44:36 UTC
There is no new package with the fix for this bug yet, so of course it's not fixed in a current nightly.

Comment 13 Lukas Vrabec 2015-02-02 10:49:52 UTC
commit 46a625380b15d972acabc8d6df11f2d953ec4687
Author: Dan Walsh <dwalsh>
Date:   Sun Feb 1 07:04:02 2015 -0500

    Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager

Comment 14 Adam Williamson 2015-02-03 22:58:03 UTC
I built a live image with selinux-policy -107 and it does not fix the bug, for me. On boot, I still have no /etc/resolv.conf and a bunch of AVCs relating to .resolv.conf.NetworkManager and resolv.conf . Filing them now.

Comment 15 Adam Williamson 2015-02-03 22:59:23 UTC
Description of problem:
Happens on boot of a Rawhide live image with selinux-policy-3.13.1-107.fc22 (even though that was supposed to fix this stuff).

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Comment 16 Adam Williamson 2015-02-03 23:01:34 UTC
Here's the 'details' of the alerts with -107:

SELinux is preventing NetworkManager from create access on the lnk_file .resolv.conf.NetworkManager.

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                .resolv.conf.NetworkManager [ lnk_file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:03 EST
Last Seen                     2015-02-03 17:57:03 EST
Local ID                      148dda01-6313-45ab-b744-4d4873e97ae0

Raw Audit Messages
type=AVC msg=audit(1423004223.917:442): avc:  denied  { create } for  pid=991 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1

------------------

SELinux is preventing NetworkManager from rename access on the lnk_file .resolv.conf.NetworkManager.

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                .resolv.conf.NetworkManager [ lnk_file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:03 EST
Last Seen                     2015-02-03 17:57:03 EST
Local ID                      8579450b-7169-4118-bbe3-a38e230a693e

Raw Audit Messages
type=AVC msg=audit(1423004223.917:443): avc:  denied  { rename } for  pid=991 comm="NetworkManager" name=".resolv.conf.NetworkManager" dev="dm-0" ino=311148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
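
As an added example (not part of this bug report or of setroubleshoot itself), a small Python parser that pulls the fields out of raw AVC lines like the ones above, rebuilds the comma-separated tuple this report shows on its "Hash:" line (comm, source type, target type, class, permission), and filters for the NetworkManager_t -> etc_t lnk_file pattern that identifies this mislabelled-symlink bug. The two NetworkManager lines are copied from this report; the httpd line is a constructed non-matching control.

```python
import re

# Raw AVC denials: first two copied from this bug report, third constructed
# as a control that must not match the resolv.conf filter.
AVC_LINES = [
    'type=AVC msg=audit(1422001373.412:413): avc:  denied  { create } for  pid=701 comm="NetworkManager" name=".resolv.conf.NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1423004223.917:443): avc:  denied  { rename } for  pid=991 comm="NetworkManager" name=".resolv.conf.NetworkManager" dev="dm-0" ino=311148 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1423004300.000:450): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# Header: timestamp:serial, the braced permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token (contexts contain ':').
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw AVC denial into a dict; return None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['timestamp'] = float(m.group('ts'))
    rec['permissive'] = rec.get('permissive') == '1'
    # A context is user:role:type:level; the type is what policy rules key on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def signature(rec):
    """Tuple in the order setroubleshoot prints on its Hash: line."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], rec['perms'][0]])


def resolv_conf_denials(lines):
    """Signatures of denials matching this bug: NetworkManager_t on an etc_t lnk_file,
    i.e. the /etc/.resolv.conf.NetworkManager symlink carrying the wrong label."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['stype'] == 'NetworkManager_t' and rec['ttype'] == 'etc_t' and rec['tclass'] == 'lnk_file':
            hits.append(signature(rec))
    return hits


if __name__ == '__main__':
    for sig in resolv_conf_denials(AVC_LINES):
        print(sig)
```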

Comment 17 Lukas Vrabec 2015-02-04 12:12:52 UTC
commit 55ea073f65f979793a0c47d78cc82ffeb8401f1a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 19:01:50 2015 +0100

    Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.

commit cc28df82cdec572ca816f914eea5006aa5c2e7a6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 2 18:27:17 2015 +0100

    Fix labels, improve sysnet_manage_config interface.

I added a fix for this issue. Also, I am doing a build for F22 at the moment. Could you test this with selinux-policy-3.13.1-108.fc22?
Url: http://koji.fedoraproject.org/koji/taskinfo?taskID=8817298

Thank you.

Comment 18 lejeczek 2015-02-04 15:55:30 UTC
Description of problem:
Probably related to NetworkManager's dispatcher having a script that tampers with /etc/resolv.conf, etc.

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.3.fc22.x86_64
type:           libreport

Comment 19 Adam Williamson 2015-02-07 19:21:43 UTC
OK, looks to be properly fixed with -110. Workstation live image boots and connects to the network with no AVCs.

Comment 20 Lukas Vrabec 2015-02-08 20:14:14 UTC
Thank you for testing Adam.

