1188888 – SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1188888 - SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

Summary: SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:e8b6f3862300de5e59888580e73...
Depends On:
Blocks:	F22FinalBlocker
TreeView+	depends on / blocked

Reported:	2015-02-03 23:08 UTC by Adam Williamson
Modified:	2015-02-09 17:40 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.13.1-108.fc22
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-09 17:40:43 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Adam Williamson 2015-02-03 23:08:26 UTC

Description of problem:
Happens of boot of a Rawhide Workstation live image with selinux-policy-3.13.1-107.fc22.
SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that chronyd should be allowed read access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chronyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      5505d495-0668-4216-afe2-d23e35d2d26f

Raw Audit Messages
type=AVC msg=audit(1423004224.24:447): avc:  denied  { read } for  pid=848 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1


Hash: chronyd,chronyd_t,NetworkManager_var_run_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Comment 1 Adam Williamson 2015-02-03 23:09:06 UTC

Proposing as a Final blocker: "There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop." - https://fedoraproject.org/wiki/Fedora_22_Final_Release_Criteria#SELinux_and_crash_notifications .

Comment 2 Adam Williamson 2015-02-03 23:09:52 UTC

There's a similar denial for 'open':

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                /run/NetworkManager/resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      031b40cb-56ae-43ae-9a77-c095b974d2d4

Raw Audit Messages
type=AVC msg=audit(1423004224.24:448): avc:  denied  { open } for  pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

Comment 3 Adam Williamson 2015-02-03 23:10:32 UTC

And one for 'getattr':

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                /run/NetworkManager/resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost
Platform                      Linux localhost 3.19.0-0.rc7.git0.1.fc22.x86_64 #1
                              SMP Mon Feb 2 15:14:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-03 17:57:04 EST
Last Seen                     2015-02-03 17:57:04 EST
Local ID                      36ec33fe-3d43-4549-9eb9-4712273531d2

Raw Audit Messages
type=AVC msg=audit(1423004224.24:449): avc:  denied  { getattr } for  pid=848 comm="chronyd" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=20476 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=1

Comment 4 lejeczek 2015-02-04 12:22:59 UTC

Description of problem:
networkManager's dispatcher is supposed to run a script that changes /etc/resolv.conf & /etc/hosts

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.1.fc22.x86_64
type:           libreport

Comment 5 Lukas Vrabec 2015-02-04 13:30:37 UTC

commit cc28df82cdec572ca816f914eea5006aa5c2e7a6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Feb 2 18:27:17 2015 +0100

    Fix labels, improve sysnet_manage_config interface.

commit 55ea073f65f979793a0c47d78cc82ffeb8401f1a
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 19:01:50 2015 +0100

    Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.

Comment 6 Mike Ruckman 2015-02-07 05:31:38 UTC

I don't see this any more with the recent selinux-policy-3.13.1-110.fc22.noarch build.

Comment 7 lejeczek 2015-02-07 12:58:28 UTC

it seems to be fine, my problem though might have been caused by unconfined label on the script. Thanks.

Comment 8 Adam Williamson 2015-02-09 17:40:43 UTC

Works fine with 110 for me too.

Note You need to log in before you can comment on or make changes to this bug.