Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1242567 - please update selinux-policy to enable dnssec-trigger to restart NetworkManager
Summary: please update selinux-policy to enable dnssec-trigger to restart NetworkManager
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: Default_Local_DNS_Resolver
TreeView+ depends on / blocked
 
Reported: 2015-07-13 15:25 UTC by Tomáš Hozza
Modified: 2015-07-15 13:12 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-15 13:12:12 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode (deleted)
2015-07-13 15:25 UTC, Tomáš Hozza
no flags Details

Description Tomáš Hozza 2015-07-13 15:25:48 UTC
Created attachment 1051461 [details]
sealert -a /var/log/audit/audit.log -b > audit.txt in permissive mode

Description of problem:
On stop, dnssec-trigger determines if systemd is running on the system by checking /sys/fs/cgroup/systemd and then restarts NetworkManager using systemctl.

SELinux seems to forbid these two actions:

type=AVC msg=audit(1436800269.309:2684): avc:  denied  { execute_no_trans } for  pid=19480 comm="dnssec-trigger-" path="/usr/bin/systemctl" dev="dm-1" ino=5375025 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1

and 

type=AVC msg=audit(1436800269.308:2681): avc:  denied  { getattr } for  pid=19435 comm="dnssec-trigger-" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.4.fc22.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
see the attached audit.txt

Comment 1 Tomáš Hozza 2015-07-15 13:12:12 UTC
This is not needed any more, since we changed the implementation to Bug #1242578


Note You need to log in before you can comment on or make changes to this bug.