DNS mystery: NetworkManager vs SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Sep 13 13:48:18 UTC 2011



On 09/13/2011 08:19 AM, Miroslav Grepl wrote:
> On 09/13/2011 06:48 AM, D. Hugh Redelmeier wrote:
>> My netbook has a rather vanilla installation of F15.
>> 
>> I tried a new desktop.  Wireless didn't work (long story, not
>> relevant) so I manually ran network manager (didn't help).  Then
>> I rebooted back to Gnome.
>> 
>> Wired networking seemed to no longer work.  Actually, networking
>> worked but no domain names could be resolved.
>> 
>> After a lot of ineffective poking about (based on my deep
>> understanding of how things worked in the good old days before
>> NM), I discovered (with help) the problem.
>> 
>> NM creates a new /etc/resolv.conf.tmp whenever it learns (through
>> DHCP or whatever) what the name servers are.  On my system, it
>> could not manage to replace /etc/resolv.conf.  /var/log/messages
>> showed:
>> 
>>   <warn>  could not commit DNS changes: (0) Could not replace /etc/resolv.conf: permission denied
>> 
>> "ls -l /etc/resolv.conf*" showed nothing scary.  But "ls -lZ"
>> did.
>> 
>> Something had labeled /etc/resolv.conf
>> unconfined_u:object_r:etc_t:s0 instead of
>> system_u:object_r:net_conf_t:s0
>> 
>> Fix: "restorecon /etc/resolv.conf"
>> 
>> How the heck is an ordinary user supposed to figure this out?
> Could you open a new bug on selinux-policy component and we can
> discuss it there.
> 
> Regards, Miroslav


There might have been a bug in the installation that labeled the
/etc/resolv.conf incorrectly.  Now that the label is correct, if it
gets mislabeled again we know we have a problem.  Running the
setroubleshoot problem would have given you a heads up on how to fix.
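
The check described in this thread (compare the context that `ls -lZ` shows with the policy default, then run `restorecon`) written as a script. This is an added example, not part of the original messages: the function names `selinux_type`, `check_label` and `audit_path` are made up for illustration, and the live check assumes GNU `stat` and the `matchpathcon` utility are installed.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the policy default.

# Print the type field (third colon-separated field) of a context string,
# e.g. system_u:object_r:net_conf_t:s0 -> net_conf_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label PATH ACTUAL_CONTEXT EXPECTED_CONTEXT
# Returns 0 when the types match, 1 on a mismatch. Only the type is compared:
# restorecon without -F resets only the type portion of the context.
check_label() {
    cl_path=$1
    cl_actual=$(selinux_type "$2")
    cl_expected=$(selinux_type "$3")
    if [ "$cl_actual" = "$cl_expected" ]; then
        printf 'OK       %s (%s)\n' "$cl_path" "$cl_actual"
        return 0
    fi
    printf 'MISLABEL %s: type is %s, policy expects %s\n' \
        "$cl_path" "$cl_actual" "$cl_expected"
    printf '         fix: restorecon -v %s\n' "$cl_path"
    return 1
}

# audit_path PATH
# Live check: read the on-disk context and the policy default, then compare.
# Returns 2 when either lookup fails (SELinux tools missing, no such file).
audit_path() {
    ap_actual=$(stat -c %C "$1") || return 2
    ap_expected=$(matchpathcon -n "$1") || return 2
    check_label "$1" "$ap_actual" "$ap_expected"
}

# When run with arguments, audit each path and exit non-zero if any is wrong,
# e.g.:  sh check_label.sh /etc/resolv.conf /etc/hosts
status=0
for p in "$@"; do
    audit_path "$p" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```
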

