On Tue, Oct 11, 2016, at 06:12 PM, Jason Brooks wrote:
> I'm seeing an selinux denial preventing resolv.conf from being
> updated:
>
> Oct 11 22:05:46 atomic01.example.org audit[1304]: AVC avc: denied { write } for pid=1304 comm="dhclient-script" name="NetworkManager" dev="tmpfs" ino=22077 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0

There's an upstream discussion related to this:
https://mail.gnome.org/archives/networkmanager-list/2016-September/msg000...
Which, if you see my reply, I think his patch is wrong, but the fix
should likely live in NM.
Also, way back in the past...
http://www.spinics.net/linux/fedora/fedora-cloud/msg06264.html
which again seems to have been lost because I didn't commit it to the master
branch =(
Also:
https://bugzilla.redhat.com/show_bug.cgi?id=1204226
But hey, let's make another try at this, and we actually want this to apply on
bare metal too, so:
https://pagure.io/fedora-atomic/pull-request/23
That said...I'm not reproducing this here, /run/NetworkManager/resolv.conf
seems to be correctly labeled net_conf_t here.

> Also, this "Warning: NetworkManager.service changed on disk. Run
> 'systemctl daemon-reload'" message when I check the status of
> NetworkManager.

I suspect systemd needs the same "handle zero mtime" fix
as I did for gnutls.
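
For triage, the AVC record quoted in this thread can be split into source domain, target type, object class and permission, then counted per tuple across a journal. This is an added example, not part of the original message; the names `parse_avc` and `summarize` are hypothetical, and `SAMPLE` is the denial from the thread joined onto one line.

```python
import re
from collections import Counter

# The denial quoted in the message above, joined onto one line.
SAMPLE = ('Oct 11 22:05:46 atomic01.example.org audit[1304]: AVC avc: denied { write } '
          'for pid=1304 comm="dhclient-script" name="NetworkManager" dev="tmpfs" ino=22077 '
          'scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec = {
        'result': m.group(1),
        'perms': m.group(2).split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        # permissive=0 means the denial was actually enforced.
        'enforced': fields.get('permissive') == '0',
    }
    # A context is user:role:type:level; the level may itself contain colons
    # (s0-s0:c0.c1023), so split at most three times.
    for key in ('scontext', 'tcontext'):
        parts = fields.get(key, '').split(':', 3)
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize(lines):
    """Count denials per (source type, target type, class, perms) tuple."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            counts[(rec['stype'], rec['ttype'], rec['tclass'], tuple(rec['perms']))] += 1
    return counts

if __name__ == '__main__':
    print(parse_avc(SAMPLE))
```

For the record above, the tuple is `dhcpc_t` writing to a `dir` labeled `NetworkManager_var_run_t`, which is the directory rather than the `net_conf_t`-labeled resolv.conf mentioned in the reply.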