After updating to Fedora 36, I have an SELinux problem with my personal NetworkManager dispatcher script.
In the logs I get this error:
mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc: denied { getattr } for pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0
But if I try to set the SELinux permission, I get this error:
[lesca@dodo Network]$ sudo chcon system_u:system_r:NetworkManager_dispatcher_t:s0 /etc/NetworkManager/dispatcher.d/15-vpn-disp
chcon: failed to change context of '/etc/NetworkManager/dispatcher.d/15-vpn-disp' to 'system_u:system_r:NetworkManager_dispatcher_t:s0': Permission denied
How can I enable my dispatcher script execution?
Many thanks
On Tue, May 17, 2022 at 1:07 PM Dario Lesca d.lesca@solinos.it wrote:
> After updating to Fedora 36, I have an SELinux problem with my personal NetworkManager dispatcher script.
> In the logs I get this error:
> mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc: denied { getattr } for pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0
> But if I try to set the SELinux permission, I get this error:
> [lesca@dodo Network]$ sudo chcon system_u:system_r:NetworkManager_dispatcher_t:s0 /etc/NetworkManager/dispatcher.d/15-vpn-disp
> chcon: failed to change context of '/etc/NetworkManager/dispatcher.d/15-vpn-disp' to 'system_u:system_r:NetworkManager_dispatcher_t:s0': Permission denied
> How can I enable my dispatcher script execution?
Hi,
If the /etc/NetworkManager/dispatcher.d/15-vpn-disp file is not a part of any package, the following command should set the correct label:
# restorecon -v /etc/NetworkManager/dispatcher.d/15-vpn-disp
but that still may not be sufficient to make the plugin work, which depends on the resources it requires. This problem will be generally addressed soon.
> Many thanks
> -- Dario Lesca (sent from my Linux Fedora 36 Workstation)
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Tue, 17/05/2022 at 19.42 +0200, Zdenek Pytela wrote:
> If the /etc/NetworkManager/dispatcher.d/15-vpn-disp file is not a part of any package, the following command should set the correct label:
> # restorecon -v /etc/NetworkManager/dispatcher.d/15-vpn-disp
> but that still may not be sufficient to make the plugin work, which depends on the resources it requires. This problem will be generally addressed soon.
Thanks, Zdenek
I have run the suggested command (with sudo) but nothing has changed
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { execute } for pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied
The 15-vpn-disp script tries to add some other routes with /sbin/ip and add some search strings to DNS with resolvectl, but it fails.
Is there some other workaround (instead of "sudo setenforce Permissive")?
Many thanks
Dario
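The AVC records quoted in the messages above reduce to a few (source type, target type, class) triples, which shows why relabelling the script alone was not enough: the later denials are against /usr/sbin/ip (ifconfig_exec_t), not the script. The following Python is an added example, not part of the original thread; the function names are hypothetical and the sample log is the thread's own records placed one per line.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from this thread, one record per line.
SAMPLE_LOG = """\
mag 17 12:56:30 dodo.home.solinos.it audit[160270]: AVC avc: denied { getattr } for pid=160270 comm="nm-dispatcher" path="/etc/NetworkManager/dispatcher.d/15-vpn-disp" dev="dm-1" ino=33588281 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:NetworkManager_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { execute } for pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not an AVC record, e.g. the nm-dispatcher error line
        key = (
            selinux_type(match["scontext"]),
            selinux_type(match["tcontext"]),
            match["tclass"],
        )
        grouped[key].update(match["perms"].split())
    return dict(grouped)


def render(grouped):
    """One readable line per triple, with permissions sorted."""
    return [
        f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    print("\n".join(render(summarize_denials(SAMPLE_LOG))))
```
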
On Wed, May 18, 2022 at 1:56 AM Dario Lesca d.lesca@solinos.it wrote:
> On Tue, 17/05/2022 at 19.42 +0200, Zdenek Pytela wrote:
> > If the /etc/NetworkManager/dispatcher.d/15-vpn-disp file is not a part of any package, the following command should set the correct label:
> > # restorecon -v /etc/NetworkManager/dispatcher.d/15-vpn-disp
> > but that still may not be sufficient to make the plugin work, which depends on the resources it requires. This problem will be generally addressed soon.
> Thanks, Zdenek
> I have run the suggested command (with sudo) but nothing has changed
> mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { execute } for pid=209723 comm="15-vpn-disp" name="ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
> mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
> mag 18 01:44:02 dodo.home.solinos.it audit[209723]: AVC avc: denied { getattr } for pid=209723 comm="15-vpn-disp" path="/usr/sbin/ip" dev="dm-1" ino=372493 scontext=system_u:system_r:NetworkManager_dispatcher_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
> mag 18 01:44:02 dodo.home.solinos.it nm-dispatcher[209723]: /etc/NetworkManager/dispatcher.d/15-vpn-disp: line 8: /sbin/ip: Permission denied
> The 15-vpn-disp script tries to add some other routes with /sbin/ip and add some search strings to DNS with resolvectl, but it fails.
> Is there some other workaround (instead of "sudo setenforce Permissive")?
You can make just one domain a permissive one:
sudo semanage permissive -a NetworkManager_dispatcher_t
> Many thanks
> Dario
On Wed, 18/05/2022 at 09.00 +0200, Zdenek Pytela wrote:
> You can make just one domain a permissive one:
> sudo semanage permissive -a NetworkManager_dispatcher_t
OK, this resolves my problem. Is this modification permanent at boot, or must I repeat it every restart?
Another question:
Is this an SELinux or NetworkManager bug? Must I file a Bugzilla report or not?
Thanks Dario
On Thu, 19 May 2022 11:06:00 +0200 Dario Lesca d.lesca@solinos.it wrote:
> On Wed, 18/05/2022 at 09.00 +0200, Zdenek Pytela wrote:
> > You can make just one domain a permissive one:
> > sudo semanage permissive -a NetworkManager_dispatcher_t
> OK, this resolves my problem. Is this modification permanent at boot, or must I repeat it every restart?
The man page for selinux-permissive isn't clear to me on this question. But the fact it is creating a permissive module suggests that it will survive both reboots and selinux updates. Probably not an selinux relabel. You should probably check occasionally if the issue has been resolved, by deleting the permissive module. You can always recreate it if it isn't fixed.
> Another question:
> Is this an SELinux or NetworkManager bug? Must I file a Bugzilla report or not?
File a bug for selinux. If it isn't theirs, they will forward it to NetworkManager. You should include the above command you used to work around the issue.
On Thu, 19/05/2022 at 07.37 -0700, stan via users wrote:
> File a bug for selinux. If it isn't theirs, they will forward it to NetworkManager. You should include the above command you used to work around the issue.
I have filed this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2088944
Many thanks Dario
On Thu, May 19, 2022 at 11:27 AM Dario Lesca d.lesca@solinos.it wrote:
> On Wed, 18/05/2022 at 09.00 +0200, Zdenek Pytela wrote:
> > You can make just one domain a permissive one:
> > sudo semanage permissive -a NetworkManager_dispatcher_t
> OK, this resolves my problem. Is this modification permanent at boot, or must I repeat it every restart?
It persists across reboots. To undo, execute:
sudo semanage permissive -d NetworkManager_dispatcher_t
> Another question:
> Is this an SELinux or NetworkManager bug? Must I file a Bugzilla report or not?
Generally speaking, it is recommended to open a bz for any problem. In this case it should be resolved with the next selinux-policy build.
> Thanks Dario