DNS mystery: NetworkManager vs SELinux

D. Hugh Redelmeier hugh at mimosa.com
Tue Sep 13 15:49:01 UTC 2011


Thanks for all your useful replies.

| From: Joe Zeff <joe at zeff.us>

| Do you have the SELinux troubleshooter running?

I don't know.  The new-to-me Gnome 3 desktop is still quite a puzzle.
If I have it running, it didn't signal me in a way that I noticed.

Is it part of the default F15 desktop setup?

|  If so, you should have
| gotten an alert.  For that matter, isn't there something that shows you
| a list of any problems you had at boot?  I know that if I boot my laptop
| without the Ethernet cable attached I get a warning that it wasn't able
| to connect to the net.

Where would that be?  /var/log/messages had the warning (buried in a
lot of other logging, only flagged as a warning, and with no
implications spelled out):
  <warn>  could not commit DNS changes: (0) Could not replace /etc/resolv.conf: permission denied

It seems to me that the NM "settings" window should have had some kind
of warning in it.  It told me that all was well with my wired setting,
including the DNS server settings.


| From: Miroslav Grepl <mgrepl at redhat.com>

| Could you open a new bug on selinux-policy component and we can discuss 
| it there.

I suspect (and will investigate) that this isn't an SELinux policy
failure.

After much thrashing, I've come up with a fairly simple way to
duplicate the problem.

- boot with ethernet cable detached

- log in to a Gnome desktop

- in a terminal type the commands:
	su
	NetworkManager

- at this point
	- the second NM will exit quickly, having detected another NM
	- the second NM will have created an /etc/resolv.conf
	  with the problematic labeling
		unconfined_u:object_r:etc_t:s0

- now we are broken.  This can be demonstrated by plugging in the
  cable and having /etc/resolv.conf NOT updated.

Who is to blame?

- the idiot user for running NetworkManager when it was already
  running

- the second NetworkManager for creating the /etc/resolv.conf even
  though it figured out that it wasn't going to be staying around

- the second NetworkManager for creating the /etc/resolv.conf with bad
  labeling.  There may be some SELinux policy issue here.
	
- NetworkManager's "settings" window for showing all's well when
  NetworkManager knows or should have known that it isn't.

So: should I create a bugzilla entry?  For what component(s)?


| From: Daniel J Walsh <dwalsh at redhat.com>

| There might have been a bug in the installation that labeled the
| /etc/resolv.conf incorrectly.  Now that the label is correct, if it
| gets mislabeled again we know we have a problem.

Everything was fine until I ran NetworkManager.  Crazy like a random
user.  It seems like the system isn't fool-proof enough.

|  Running the
| setroubleshoot problem would have given you a heads up on how to fix.

In retrospect, that's clear.

BTW, in one of my experiments running Xfce, I got the following popup
window:

	[Error]
	GDBus Error: org.freedesktop.PolicyKit1.Error.Failed: An
	authentication agent already exists for the given subject
					[OK]
That's a bit mysterious.
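
A small check for the state the reproduction steps above leave behind, added here as an example and not part of the original post. It assumes the Fedora targeted policy's default type for /etc/resolv.conf is net_conf_t and that restorecon puts it back; the sample log lines are constructed to echo the warning quoted above.

```sh
#!/bin/sh
# Added example, not from the original thread: detect the state described in
# the post, where /etc/resolv.conf carries a type NetworkManager cannot write
# to, and point at the fix.  Assumptions (not stated in the post): the policy
# default type for /etc/resolv.conf is net_conf_t (Fedora targeted policy)
# and "restorecon" restores it.

EXPECTED_TYPE=net_conf_t

# label_type CONTEXT -> prints the type field of an SELinux context,
# e.g. unconfined_u:object_r:etc_t:s0 -> etc_t
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label CONTEXT -> exit 0 if the type is EXPECTED_TYPE, 1 otherwise
check_label() {
    [ "$(label_type "$1")" = "$EXPECTED_TYPE" ]
}

# nm_dns_failures FILE -> number of NM "could not commit DNS changes"
# warnings in FILE (use - for stdin); prints 0 instead of failing
nm_dns_failures() {
    grep -c 'could not commit DNS changes' "$1" || true
}

# Constructed sample log lines echoing the warning quoted in the post
SAMPLE_LOG='Sep 13 10:01:02 host NetworkManager[812]: <info> (em1): carrier now ON
Sep 13 10:01:03 host NetworkManager[812]: <warn>  could not commit DNS changes: (0) Could not replace /etc/resolv.conf: permission denied'

main() {
    # stat -c %C prints the file's SELinux context ("?" without SELinux)
    ctx=$(stat -c %C /etc/resolv.conf 2>/dev/null) || ctx='?'
    if [ "$ctx" = '?' ]; then
        echo "no SELinux context available for /etc/resolv.conf"
    elif check_label "$ctx"; then
        echo "/etc/resolv.conf is $ctx (ok)"
    else
        echo "/etc/resolv.conf is $ctx, expected type $EXPECTED_TYPE"
        echo "fix: restorecon -v /etc/resolv.conf"
    fi
    n=$(nm_dns_failures /var/log/messages 2>/dev/null)
    echo "NetworkManager DNS commit failures logged: ${n:-0}"
}

main "$@"
```

Run it as root after the cable is plugged in; a type other than net_conf_t together with a non-zero warning count is the symptom described in the post.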

