DNS mystery: NetworkManager vs SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Sep 13 17:28:23 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2011 11:49 AM, D. Hugh Redelmeier wrote:
> Thanks for all your useful replies.
> 
> | From: Joe Zeff <joe at zeff.us>
> 
> | Do you have the SELinux troubleshooter running?
> 
> I don't know.  The new-to-me Gnome 3 desktop is still quite a
> puzzle. If I have it running, it didn't signal me in a way that I
> noticed.
> 
> Is it part of the default F15 desktop setup?
> 
> | If so, you should have gotten an alert.  For that matter,
> | isn't there something that shows you a list of any problems you
> | had at boot?  I know that if I boot my laptop without the
> | Ethernet cable attached I get a warning that it wasn't able
> | to connect to the net.
> 
> Where would that be?  /var/log/messages had the warning (buried in
> a lot of other logging, only flagged as a warning, and with no
> implications spelled out):
> 
>   <warn>  could not commit DNS changes: (0) Could not replace /etc/resolv.conf: permission denied
> 
> It seems to me that the NM "settings" window should have had some
> kind of warning in it.  It told me that all was well with my wired
> setting, including the DNS server settings.
> 
> 
> | From: Miroslav Grepl <mgrepl at redhat.com>
> 
> | Could you open a new bug on selinux-policy component and we can
> | discuss it there.
> 
> I suspect (and will investigate) that this isn't an SELinux policy 
> failure.
> 
> After much thrashing, I've come up with a fairly simple way to 
> duplicate the problem.
> 
> - boot with ethernet cable detached
> 
> - log in to a Gnome desktop
> 
> - in a terminal type the commands:
> 
>     su
>     NetworkManager
> 
> - at this point
>   - the second NM will exit quickly, having detected another NM
>   - the second NM will have created an /etc/resolv.conf with the
>     problematic labeling unconfined_u:object_r:etc_t:s0
> 
> - now we are broken.  This can be demonstrated by plugging in the 
> cable and having /etc/resolv.conf NOT updated.
> 
> Who is to blame?
> 
> - the idiot user for running NetworkManager when it was already 
> running
> 
> - the second NetworkManager for creating the /etc/resolv.conf even 
> though it figured out that it wasn't going to be staying around
> 
> - the second NetworkManager for creating the /etc/resolv.conf with
>   bad labeling.  There may be some SELinux policy issue here.
> 
> - NetworkManager's "settings" window for showing all's well when
>   NetworkManager knows or should have known that it isn't.
> 
> So: should I create a bugzilla entry?  For what component(s)?
> 
> 
> | From: Daniel J Walsh <dwalsh at redhat.com>
> 
> | There might have been a bug in the installation that labeled the
> | /etc/resolv.conf incorrectly.  Now that the label is correct, if
> | it gets mislabeled again we know we have a problem.
> 
> Everything was fine until I ran NetworkManager.  Crazy like a 
> random user.  It seems like the system isn't fool-proof enough.
> 
> | Running the setroubleshoot problem would have given you a
> | heads up on how to fix.
> 
> In retrospect, that's clear.
> 
> BTW, in one of my experiments running Xfce, I got the following 
> popup window:
> 
> [Error] GDBus Error: org.freedesktop.PolicyKit1.Error.Failed: An
> authentication agent already exists for the given subject [OK]
> 
> That's a bit mysterious.


Well, I just tried to run NetworkManager as root and saw something
similar, although I also end up with the resolv.conf having bogus data
in it.  I can fix F16 to label this correctly if it happens.  But we
cannot fix this in F15.

If setroubleshoot were running you would see a message in
/var/log/messages about SELinux preventing some access.  You should
also see the setroubleshoot blob at the bottom of the screen, and if
you move your mouse to the bottom right-hand corner a menu should
appear with the "CheckEngineLight" logo for setroubleshoot.

    yum install setroubleshoot

will install the package, although I thought it was part of the default
desktop.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5vkrcACgkQrlYvE4MpobP/mACdFXyg9heaxoT9R0B/JfL97PlO
7/wAn12BPSYFcjW04ndjsKdig66EapxO
=fLHl
-----END PGP SIGNATURE-----
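The failure mode in the thread is a label mismatch: NetworkManager (running as NetworkManager_t) may replace /etc/resolv.conf only when the file carries the type the policy assigns to it, and the stray copy created by the second instance got etc_t instead. The following is an added example, not code from the thread or from the NetworkManager or selinux-policy projects: a small shell script that reads the live context with `stat -c %C`, compares just the type field against the expected one, and runs `restorecon` when it differs. It assumes the Fedora targeted policy's type for /etc/resolv.conf is net_conf_t (what `matchpathcon /etc/resolv.conf` reports); change EXPECTED_TYPE if your policy says otherwise.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect and repair a
# mislabeled /etc/resolv.conf of the kind described above.
# Assumption: Fedora targeted policy labels /etc/resolv.conf as net_conf_t.

EXPECTED_TYPE="net_conf_t"   # assumption; compare with `matchpathcon /etc/resolv.conf`

# context_type CONTEXT
# Print the SELinux type (third colon-separated field) of a context string,
# e.g. "unconfined_u:object_r:etc_t:s0" -> "etc_t". MLS ranges after the
# type ("s0-s0:c0.c1023") are left in the remainder and ignored.
context_type() {
    local rest
    rest=${1#*:}            # drop the user field
    rest=${rest#*:}         # drop the role field
    printf '%s\n' "${rest%%:*}"
}

# label_ok CONTEXT [TYPE]
# Exit 0 when CONTEXT carries the expected type, 1 otherwise. Only the type
# matters here: unconfined_u vs system_u in the user field is not what
# stops NetworkManager_t from replacing the file; etc_t vs net_conf_t is.
label_ok() {
    [ "$(context_type "$1")" = "${2:-$EXPECTED_TYPE}" ]
}

# file_context PATH
# Live context of PATH via GNU stat; prints "?" on a host without SELinux
# and nothing (non-zero exit) if the file does not exist.
file_context() {
    stat -c %C -- "$1" 2>/dev/null
}

# check_resolv_conf [PATH]
# Exit 0 if the label is right, 1 if it was wrong (and a fix was attempted
# or suggested), 2 if no context could be read.
check_resolv_conf() {
    local f ctx
    f=${1:-/etc/resolv.conf}
    ctx=$(file_context "$f")
    if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
        echo "no SELinux context readable for $f (missing file or SELinux disabled)"
        return 2
    fi
    if label_ok "$ctx"; then
        echo "$f is $ctx: OK"
        return 0
    fi
    echo "$f is $ctx, expected type $EXPECTED_TYPE"
    if command -v restorecon >/dev/null 2>&1; then
        # restorecon applies the policy's default label; needs root.
        restorecon -v -- "$f"
    else
        echo "fix manually: restorecon -v $f   (or: chcon -t $EXPECTED_TYPE $f)"
    fi
    return 1
}

# Run the check only when invoked as `sh selinux-resolv-check.sh check`, so
# the functions can also be sourced and used individually.
case "${1:-}" in
    check) check_resolv_conf "${2:-/etc/resolv.conf}" ;;
esac
```

After a repair, plugging the cable back in should make NetworkManager rewrite /etc/resolv.conf again; if the label drifts back to etc_t, you have the reproducer the thread asks for and a candidate bug against selinux-policy or NetworkManager.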

