NetworkManager fights selinux


Fedora 40 system cold boot shows 10 selinux errors from NetworkManager on files in /run/NetworkManager.  The contents of this directory seem to be created during the boot process. They are owned by root and writable, but apparently not in the correct selinux context. My attempt to submit a bug to bugzilla failed for some reason. This status has persisted through several of the latest kernels. The connection to the network ethernet and wifi worked.


SELinux is preventing NetworkManager from 'create' accesses on the directory devices.

*****  Plugin catchall (100. confidence) suggests **************************

If you believe that NetworkManager should be allowed create access on the devices directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                devices [ dir ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
Local Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.9.4-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024
                              x86_64
Alert Count                   21
First Seen                    2024-05-28 00:04:33 EDT
Last Seen                     2024-06-27 10:24:55 EDT
Local ID                      63afcb5d-e83d-4a9e-8a3a-8d3abdac3b16

Raw Audit Messages
type=AVC msg=audit(1719498295.202:132): avc:  denied  { create } for  pid=7409 comm="NetworkManager" name="devices" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1


Hash: NetworkManager,NetworkManager_t,init_var_run_t,dir,create

SELinux is preventing NetworkManager from open access on the file /run/NetworkManager/conf.d/10-globally-managed-devices.conf.

Plugin: restorecon
 SELinux denied access requested by NetworkManager.
/run/NetworkManager/conf.d/10-globally-managed-devices.conf may be mislabeled. /run/NetworkManager/conf.d/10-globally-managed-devices.conf default SELinux type is NetworkManager_var_run_t, but its current type is init_var_run_t. Changing this file back to the default type may fix your problem.  File contexts can be assigned to a file in the following ways.  Files created in a directory receive the file context of the parent directory by default. The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will
instead create the file with label C. An example of this would be the dhcp
client running with the dhcpc_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. Users can change the file context on a file using tools such as
chcon, or restorecon.  This file could have been mislabeled either by user
error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.  If you believe this is a bug, please file a
bug report against this package.

SELinux is preventing NetworkManager from 'setattr' accesses on the file lo.nmconnection.

*****  Plugin catchall (100. confidence) suggests **************************

If you believe that NetworkManager should be allowed setattr access on the lo.nmconnection file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -X 300 -i my-NetworkManager.pp

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                lo.nmconnection [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
Local Policy RPM selinux-policy-targeted-40.22-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.9.4-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024
                              x86_64
Alert Count                   40
First Seen                    2024-05-28 00:04:36 EDT
Last Seen                     2024-06-27 10:24:55 EDT
Local ID                      93e082cc-423c-4a80-96d7-58e62cf9f527

Raw Audit Messages
type=AVC msg=audit(1719498295.857:143): avc:  denied  { setattr } for  pid=7409 comm="NetworkManager" name="lo.nmconnection" dev="tmpfs" ino=2901 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1


Hash: NetworkManager,NetworkManager_t,init_var_run_t,file,setattr

--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
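As an added example (not part of the original post, and not NetworkManager's or Fedora's own tooling), the POSIX shell script below parses the two raw AVC records quoted above, embedded here as constructed sample input, and applies the triage rule the sealert restorecon plugin describes: if the denied object is a file or directory and its current type differs from the type the policy says the path should carry, the denial is most likely a labeling problem rather than a missing allow rule. The expected type NetworkManager_var_run_t is taken from the sealert text on this page and passed in as a parameter; on a live system it would come from `matchpathcon` or `restorecon -nv` on the actual path, and the records would come from `ausearch -m avc`.

```shell
#!/bin/sh
# Constructed sample input: the two AVC records from the post, one per variable.
AVC1='type=AVC msg=audit(1719498295.202:132): avc:  denied  { create } for  pid=7409 comm="NetworkManager" name="devices" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1'
AVC2='type=AVC msg=audit(1719498295.857:143): avc:  denied  { setattr } for  pid=7409 comm="NetworkManager" name="lo.nmconnection" dev="tmpfs" ino=2901 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1'

# avc_field RECORD KEY: print the value of KEY=value in one AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm RECORD: the permission named inside "{ ... }" (create, setattr, ...).
avc_perm() {
    printf '%s\n' "$1" | sed 's/.*{ *\([^} ]*\) *}.*/\1/'
}

# type_of CONTEXT: the type component (third field) of user:role:type:level.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify RECORD EXPECTED_TYPE: "mislabel" when a file/dir target does not
# carry the type the policy expects for that path, otherwise "policy" (a real
# missing allow rule, or a class this rule does not judge). EXPECTED_TYPE is an
# assumption supplied by the caller; here it comes from the sealert text.
avc_classify() {
    ac_ttype=$(type_of "$(avc_field "$1" tcontext)")
    ac_tclass=$(avc_field "$1" tclass)
    case $ac_tclass in
        file|dir|lnk_file)
            if [ "$ac_ttype" != "$2" ]; then echo mislabel; else echo policy; fi ;;
        *)  echo policy ;;
    esac
}

# avc_report EXPECTED_TYPE: one summary line per sample record.
avc_report() {
    for rec in "$AVC1" "$AVC2"; do
        printf '%s %s %s -> %s [%s] verdict=%s\n' \
            "$(avc_field "$rec" comm)" "$(avc_perm "$rec")" \
            "$(type_of "$(avc_field "$rec" scontext)")" \
            "$(type_of "$(avc_field "$rec" tcontext)")" \
            "$(avc_field "$rec" tclass)" \
            "$(avc_classify "$rec" "$1")"
    done
}

avc_report NetworkManager_var_run_t
```

Both sample records come out as `mislabel`, which matches the sealert plugin's own reading: the objects under /run/NetworkManager were created with the inherited init_var_run_t type instead of NetworkManager_var_run_t, so the fix to try first is `restorecon -Rv /run/NetworkManager` (and a bug report if the labels come back wrong on the next boot), not an audit2allow module that would permanently grant NetworkManager_t access to everything labeled init_var_run_t.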