RHEL-140113

AVC error when running NetworkManager --print-config via a systemd service


    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.2
    • NetworkManager
    • rhel-net-mgmt

      Definition of Done:

      Please mark each item below with ( / ) if completed or ( x ) if incomplete:

      ( ) The acceptance criteria defined below are met.

      Given NetworkManager is invoked with --print-config in a systemd service context, 

      When the command executes and exits, 

      Then no D-Bus cache directories are created and no SELinux AVC denials related to cache directory access occur.


      ( ) Integration test case is available upstream.


      ( ) Code is reviewed and merged upstream.


      ( ) Preliminary testing is done.


      ( ) Upstream documentation is written in the upstream MR.


      ( ) Release notes text is written in the RHEL issue.


      ( ) A demo is recorded

      What were you trying to do that didn't work?

      For a network dump target, the following SELinux error is shown when kdump.service is restarted:

      type=AVC msg=audit(1749464303.87:68): avc: denied { write } for pid=4840 comm="NetworkManager" name="root" dev="dm-0" ino=184549504 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0

      What is the impact of this issue to you?

      The seemingly harmless SELinux denial message will increase customer calls.

      Please provide the package NVR for which the bug is seen:

      NetworkManager-1.55.90-1.el10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. dnf install gvfs-client -yq
      2. systemctl restart test-nm.service
        # cat /etc/systemd/system/test-nm.service
        [Unit]
        Description=Test NM

        [Service]
        Type=oneshot
        ExecStart=NetworkManager --print-config

      3. ausearch -m avc -c NetworkManager

      Expected results

      No SELinux error.

      Actual results

      A SELinux error is shown

      Notes

      For kdump.service to reproduce the error, /root/.cache somehow has to be deleted beforehand.

              nm-team Network Management Team
              coxu@redhat.com Coiby Xu
              Network Management Team
              Vladimir Benes
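
A triage helper for the acceptance criterion in this issue, added here as an example and not part of the original report or of NetworkManager: it parses AVC records and keeps only denials with this issue's signature (NetworkManager_t denied write on an admin_home_t directory). The function names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample input: the first record is the denial quoted in this issue;
# the second is a made-up, unrelated denial used as a negative case.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1749464303.87:68): avc: denied { write } for pid=4840 '
    'comm="NetworkManager" name="root" dev="dm-0" ino=184549504 '
    'scontext=system_u:system_r:NetworkManager_t:s0 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0\n'
    'type=AVC msg=audit(1749464310.12:71): avc: denied { read } for pid=5001 '
    'comm="example" name="data" dev="dm-0" ino=42 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('rest'))}
    rec.update(ts=m.group('ts'), serial=int(m.group('serial')),
               verdict=m.group('verdict'), perms=m.group('perms').split())
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    for field, out in (('scontext', 'source_type'), ('tcontext', 'target_type')):
        parts = rec.get(field, '').split(':')
        rec[out] = parts[2] if len(parts) > 2 else None
    return rec


def matches_issue(rec):
    """True for a denied write by NetworkManager_t on an admin_home_t directory."""
    return (rec['verdict'] == 'denied' and 'write' in rec['perms']
            and rec['source_type'] == 'NetworkManager_t'
            and rec['target_type'] == 'admin_home_t'
            and rec.get('tclass') == 'dir')


def find_issue_denials(audit_text):
    """Parse every line and keep only records with this issue's signature."""
    records = (parse_avc(line) for line in audit_text.splitlines())
    return [rec for rec in records if rec and matches_issue(rec)]
```

Passing the output of the `ausearch -m avc -c NetworkManager` step to `find_issue_denials` should return an empty list once the acceptance criterion is met.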