Loading...

XML

Word

Printable

Type: Story
Resolution: Done-Errata
Priority: Major
Fix Version/s: rhel-9.4
Affects Version/s: None
Component/s: NetworkManager
Labels:

Fixed in Build:
NetworkManager-1.46.0-3.el9_4
Severity:
Major

Pool Team:

sst_network_management
Sub-System Group:

ssg_networking

Story Points:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
NMT - RHEL-9.5 DTM 4
Release Blocker:
Approved Exception

Acceptance Criteria:
Hide

Given the RHEL 9.4 NM package

When looking at the nm-cloud-setup system unit

Then it does not contain PrivateUsers=yes

Given a RHEL 9.4 system

When running the task from the other peoples CI

Then there are no selinux denials.

Definition of Done:

The implementation meets the acceptance criteria

The change is part of RHEL-9.4 NetworkManager downstream build

Scratch build is created and tested there are no more selinux denials
Show
Given the RHEL 9.4 NM package When looking at the nm-cloud-setup system unit Then it does not contain PrivateUsers=yes Given a RHEL 9.4 system When running the task from the other peoples CI Then there are no selinux denials. Definition of Done: The implementation meets the acceptance criteria The change is part of RHEL-9.4 NetworkManager downstream build Scratch build is created and tested there are no more selinux denials
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/120156

Experience:

SFDC Cases Counter:
SFDC Cases Links:

Nm-cloud-setup systemd unit was changed to include PrivateUsers=yes, and this makes the process start in a different user namespace: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/6fb4af730012441adbbc99e87ae137195d7109a5

This change is causing the avc denial described in RHEL-24346 and as this is a blocker for osbuild-composer testing on AWS on RHEL-9.4, we need to remove the PrivateUsers=yes directive in downstream. selinux team will then allow the permission in selinux-policy during RHEL 9.5 development cycle.

relates to

RHEL-24346 SELinux prevents NetworkManager from using the sys_ptrace capability in user namespaces

Release Pending

links to

RHBA-2023:120156 NetworkManager bug fix and enhancement update

Assignee:: Fernando Fernandez Mancera

Reporter:: Stanislas Faye

Developer:: Fernando Fernandez Mancera

QA Contact:: Vladimir Benes

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/02/29 1:21 PM

Updated:: 2024/04/30 10:09 AM

Resolved:: 2024/04/30 10:09 AM

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Activity

People

Dates