RHEL-76966: avc: denied { create } for comm="NetworkManager" name="*.nmmeta~"

    • rhel-sst-security-selinux
    • ssg_security
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      I am setting up CentOS 9 bootc tests for cockpit. Two tests (https://cockpit-logs.us-east-1.linodeobjects.com/pull-21559-045df1ef-20250130-100950-centos-9-bootc-networking/log.html) spotted a minor SELinux problem related to NetworkManager. Right after booting our VM:

      kernel: audit: type=1400 audit(1738238023.471:4): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=lnk_file permissive=0
      kernel: audit: type=1400 audit(1738238023.471:5): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
      It's not really something that the test does. Our VMs install an mcast1.connection into /usr/lib/NetworkManager/system-connections/. We chose /usr, as that's what you do in bootc images – they either can't or shouldn't change /etc; this should be considered part of the customized OS image.

      However, this only happens when booting two parallel VMs which are actually connected to each other via a QEMU mcast device. When booting just one VM, nothing is connected to that (emulated) ethernet device and no SELinux message appears.

      What is the impact of this issue to you?

      Not much – it doesn't break the test other than the unexpected SELinux message.

      Please provide the package NVR for which the bug is seen:

      NetworkManager-1.51.6-1.el9.x86_64
      selinux-policy-38.1.51-1.el9.noarch

      This was already reported 4 years ago in RHELPLAN-49053 FYI.

      I tried to reproduce this with

      nmcli con add type dummy con-name fake ifname fake0 ip4 1.2.3.4/24 gw4 1.2.3.1
      nmcli con remove fake0
      but that works. I also tried bootc usr-overlay and moved the file from /etc/ to /usr, but that changes the system enough to also not trigger the denial when removing it.
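As an added example (not part of the bug report or of selinux-policy), a small parser that turns AVC records like the two quoted above into a per-(source type, target type, object class, permission) summary, which is what a policy maintainer needs in order to decide whether a rule or a file context is missing. The sample log is constructed from the lines quoted in the report plus one unrelated kernel line.

```python
import re
from collections import Counter

# Constructed sample input: the two denials quoted in the report plus one
# unrelated kernel line, to show that non-AVC records are skipped.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1738238023.471:4): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=lnk_file permissive=0
kernel: audit: type=1400 audit(1738238023.471:5): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
kernel: Linux version 5.14.0 (constructed filler line, not an AVC record)
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')  # comm="..." and name="..." are quoted in the log
    return rec


def setype(context):
    """user:role:type:level -> type, the part that policy rules are written against."""
    return context.split(":")[2]


def summarize(log):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(setype(rec["scontext"]), setype(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def enforcing_denials(log):
    """permissive=0 means the operation was actually blocked; permissive=1 means it was only logged."""
    return [r for r in map(parse_avc, log.splitlines()) if r and r.get("permissive") == "0"]


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {perm} }}")
```

The summary shows both denials come from the same domain and differ only in the target type (the /etc and /run connection directories), which is why the report's `*.nmmeta~` temporary symlink is the thing to look at.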


              Zdenek Pytela (rhn-support-zpytela)
              Martin Pitt (rhn-engineering-mpitt)
              SSG Security QE