RHEL-76966: avc: denied { create } for comm="NetworkManager" name="*.nmmeta~"


      What were you trying to do that didn't work?

      I am setting up CentOS 9 bootc tests for cockpit. Two tests [https://cockpit-logs.us-east-1.linodeobjects.com/pull-21559-045df1ef-20250130-100950-centos-9-bootc-networking/log.html] spotted a minor SELinux problem related to NetworkManager. Right after booting our VM:

      kernel: audit: type=1400 audit(1738238023.471:4): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=lnk_file permissive=0
      kernel: audit: type=1400 audit(1738238023.471:5): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
      

      It's not really something that the test does. Our VMs install an mcast1.connection into /usr/lib/NetworkManager/system-connections/ . We chose /usr, as that's what you do in bootc images – they either can't or shouldn't change /etc; this should be considered part of the customized OS image.

      However, this only happens when booting two parallel VMs which are actually connected to each other via a QEMU mcast device. When booting just one VM, nothing is connected to that (emulated) ethernet device and no SELinux message appears.

      What is the impact of this issue to you?

      Not much – it doesn't break the test other than the unexpected SELinux message.

      Please provide the package NVR for which the bug is seen:

      NetworkManager-1.51.6-1.el9.x86_64
      selinux-policy-38.1.51-1.el9.noarch

      This was already reported 4 years ago in RHELPLAN-49053 FYI.

      I tried to reproduce this with

      nmcli con add type dummy con-name fake ifname fake0 ip4 1.2.3.4/24 gw4 1.2.3.1
      nmcli con remove fake0
      

      but that works. I also tried bootc usr-overlay and moved the file from /etc/ to /usr, but that changes the system enough to also not trigger the denial when removing it.
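For triaging denials like the two quoted above, here is an added example (not part of the report and not the selinux-policy project's own tooling) that parses AVC lines, groups denied permissions by source type, target type and object class, and prints the minimal allow rules a policy maintainer would need to cover them, roughly what audit2allow does in a simplified form. The two sample lines are the report's own AVC messages, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC lines quoted in this report, "kernel:" prefix stripped.
SAMPLE_AVC = """\
audit: type=1400 audit(1738238023.471:4): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=lnk_file permissive=0
audit: type=1400 audit(1738238023.471:5): avc:  denied  { create } for  pid=719 comm="NetworkManager" name="4bf68e6e-d2d4-345b-aa95-2259ef3bc196.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    # A context is user:role:type:level; the type is what allow rules refer to.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def allow_rules(lines):
    """Aggregate denied permissions per (source type, target type, class) into TE allow rules."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC.splitlines()):
        print(rule)
```

In the real policy the fix would normally go through the existing NetworkManager file-context interfaces rather than a raw allow rule, and permissive=0 in both lines confirms the symlink creation was actually blocked rather than merely logged.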


            Dalibor Pospíšil made changes -
            Epic Link New: SELINUX-3824 [ 16506892 ]
            RHEL Jira bot made changes -
            Status Original: New [ 10016 ] New: Planning [ 13521 ]
            Zdenek Pytela made changes -
            Fix Version/s New: rhel-10.1 [ 12430377 ]
            Story Points New: 2
            Priority Original: Undefined [ 10300 ] New: Normal [ 10200 ]

            Martin Pitt added a comment - Note that we don't see this anywhere else, not even on CentOS/RHEL 9 "classic rpm".
            RHEL Jira bot made changes -
            Stale Date New: 2026/01/29
            Martin Pitt made changes -
            Summary Original: avc: denied { create } for pid=719 comm="NetworkManager" name="*.nmmeta~" New: avc: denied { create } for comm="NetworkManager" name="*.nmmeta~"
            RHEL Jira bot made changes -
            Sub-System Group New: ssg_security [ 27798 ]
            pme bot made changes -
            Developer New: Zdenek Pytela [ rhn-support-zpytela ]
            Pool Team New: rhel-sst-security-selinux [ 15259 ]
            QA Contact New: SSG Security QE [ qe-baseos-security ]
            Assignee New: Zdenek Pytela [ rhn-support-zpytela ]
            Martin Pitt created issue -
