RHEL-77157

NetworkManager crashes in image mode with SELinux enforcing

    • NetworkManager-1.52.0-1.el10_0
    • No
    • Important
    • 1
    • rhel-sst-network-management
    • ssg_networking
    • 28
    • 3
    • False
    • None
    • NMT SST - 2025Q1
    • Approved Exception
      Given a RHEL 10 system running NetworkManager in image mode with SELinux enforcing,

      When the system boots and NetworkManager attempts to manage .nmconnection files,

      Then NetworkManager must not crash due to SELinux permission denials.

      Definition of Done:

      • SELinux AVC denials no longer cause NetworkManager to crash in image mode.
      • The correct SELinux policy changes, if needed, are identified and implemented in RHEL 10.
    • Pass
    • None
    • x86_64
    • None

      What were you trying to do that didn't work?

      Doing NM-ci envsetup in image mode, NetworkManager crashes with enforcing SELinux; no crash with permissive SELinux.

      Please provide the package NVR for which the bug is seen:

      NetworkManager-1.51.6-1.el10.x86_64

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. create RHEL10 qcow2 in image mode with NM-ci setup done
      2. boot qcow2
      3. ./test_runs.sh pass

      Expected results

      The test should pass with SELinux enforcing.

      Actual results

      The test passes with SELinux permissive; with enforcing, NetworkManager crashes and connectivity to the VM is broken (the eth0 connection is deleted and not restored).

      AVCs seen:

       

      [root@localhost NM-ci]# journalctl -b 0 | grep NetworkManager | grep avc | grep denied
      Jan 31 11:54:22 localhost.localdomain kernel: audit: type=1400 audit(1738324462.938:9): avc:  denied  { unlink } for  pid=3218 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:10): avc:  denied  { unlink } for  pid=3716 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:11): avc:  denied  { create } for  pid=3716 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
      Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:12): avc:  denied  { create } for  pid=3716 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
      Jan 31 12:00:30 localhost.localdomain kernel: audit: type=1400 audit(1738324830.792:13): avc:  denied  { unlink } for  pid=5212 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854433 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 12:00:36 localhost.localdomain kernel: audit: type=1400 audit(1738324836.892:14): avc:  denied  { unlink } for  pid=5792 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854433 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 12:00:36 localhost.localdomain kernel: audit: type=1400 audit(1738324836.892:15): avc:  denied  { create } for  pid=5792 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
      Jan 31 12:00:36 localhost.localdomain kernel: audit: type=1400 audit(1738324836.892:16): avc:  denied  { create } for  pid=5792 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
      Jan 31 12:03:48 localhost.localdomain kernel: audit: type=1400 audit(1738325028.765:17): avc:  denied  { unlink } for  pid=7058 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 12:03:55 localhost.localdomain kernel: audit: type=1400 audit(1738325035.118:18): avc:  denied  { unlink } for  pid=7560 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
      Jan 31 12:03:55 localhost.localdomain kernel: audit: type=1400 audit(1738325035.119:19): avc:  denied  { create } for  pid=7560 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
      Jan 31 12:03:55 localhost.localdomain kernel: audit: type=1400 audit(1738325035.119:20): avc:  denied  { create } for  pid=7560 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
      Jan 31 12:04:35 localhost.localdomain kernel: audit: type=1400 audit(1738325075.286:22): avc:  denied  { unlink } for  pid=8252 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
       

      Crash coredump:

      [root@localhost NM-ci]# coredumpctl info 
                 PID: 7058 (NetworkManager)
                 UID: 0 (root)
                 GID: 0 (root)
              Signal: 5 (TRAP)
           Timestamp: Fri 2025-01-31 12:03:48 UTC (9min ago)
        Command Line: /usr/sbin/NetworkManager --no-daemon
          Executable: /usr/sbin/NetworkManager
       Control Group: /system.slice/NetworkManager.service
                Unit: NetworkManager.service
               Slice: system.slice
             Boot ID: eff2292d66d54b8fa90c5e55bbc710ac
          Machine ID: 5416f18771fd48d789e63ca2d9048d82
            Hostname: localhost.localdomain
             Storage: /var/lib/systemd/coredump/core.NetworkManager.0.eff2292d66d54b8fa90c5e55bbc710ac.7058.1738325028000000.zst (present)
        Size on Disk: 623.6K
             Message: Process 7058 (NetworkManager) of user 0 dumped core.
                      
                      Module libmm-glib.so.0 from rpm ModemManager-1.22.0-7.el10.x86_64
                      Module libnm-wwan.so from rpm NetworkManager-1.51.6-1.el10.x86_64
                      Module libnm-device-plugin-wwan.so from rpm NetworkManager-1.51.6-1.el10.x86_64
                      Module libnm-device-plugin-wifi.so from rpm NetworkManager-1.51.6-1.el10.x86_64
                      Module libjansson.so.4 from rpm jansson-2.14-3.el10.x86_64
                      Module libnm-device-plugin-ovs.so from rpm NetworkManager-1.51.6-1.el10.x86_64
                      Module libcrypt.so.2 from rpm libxcrypt-4.4.36-10.el10.x86_64
                      Module libbrotlicommon.so.1 from rpm brotli-1.1.0-6.el10.x86_64
                      Module libsasl2.so.3 from rpm cyrus-sasl-2.1.28-27.el10.x86_64
                      Module libevent-2.1.so.7 from rpm libevent-2.1.12-16.el10.x86_64
                      Module libkeyutils.so.1 from rpm keyutils-1.6.3-5.el10.x86_64
                      Module libkrb5support.so.0 from rpm krb5-1.21.3-5.el10.x86_64
                      Module libcom_err.so.2 from rpm e2fsprogs-1.47.1-3.el10.x86_64
                      Module libk5crypto.so.3 from rpm krb5-1.21.3-5.el10.x86_64
                      Module libkrb5.so.3 from rpm krb5-1.21.3-5.el10.x86_64
                      Module libblkid.so.1 from rpm util-linux-2.40.2-5.el10.x86_64
                      Module libtasn1.so.6 from rpm libtasn1-4.19.0-9.el10.x86_64
                      Module libunistring.so.5 from rpm libunistring-1.1-10.el10.x86_64
                      Module libp11-kit.so.0 from rpm p11-kit-0.25.5-7.el10.x86_64
                      Module libcap-ng.so.0 from rpm libcap-ng-0.8.4-6.el10.x86_64
                      Module libbrotlidec.so.1 from rpm brotli-1.1.0-6.el10.x86_64
                      Module libgssapi_krb5.so.2 from rpm krb5-1.21.3-5.el10.x86_64
                      Module libcrypto.so.3 from rpm openssl-3.2.2-15.el10.x86_64
                      Module libssl.so.3 from rpm openssl-3.2.2-15.el10.x86_64
                      Module libpsl.so.5 from rpm libpsl-0.21.5-6.el10.x86_64
                      Module libssh.so.4 from rpm libssh-0.11.1-1.el10.x86_64
                      Module libidn2.so.0 from rpm libidn2-2.3.7-3.el10.x86_64
                      Module libnghttp2.so.14 from rpm nghttp2-1.64.0-1.el10.x86_64
                      Module libcap.so.2 from rpm libcap-2.69-7.el10.x86_64
                      Module libpcre2-8.so.0 from rpm pcre2-10.44-1.el10.3.x86_64
                      Module libffi.so.8 from rpm libffi-3.4.4-9.el10.x86_64
                      Module libmount.so.1 from rpm util-linux-2.40.2-5.el10.x86_64
                      Module libz.so.1 from rpm zlib-ng-2.2.3-1.el10.x86_64
                      Module libgnutls.so.30 from rpm gnutls-3.8.8-1.el10.x86_64
                      Module libselinux.so.1 from rpm libselinux-3.8-0.rc3.1.el10.x86_64
                      Module libaudit.so.1 from rpm audit-4.0.3-1.el10.x86_64
                      Module libcurl.so.4 from rpm curl-8.9.1-5.el10.x86_64
                      Module libsystemd.so.0 from rpm systemd-257-3.el10.x86_64
                      Module libudev.so.1 from rpm systemd-257-3.el10.x86_64
                      Module libndp.so.0 from rpm libndp-1.9-2.el10.x86_64
                      Module libgmodule-2.0.so.0 from rpm glib2-2.80.4-4.el10.x86_64
                      Module libglib-2.0.so.0 from rpm glib2-2.80.4-4.el10.x86_64
                      Module libgobject-2.0.so.0 from rpm glib2-2.80.4-4.el10.x86_64
                      Module libgio-2.0.so.0 from rpm glib2-2.80.4-4.el10.x86_64
                      Stack trace of thread 7058:
                      #0  0x00007f9c770d3590 g_logv (libglib-2.0.so.0 + 0x61590)
                      #1  0x00007f9c770d37eb g_log (libglib-2.0.so.0 + 0x617eb)
                      #2  0x000055eb4a9d4271 n/a (n/a + 0x0)
                      #3  0x000055eb4a9d4a0c n/a (n/a + 0x0)
                      ELF object binary architecture: AMD x86-64
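
      Added example, not part of the original report: a small triage script that collapses the repeated AVC records above into the distinct (source type, target type, class, permission) tuples that were denied, keeping permissive=1 records in a separate bucket. The SAMPLE text is five of the records quoted in the report; the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: five of the AVC records quoted in the report above.
SAMPLE = """\
Jan 31 11:54:22 localhost.localdomain kernel: audit: type=1400 audit(1738324462.938:9): avc:  denied  { unlink } for  pid=3218 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:10): avc:  denied  { unlink } for  pid=3716 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:11): avc:  denied  { create } for  pid=3716 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=0
Jan 31 11:54:29 localhost.localdomain kernel: audit: type=1400 audit(1738324469.209:12): avc:  denied  { create } for  pid=3716 comm="NetworkManager" name="d8882c1b-2c2f-4463-953f-39e34fa5c078.nmmeta~" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=lnk_file permissive=0
Jan 31 12:04:35 localhost.localdomain kernel: audit: type=1400 audit(1738325075.286:22): avc:  denied  { unlink } for  pid=8252 comm="NetworkManager" name="testeth0.nmconnection" dev="sda4" ino=854432 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def ctx_type(context):
    # An SELinux context is user:role:type:level; the type drives policy decisions.
    return context.split(":")[2]

def summarize(text):
    """Count distinct denials; permissive=1 records were logged but not blocked."""
    enforced, permissive = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = permissive if rec.get("permissive") == "1" else enforced
        for perm in rec["perms"]:
            key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"], perm)
            bucket[key] += 1
    return enforced, permissive

if __name__ == "__main__":
    enforced, permissive = summarize(SAMPLE)
    for key, count in enforced.most_common():
        print(count, *key)
```

      Only the enforced bucket lists accesses the policy actually refused; the permissive=1 record at 12:04:35 shows the same unlink being logged but allowed.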
       

              rhn-engineering-vbenes Vladimir Benes
              fpokryvk@redhat.com Filip Pokryvka
              Network Management Team Network Management Team
              Vladimir Benes Vladimir Benes