View Issue Details

ID: 0012787
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2021-10-05 14:51
Reporter: StarsKim
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0012787: SELinux is preventing /usr/sbin/NetworkManager from 'unlink' accesses on the file resolv.conf.

Description:
Description of problem:
SELinux is preventing /usr/sbin/NetworkManager from 'unlink' accesses on the file resolv.conf.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow NetworkManager to have unlink access on the resolv.conf file
Then 必须更改 resolv.conf 中的标签
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
其中 FILE_TYPE 为以下内容之一:NetworkManager_etc_rw_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, dhcpc_state_t, dhcpc_var_run_t, dnsmasq_var_run_t, hostname_etc_t, named_cache_t, net_conf_t, pppd_var_run_t, systemd_passwd_var_run_t。
restorecon -v 'resolv.conf'

***** Plugin catchall (17.1 confidence) suggests **************************

If 确定应默认允许 NetworkManager unlink 访问 resolv.conf file。
Then 应该将这个情况作为 bug 报告。
allow this access for now by executing:
# ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
# semodule -i my-NetworkManager.pp

Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context unconfined_u:object_r:etc_t:s0
Target Objects resolv.conf [ file ]
Source NetworkManager
Source Path /usr/sbin/NetworkManager
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-514.6.1.el7.x86_64 #1 SMP
                              Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count 4
First Seen 2017-02-06 21:52:05 CST
Last Seen 2017-02-06 21:56:34 CST
Local ID c4122f56-a104-4390-9372-b8d0cfe0a4a4

Raw Audit Messages
type=AVC msg=audit(1486389394.177:199): avc: denied { unlink } for pid=648 comm="NetworkManager" name="resolv.conf" dev="sda3" ino=101769123 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

Hash: NetworkManager,NetworkManager_t,etc_t,file,unlink

Version-Release number of selected component:
Additional Information:
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-514.6.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.

2021-10-05 14:51

reporter   ~0038655

Another user experienced a similar problem:

Probably occurred after switching on VPN.

reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-1160.42.2.el7.x86_64
package: selinux-policy-3.13.1-268.el7_9.2.noarch
reason: SELinux is preventing /usr/sbin/NetworkManager from 'unlink' accesses on the soubor /etc/resolv.conf.
reproducible: Not sure how to reproduce the problem
type: libreport

Issue History

Date Modified Username Field Change
2017-02-06 14:05 StarsKim New Issue
2021-10-05 14:51 pkubanek Note Added: 0038655