Wow! I just upgraded to f38 from f37, and I’m getting hundreds of selinux-related audit reports.
The vast majority of them are coming from read requests by ‘systemd-resolved’ for the file /etc/resolv.conf, although some of them are from vpn-related command requests to that same file.
I following the advice in the system-update documentation on cleaning up after the dnf system-update reboot and executed sudo fixfiles -B onboot and re-booted. That did not fix things with selinux for me.
Thanks so much for your quick response to my question! Unfortunately, I’m still in the same state after running your recommended command. It did relabel on re-boot, then automagically rebooted.
My notifications are strobing, faster than a blink of an eye, hundreds of times, with SELinux security alerts on this. Here’s a typical one:
Source Context system_u:system_r:systemd_resolved_t:s0
Target Context system_u:object_r:NetworkManager_etc_rw_t:s0
Target Objects /etc/resolv.conf [ lnk_file ]
Source systemd-resolve
Source Path /usr/lib/systemd/systemd-resolved
Port <Unknown>
Host jrredho-lt3
Source RPM Packages systemd-resolved-253.2-1.fc38.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.11-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.11-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name jrredho-lt3
Platform Linux jrredho-lt3 6.2.12-300.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Thu Apr 20 23:05:25 UTC 2023
x86_64
Alert Count 49
First Seen 2023-04-27 21:27:28 MDT
Last Seen 2023-04-27 21:27:44 MDT
It makes sense since the source and target contexts are in disagreement. It is very disquieting.
Thanks to you, too, Vladislav, for your suggestion!
Still no love from my laptop, though. I had no idea before this just how often DNS queries are made!
The results from both the journalctl and ls commands are consistent with what I listed in the snippet I copied in my OP, although, there is an inconsistency between the symbolic link’s permissions:
But I’m getting strobed with notifications to the point where I feel like I’m risking getting hypnotized by them. Hypnotized or not, I’m definitely confused.
Hey Villy, thanks for this suggestion! And, yep, it did work.
I do have the continual problem that upon reboot, this link gets recreated with the original context that I showed earlier. I’m using Mullvad VPN application, which might be the culprit. I’ll work to track that down from here…
Thanks again, everyone, for your kind attention to my little issue!
This is telling me that before the systemd-resolved service is started, NetworkManager has already removed, then relinked /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf. When it does this relinking the link is given SELinux context system_u:object_r:NetworkManager_etc_rw_t:s0.
I believe that the above is the root of all of my troubles. Can anyone suggest how I might take this further towards a resolution?
My apologies for this long winded thread for which the OP is a naive actor, to say the least. Now I finally think I have this sorted out.
I re-booted my machine, then did the remove and re-symbolic link thing suggested above.
Then I did the following:
When I re-checked my the context for /etc/resolv.conf, it was back to
I think that this means there is an SELinux context for /etc/resolv.conf that is incorrectly defined in the current policy. Is there a way for me to correct this manually on my system?
It is more a question of what customizations has been done in the past. Or if Mullvad has installed some SELinux rules incompatible with Fedoras SELinux configurations. This will be hard to diagnose remotely; it all depends on the history of the system all the way back to the first installation.
I don’t doubt this for a second! It does seem odd to me that the context for /etc/resolv.conf is identical to that of the directory /etc/NetworkManager.
For the time being, I have a support question in with Mullvad on this. I will report back if I learn more.
One test to confirm if Mullvad is the cause would be to disable Mullvad, reset the link as you have done previously so it works, then reboot. See if the context remains proper.
Then enable Mullvad and see if the context changes.
This is just one possible way to confirm that Mullvad may be the cause of the problem.
So it seems that the match in the file_contexts regexp is being overridden by the explicit match in file_contexts.local, or that the fact it’s in that latter file is the reason regardless of it being an explicit match. Maybe one of my other VPN applications has created this situation. (Confession: I also had ProtonVPN installed for the first round of dnf system-upgrade...; I removed it prior to the second round with --setopt=keepcache=1.)
If I catfilecontexts.local, I see the following:
# This file is auto-generated by libsemanage
# Do not edit directly.
/usr/lib/chromium-browser system_u:object_r:bin_t:s0
/usr/lib/chromium-browser/chromium-browser.sh system_u:object_r:bin_t:s0
/usr/lib/chrome-sandbox system_u:object_r:chrome_sandbox_exec_t:s0
/var/cache/Canon/CUPS_SFPR system_u:object_r:cupsd_var_run_t:s0
/etc/resolv.conf system_u:object_r:NetworkManager_etc_rw_t:s0
However I got to this point is a complete mystery.
Okay, on to the next mystery in my little epic…
I’m a little confused by this one. Would this not change the context to what I already have in file_contexts.local? Is there a way to remove this latter entry all together?
That is exactly what is happening, and what I suspected was the case. file_contexts.local is your local modifications of the SELinux rules and will override the Fedora provided rules. You should be able to use the system-config-selinux tool to remove that entry and that should solve your problem.
Thanks so much to you both for all of the help. This was far, far more educational than just merely fixing this crazy situation that I’ve managed to get myself into.
