Why does NetworkManager ignore config files when SELinux is enabled?

Related to this issue. After over a month of rumination, I’ve got back to this topic, and advanced a bit further.

I’m trying to set up a system based on AlmaLinux 9.2, to use SELinux and NetworkManager, with a read-only rootfs. For various reasons, I want to keep my ‘keyfiles’ on a separate partition. I have added a small config file /etc/NetworkManager/conf.d/20-system-connections.conf, which contains:

[keyfile]
path=/data/etc/NetworkManager/system-connections/

As long as SELinux is ‘Permissive’ this works very well.

But, as soon as I have SELinux ‘Enforcing’, NetworkManager refuses to read the config file. Looking at journalctl -u NetworkManager | grep 'Read config' I see that it doesn’t read the ‘extra’ config files from /etc/NetworkManager/conf.d/ :

SELinux Enforcing:

Feb 05 16:34:23 almatest NetworkManager[39809]: <info>  [1707147263.6083] Read config: /etc/NetworkManager/NetworkManager.conf (run: 15-carrier-timeout.conf)

(Note - no 20-system-connections.conf)

SELinux Permissive:

Feb 05 16:40:59 almatest NetworkManager[43518]: <info>  [1707147659.1304] Read config: /etc/NetworkManager/NetworkManager.conf (run: 15-carrier-timeout.conf) (etc: 20-system-connections.conf)

(Note - there it is!)

I have set the SELinux context with semanage fcontext -a -e /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/conf.d/20-system-connections.conf - and it shows up as a ‘Local fcontext Equivalence’ with semanage fcontext --list, and

$ ls -lZ /etc/NetworkManager/conf.d/20-system-connections.conf /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 2291 Feb  5 16:34 /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0  275 Feb  5 15:06 /etc/NetworkManager/conf.d/20-system-connections.conf

This is all based on AlmaLinux 9.2, using NetworkManager-1.42.2-1.el9.x86_64.

What am I doing wrong?

I have tried adding

[logging]
domains=ALL:TRACE

in the /etc/NetworkManager/NetworkManager.conf - but it doesn’t add anything interesting.

I’m finding SELinux a highly confusing can of worms - but at the same time rather intriguing.

(Side issue - I was expecting to see any kind of ‘access violation’ in either /var/log/secure or /var/log/audit/audit.log - but the former is empty (presumably replaced by systemd-journald - but as what ‘unit’?) and the latter doesn’t seem to contain anything relevant.)

SELinux has rules to filter out – to not log – some messages. You can disable them to get more:

The journalctl shows all logs if you don't limit it to a specific unit. (It shows with a pager – less – so one could search, or grep the output, if you have a word to look for.)

The systemd-journald keeps logs in memory, unless told to write them to files too. Whether in RAM or files, the journalctl is the tool to read.

If rsyslog is installed, then it will write to the "old format", to /var/log/ files. (IIRC, it now gets data from systemd-journald.)
Early versions of CentOS/Alma 8 did not install rsyslog in the "Minimal environment". These days it does get installed.

Thanks - I’ll look into the dontaudit rules. The whole SELinux configuration is quite counterintuitive, but I’ll get there…

For the journald logs, I’m getting swamped with some debug logs from another project, but I’m trying to filter it out. Maybe I have a dontaudit that stops me from seeing something?

Is there no simple replacement for /var/log/secure?

It gets logged in journald now, so journalctl.

That’s part of my problem. As what ‘unit’ does it get logged? I do a journalctl -u NetworkManager --follow and don’t see anything untoward.

(Even if I don’t filter out anything - a basic journalctl --follow, I don’t see anything odd.)

vwbusguy wrote:
> It gets logged in journald now, so journalctl.

Actually - it looks like journalctl --facility=authpriv is pretty much the same as good old /var/log/secure (but with prettier presentation).


The /etc/rsyslog.conf has (among other things):

module(load="imuxsock"      # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off")   # Turn off message reception via local log socket;
                            # local messages are retrieved through imjournal now.
module(load="imjournal"     # provides access to the systemd journal
       UsePid="system"      # PID number is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal

So it looks like rsyslogd does actually read data from journald.
Naturally, the rules choose where rsyslogd writes to:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Some facilities – one attribute in syslog messages – are there too.
Yes, --facility=authpriv is the same filter as rsyslogd uses to choose what to write to /var/log/secure.

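To make the equivalence above concrete, here is an added example (not from the thread, and not rsyslog's own code) that applies the two selectors quoted from /etc/rsyslog.conf, authpriv.* and *.info;mail.none;authpriv.none;cron.none, to constructed journal records written in the KEY=VALUE style of journalctl -o export. The records, units and messages are invented for illustration. Facility and priority numbers follow RFC 5424 (authpriv is 10, mail 2, cron 9, daemon 3; info is 6, debug 7), which is also why journalctl --facility=authpriv and journalctl SYSLOG_FACILITY=10 select the same entries.

```shell
#!/bin/sh
# Added example: replays rsyslog's facility/priority selectors over journal
# records so the "journalctl --facility=authpriv == /var/log/secure" claim
# can be checked offline. Not code from the thread or from rsyslog.

# Constructed sample in `journalctl -o export` style: KEY=VALUE lines, one
# blank line between records. Everything here is invented for illustration.
SAMPLE='PRIORITY=6
SYSLOG_FACILITY=10
_SYSTEMD_UNIT=sshd.service
MESSAGE=Accepted publickey for root from 192.0.2.10 port 52214 ssh2

PRIORITY=6
SYSLOG_FACILITY=3
_SYSTEMD_UNIT=NetworkManager.service
MESSAGE=<info>  [1707147263.6083] Read config: /etc/NetworkManager/NetworkManager.conf

PRIORITY=7
SYSLOG_FACILITY=3
_SYSTEMD_UNIT=NetworkManager.service
MESSAGE=<debug> keyfile: scanning /data/etc/NetworkManager/system-connections/

PRIORITY=5
SYSLOG_FACILITY=9
_SYSTEMD_UNIT=crond.service
MESSAGE=(root) CMD (run-parts /etc/cron.hourly)

PRIORITY=6
SYSLOG_FACILITY=3
_SYSTEMD_UNIT=systemd-logind.service
MESSAGE=New session 3 of user root.

PRIORITY=4
SYSLOG_FACILITY=10
_SYSTEMD_UNIT=systemd-logind.service
MESSAGE=pam_unix(login:auth): authentication failure
'

# route: prints "<logfile> <MESSAGE>" for every record that one of the two
# rsyslog selectors would deliver. awk paragraph mode (RS="") with FS="\n"
# makes each record one awk "line" whose fields are the KEY=VALUE lines.
route() {
  printf '%s\n' "$SAMPLE" | awk -v RS= -F'\n' '
  {
    fac = ""; pri = ""; msg = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SYSLOG_FACILITY=/)  fac = substr($i, 17)
      else if ($i ~ /^PRIORITY=/)    pri = substr($i, 10)
      else if ($i ~ /^MESSAGE=/)     msg = substr($i, 9)
    }
    # authpriv.*  ->  /var/log/secure   (== journalctl --facility=authpriv)
    if (fac + 0 == 10) print "secure " msg
    # *.info;mail.none;authpriv.none;cron.none  ->  /var/log/messages
    # Syslog severities count down toward "more severe", so *.info means
    # priority <= 6; the ".none" clauses drop mail(2), authpriv(10), cron(9).
    if (pri + 0 <= 6 && fac + 0 != 2 && fac + 0 != 10 && fac + 0 != 9)
      print "messages " msg
  }'
}

route
```

Run it and the two authpriv records (the ssh login and the PAM failure) come out tagged secure, exactly the set journalctl --facility=authpriv would show; the NetworkManager debug line is dropped by *.info, and the cron line by cron.none. On a live box the same filter is journalctl --facility=authpriv -o export, with no sample variable needed.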

Thanks for the help!

The most important hint was 'SELinux marks some rules as “dontaudit” '. It turns out that it’s possible to temporarily disable the ‘dontaudit’, with semanage --build --disable_dontaudit. Then the violations appear in /var/log/auditd/audit.log - and it’s possible to use audit2allow to make a rule to accept it.

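The workflow the last post arrives at (switch off dontaudit, read the denials, hand them to audit2allow) in an added example that is not from the thread and not from the SELinux tools themselves: a shell function that reduces raw audit.log AVC records to the allow-rule shape audit2allow prints, so a denial can be read and judged before anything is allowed. It runs over constructed records; the contexts, pid, inode numbers and paths are invented for illustration and are not a capture from the poster's machine. The real commands for each step are in the comments.

```shell
#!/bin/sh
# Added example: summarise AVC denials the way audit2allow groups them.
# Not code from the thread or from policycoreutils.
#
# The on-box sequence the summary stands in for:
#   semodule -DB                       # disable dontaudit rules and rebuild policy
#   ausearch -m AVC,USER_AVC -ts recent   # or: grep -w denied /var/log/audit/audit.log
#   audit2allow -a -M local_nm         # -a reads the audit log, -M writes local_nm.te/.pp
#   audit2why -a                       # explains *why* each access was denied
#   semodule -i local_nm.pp            # only if an allow rule really is the right fix
#   semodule -B                        # re-enable dontaudit once you are done

# Constructed audit.log excerpt. Two AVC records share one (source, target,
# class) triple with different permissions; the third hits a directory; the
# SYSCALL record must be ignored.
AVC_LOG='type=AVC msg=audit(1707147263.608:2201): avc:  denied  { read } for  pid=39809 comm="NetworkManager" name="20-system-connections.conf" dev="sda3" ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707147263.608:2201): avc:  denied  { open } for  pid=39809 comm="NetworkManager" path="/data/etc/NetworkManager/system-connections/20-system-connections.conf" dev="sda3" ino=1234 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707147263.609:2202): avc:  denied  { search } for  pid=39809 comm="NetworkManager" name="system-connections" dev="sda3" ino=77 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1707147263.608:2201): arch=c000003e syscall=257 success=no exit=-13 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
'

# avc_summary: one "allow <source type> <target type>:<class> { perms };"
# line per (source, target, class) triple, permissions merged and
# de-duplicated, output sorted so it is stable. This is the shape
# audit2allow emits; compare its output with this before installing anything.
avc_summary() {
  printf '%s\n' "$AVC_LOG" | awk '
  $1 == "type=AVC" && / denied / {
    # permissions are the words between the braces
    perms = $0; sub(/^.*\{ */, "", perms); sub(/ *\}.*$/, "", perms)
    stype = ""; ttype = ""; tclass = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      # a context is user:role:type:level; the type is the third component
      if (kv[1] == "scontext")      { split(kv[2], c, ":"); stype = c[3] }
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
      else if (kv[1] == "tclass")   tclass = kv[2]
    }
    key = stype " " ttype ":" tclass
    n = split(perms, p, " ")
    for (j = 1; j <= n; j++)
      if (index(" " seen[key] " ", " " p[j] " ") == 0)
        seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
  }
  END { for (k in seen) print "allow " k " { " seen[k] " };" }' | sort
}

avc_summary
```

Reading the summary before running audit2allow matters: when the target type is something like default_t or unlabeled_t on a separately mounted path, the denial is a labelling problem, and the right fix is a semanage fcontext rule plus restorecon -Rv on that path, not an allow rule that grants the daemon access to every file of that generic type. Also remember that semodule -DB leaves the dontaudit rules disabled until semodule -B is run again, and the audit log gets much noisier in the meantime.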