Related to this issue. After over a month of rumination, I’ve got back to this topic, and advanced a bit further.
I’m trying to set up a system based on AlmaLinux 9.2, to use SELinux and NetworkManager, with a read-only rootfs. For various reasons, I want to keep my ‘keyfiles’ on a separate partition. I have added a small config file /etc/NetworkManager/conf.d/20-system-connections.conf, which contains:
[keyfile]
path=/data/etc/NetworkManager/system-connections/
As long as SELinux is ‘Permissive’ this works very well.
But, as soon as I have SELinux ‘Enforcing’, NetworkManager refuses to read the config file. Looking at journalctl -u NetworkManager | grep 'Read config' I see that it doesn’t read the ‘extra’ config files from /etc/NetworkManager/conf.d/:
SELinux Enforcing:
Feb 05 16:34:23 almatest NetworkManager[39809]: <info> [1707147263.6083] Read config: /etc/NetworkManager/NetworkManager.conf (run: 15-carrier-timeout.conf)
(Note - no 20-system-connections.conf)
SELinux Permissive:
Feb 05 16:40:59 almatest NetworkManager[43518]: <info> [1707147659.1304] Read config: /etc/NetworkManager/NetworkManager.conf (run: 15-carrier-timeout.conf) (etc: 20-system-connections.conf)
(Note - there it is!)
I have set the SELinux context with semanage fcontext -a -e /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/conf.d/20-system-connections.conf - and it shows up as a ‘Local fcontext Equivalence’ with semanage fcontext --list, and
$ ls -lZ /etc/NetworkManager/conf.d/20-system-connections.conf /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 2291 Feb 5 16:34 /etc/NetworkManager/NetworkManager.conf
-rw-r--r--. 1 root root system_u:object_r:NetworkManager_etc_rw_t:s0 275 Feb 5 15:06 /etc/NetworkManager/conf.d/20-system-connections.conf
This is all based on AlmaLinux 9.2, using NetworkManager-1.42.2-1.el9.x86_64.
What am I doing wrong?
I have tried adding
[logging]
domains=ALL:TRACE
in the /etc/NetworkManager/NetworkManager.conf - but it doesn’t add anything interesting.
I’m finding SELinux a highly confusing can of worms - but at the same time rather intriguing.
(Side issue - I was expecting to see any kind of ‘access violation’ in either /var/log/secure or /var/log/audit/audit.log - but the former is empty (presumably replaced by systemd-journald - but as what ‘unit’?) and the latter doesn’t seem to contain anything relevant.)