Fedora 40 system cold boot shows 10 SELinux errors from NetworkManager on files in /run/NetworkManager. The contents of this directory seem to be created during the boot process. They are owned by root and writable, but apparently not in the correct SELinux context. My attempt to submit a bug to bugzilla failed for some reason. This status has persisted through several of the latest kernels. The connection to the network ethernet and wifi worked.
SELinux is preventing NetworkManager from 'create' accesses on the directory devices.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that NetworkManager should be allowed create access on the devices directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
    # ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
    # semodule -X 300 -i my-NetworkManager.pp

Additional Information:
    Source Context      system_u:system_r:NetworkManager_t:s0
    Target Context      system_u:object_r:init_var_run_t:s0
    Target Objects      devices [ dir ]
    Source              NetworkManager
    Source Path         NetworkManager
    Port                <Unknown>
    Host                (removed)
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM  selinux-policy-targeted-40.22-1.fc40.noarch
    Local Policy RPM    selinux-policy-targeted-40.22-1.fc40.noarch
    Selinux Enabled     True
    Policy Type         targeted
    Enforcing Mode      Permissive
    Host Name           (removed)
    Platform            Linux (removed) 6.9.4-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024 x86_64
    Alert Count         21
    First Seen          2024-05-28 00:04:33 EDT
    Last Seen           2024-06-27 10:24:55 EDT
    Local ID            63afcb5d-e83d-4a9e-8a3a-8d3abdac3b16

Raw Audit Messages
    type=AVC msg=audit(1719498295.202:132): avc: denied { create } for pid=7409 comm="NetworkManager" name="devices" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
Hash: NetworkManager,NetworkManager_t,init_var_run_t,dir,create
SELinux is preventing NetworkManager from open access on the file /run/NetworkManager/conf.d/10-globally-managed-devices.conf.
Plugin: restorecon

SELinux denied access requested by NetworkManager. /run/NetworkManager/conf.d/10-globally-managed-devices.conf may be mislabeled. /run/NetworkManager/conf.d/10-globally-managed-devices.conf default SELinux type is NetworkManager_var_run_t, but its current type is init_var_run_t. Changing this file back to the default type may fix your problem.

File contexts can be assigned to a file in the following ways. Files created in a directory receive the file context of the parent directory by default. The SELinux policy might override the default label inherited from the parent directory by specifying that a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhcpc_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package.
SELinux is preventing NetworkManager from 'setattr' accesses on the file lo.nmconnection.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that NetworkManager should be allowed setattr access on the lo.nmconnection file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
    # ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
    # semodule -X 300 -i my-NetworkManager.pp

Additional Information:
    Source Context      system_u:system_r:NetworkManager_t:s0
    Target Context      system_u:object_r:init_var_run_t:s0
    Target Objects      lo.nmconnection [ file ]
    Source              NetworkManager
    Source Path         NetworkManager
    Port                <Unknown>
    Host                (removed)
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM  selinux-policy-targeted-40.22-1.fc40.noarch
    Local Policy RPM    selinux-policy-targeted-40.22-1.fc40.noarch
    Selinux Enabled     True
    Policy Type         targeted
    Enforcing Mode      Permissive
    Host Name           (removed)
    Platform            Linux (removed) 6.9.4-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jun 12 13:33:34 UTC 2024 x86_64
    Alert Count         40
    First Seen          2024-05-28 00:04:36 EDT
    Last Seen           2024-06-27 10:24:55 EDT
    Local ID            93e082cc-423c-4a80-96d7-58e62cf9f527

Raw Audit Messages
    type=AVC msg=audit(1719498295.857:143): avc: denied { setattr } for pid=7409 comm="NetworkManager" name="lo.nmconnection" dev="tmpfs" ino=2901 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1
Hash: NetworkManager,NetworkManager_t,init_var_run_t,file,setattr
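The restorecon plugin above makes the key point: these denials are a labeling problem (files under /run/NetworkManager carry the generic init_var_run_t instead of NetworkManager_var_run_t), so the catchall's audit2allow module would paper over a mislabel rather than fix it. The following is an added example, not code from the post or from setroubleshoot: it parses raw AVC lines like the two quoted above, rebuilds the same "Hash:" summary setroubleshoot prints, and triages each denial as "mislabel" versus "policy gap". The EXPECTED_RUN_TYPE mapping is an assumption for this illustration, not policy data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the AVC body: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (not from the page): domains whose runtime files should carry a dedicated
# type. A denial whose target is the generic init_var_run_t is then a mislabel to fix
# with restorecon, not a missing rule to grant with audit2allow.
EXPECTED_RUN_TYPE = {"NetworkManager_t": "NetworkManager_var_run_t"}

@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]

    def _type(self, key: str) -> str:
        return self.fields[key].split(":")[2]  # user:role:type:level -> type

    def hash_line(self) -> str:
        # Same shape as the "Hash:" line setroubleshoot prints under each alert
        return ",".join([self.fields["comm"], self._type("scontext"),
                         self._type("tcontext"), self.fields["tclass"], *self.perms])

    def triage(self) -> str:
        expected = EXPECTED_RUN_TYPE.get(self._type("scontext"))
        if expected and self._type("tcontext") == "init_var_run_t":
            return f"mislabel: expected {expected}, run restorecon on the parent dir"
        return "policy gap: review with audit2allow before allowing"

def parse_avc(line: str) -> Optional[AvcDenial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcDenial(m.group("perms").split(), fields)

# The two raw audit messages quoted in the post above
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1719498295.202:132): avc: denied { create } for pid=7409 comm="NetworkManager" name="devices" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1719498295.857:143): avc: denied { setattr } for pid=7409 comm="NetworkManager" name="lo.nmconnection" dev="tmpfs" ino=2901 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=1',
]

def triage_log(lines: List[str]) -> List[str]:
    # One "hash -> verdict" line per AVC record; non-AVC lines are skipped
    parsed = (parse_avc(line) for line in lines)
    return [f"{d.hash_line()} -> {d.triage()}" for d in parsed if d is not None]
```

Feed it the output of `ausearch -m avc --raw` to see which alerts are relabel candidates before generating any local policy module.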