nmtui gets a (permission denied) when editing ifcg-eht0

Linode Staff

When I try to configure networking with nmtui, it tells me that it can't write to /etc/sysconfig/network-scripts/ifcfg-eth0 (permission denied). I was actually able to edit /etc/sysconfig/network-scripts/ifcfg-eth0 directly (using vi/vim in this case) but should nmtui not also work?

2 Replies

Linodes that are using CentOS 7 utilize both the NetworkManager daemon, and security enhancer SELinux. SELinux can be somewhat strict on which processes can read/write to files, regardless of if you're running them as the root user. You can see in the audit.log file that NetworkManager is getting blocked by SELinux when trying to edit ifcfg-eth0 using nmtui:

type=AVC msg=audit(1582689710.875:161): avc: denied { write } for pid=2574 comm="NetworkManager" name="ifcfg-eth0" dev="sda" ino=13 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

The way that SELinux determines what processes are permitted to edit certain files is something called Security Context Labels. Each Label contains a user, a role, a type, and a level:

We can use the process status command with the flags -eZ to determine a processes type in SELinux. Here we can see that the type that NetworkManager uses in SELinux is NetworkManager_t.

ps -eZ | grep NetworkManager
system_u:system_r:NetworkManager_t:s0 2574 ?  00:00:01 NetworkManager

Taking a look at this man page, you’ll see a list of SELinux file label types that NetworkManager_t can manage. Looks like the file /etc/sysconfig/network-scripts/ifcfg-eth0 should have a net_conf_t type. Not sure if it’s an issue caused by Linode Network Helper, but it looks like it isn’t set properly:

ls -lZ /etc/sysconfig/network-scripts/
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 ifcfg-eth0
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 ifcfg-lo

Take note of the part in the ifcfg-eth0 line that says :unlabeled. This should match with the label for the ifcfg-lo beneath it. This type mismatch is what is causing the file to be unwritable.

We can temporarily fix this by updating the file’s security context type by using the chcon command:

chcon -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
systemctl restart NetworkManager.service

However, this doesn't update the actual SELinux definitions. If the file ever gets relabeled, it’ll reset to the original value (which we don’t want). To make it permanent, we need to utilize a tool like semanage (this doesn’t come with our CentOS 7 image by default).

yum provides /usr/sbin/semanage shows us the package we need to get that sweet command:

yum provides /usr/sbin/semanage
policycoreutils-python-2.5-33.el7.x86_64 : SELinux policy core python utilities
Repo    : base
Matched from:
Filename  : /usr/sbin/semanage

On my test server, the following commands were able to get them in the right place permanently:

sudo yum install policycoreutils-python -y
semanage fcontext -a -t net_conf_t /etc/sysconfig/network-scripts/ifcfg-eth0
restorecon -R /etc/sysconfig/network-scripts/ifcfg-eth0
systemctl restart NetworkManager.service

TLDR; try using the commands listed above and you should permanently be able to use nmtui to properly configure the eth0 interface! Keep in mind this requires our Network Helper to be turned off, rebooting with Network Helper enabled will revert any changes you made to your eth0 interface and set the type back to :unlabeled. If this happens you'll need to reapply all changes after disabling Network Helper.

This is quite a bit later, but I did want to add that there is a way to do this with a lot less effort if you don't mind forfeiting SElinux altogether and switching from the GRUB2 kernel that the CentOS distributions use by default.

Since this issue is caused by SElinux, our custom Linode kernel (which does not include SElinux) does not have this issue. You can simply change your kernel to the "latest 64-bit" selection and reboot the system, and nmtui will work normally. Keep in mind that if you are making any custom configurations to the network interface, you'll still want to disable Network Helper to avoid your customizations being overwritten on the next reboot.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct