AVCs on bringing up a network device via hotplug.
Aleksey Nogin
aleksey at nogin.org
Thu Mar 11 16:33:37 UTC 2004
On 11.03.2004 08:20, Bill Nottingham wrote:
> Perhaps we need a network-init role, used by /etc/init.d/network,
> that hotplug (and others) can transition to?
Yes, this seems like a good idea. "and others" should probably include
at least APM/ACPI (for suspend/resume scripts).
But also note that part of the AVCs comes from the following fragment of
/sbin/ifup:
...
# Remove any temporary references which were previously added to dhclient config
if [ -w /etc/dhclient-${DEVICE}.conf ] && [ -x /sbin/dhclient ] ; then
    LC_ALL=C grep -v "# temporary RHL ifup addition" /etc/dhclient-${DEVICE}.conf > /etc/dhclient-${DEVICE}.conf.ifupnew 2> /dev/null
    cat /etc/dhclient-${DEVICE}.conf.ifupnew > /etc/dhclient-${DEVICE}.conf
    rm -f /etc/dhclient-${DEVICE}.conf.ifupnew
fi
if [ -n "${DYNCONFIG}" ]; then
    PUMPARGS=$PUMPARGS
    DHCPCDARGS="$DHCPCDARGS -n"
    DHCLIENTARGS="${DHCLIENTARGS} -1 -q -lf /var/lib/dhcp/dhclient-${DEVICE}.leases -pf /var/run/dhclient-${DEVICE}.pid -cf /etc/dhclient-${DEVICE}.conf"
    if [ -n "${DHCP_HOSTNAME}" ]; then
        # Send a host-name to the DHCP server (requ. by some dhcp servers).
        PUMPARGS="${PUMPARGS} -h ${DHCP_HOSTNAME}"
        DHCPCDARGS="${DHCPCDARGS} -h ${DHCP_HOSTNAME}"
        if [ -x /sbin/dhclient ] ; then
            if [ -w /etc/dhclient-${DEVICE}.conf ] ; then
                if ! LC_ALL=C grep "send *host-name *\"${DHCP_HOSTNAME}\"" /etc/dhclient-${DEVICE}.conf > /dev/null 2>&1 ; then
                    echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
                fi
            elif ! [ -e /etc/dhclient-${DEVICE}.conf ] ; then
                echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
            fi
        fi
    fi
...
It seems that the least it could do is to check whether a "temporary RHL
ifup addition" line is in fact present in the config _before_ trying to
mess with it. And in general, allowing the ifup script to mess with the
DHCP config does not seem like such a good idea.
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
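
The check suggested in the message above, sketched as an added example (not part of the original post and not initscripts code): the config is opened for writing only when a marker line is actually present, so a clean config produces no write attempt at all. The helper name strip_temp_lines and its return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: guard the dhclient config cleanup with a read-only check.
MARKER="# temporary RHL ifup addition"

# strip_temp_lines FILE   (hypothetical helper, not part of /sbin/ifup)
# Returns 0 if marker lines were removed, 1 if there was nothing to do,
# 2 on error.
strip_temp_lines() {
    conf=$1
    [ -f "$conf" ] || return 1

    # Read-only test first: without a marker line the file is never
    # opened for writing and no scratch file is created.
    LC_ALL=C grep -qF -- "$MARKER" "$conf" || return 1

    [ -w "$conf" ] || return 2

    # Scratch copy goes to the default temp directory, so nothing new is
    # created next to the config (the quoted fragment writes *.ifupnew
    # into /etc).
    tmp=$(mktemp) || return 2

    # grep -v exits 1 when every line was a marker line; that is a valid
    # (empty) result. Only an exit status above 1 is a real failure.
    LC_ALL=C grep -vF -- "$MARKER" "$conf" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"
        return 2
    }

    # Write back into the existing file rather than renaming over it, so
    # its inode, mode and security context stay as they were (the quoted
    # fragment does the same with cat).
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 0
}
```

In an ifup-style script the call would be strip_temp_lines "/etc/dhclient-${DEVICE}.conf"; a return of 1 means the file was left untouched.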
More information about the fedora-selinux-list
mailing list