AVCs on bringing up a network device via hotplug.
Russell Coker
russell at coker.com.au
Sat Mar 13 05:39:59 UTC 2004
On Fri, 12 Mar 2004 02:38, Aleksey Nogin <aleksey at nogin.org> wrote:
> audit(1079019200.094:0): avc: denied { net_admin } for pid=18206
> exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t
> tcontext=system_u:system_r:hotplug_t tclass=capability
What happens if you give /sbin/nameif the type ifconfig_exec_t?
> audit(1079019200.519:0): avc: denied { getattr } for pid=18144
> exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943
> scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:dhcp_etc_t tclass=file
> audit(1079019200.521:0): avc: denied { write } for pid=18221
> exe=/bin/bash name=etc dev=hda2 ino=228929
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { add_name } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { create } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=file
It looks like it's replacing the dhclient.conf file. We don't want to give
hotplug write access to etc_t (/etc/passwd). We could do the following:
file_type_auto_trans(hotplug_t, etc_t, dhcp_etc_t, { file lnk_file })
But then we might have the same problem with hotplug wanting to write some
other type of file.
Could we use a /etc/dhcpc/ directory?
> audit(1079019200.778:0): avc: denied { dac_override } for pid=18241
> exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability
> audit(1079019203.873:0): avc: denied { fsetid } for pid=18339
> exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability
I've already added dac_override to my tree, I'm still considering fsetid (see
my message in the other thread).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
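As an added example (not part of Russell's message or the SELinux policy sources), the script below does by hand what audit2allow does with the AVC lines quoted above: it parses the old-style "avc: denied" records, aggregates permissions per (source type, target type, class) and prints candidate allow rules. It also flags the point the reply makes: a rule that grants write/create/add_name to hotplug_t on etc_t is too broad because etc_t also labels /etc/passwd, so those should be handled with a type transition to a narrower type instead. The AVC lines are the ones from the thread, re-joined onto single lines; the MUTATING and BROAD_TYPES sets are this example's own assumptions.

```python
import re
from collections import defaultdict

# The AVC lines quoted in the thread, re-joined onto one line each
# (the 2004-era audit format, before "type=AVC msg=audit(...)" prefixes).
SAMPLE_AVCS = """\
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

# Assumptions of this example: permissions that change the target, and
# target types broad enough that a blanket rule is a policy bug.
MUTATING = {"write", "append", "create", "add_name", "remove_name",
            "rename", "unlink", "setattr"}
BROAD_TYPES = {"etc_t"}  # etc_t covers /etc/passwd, /etc/shadow's directory, etc.


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., 'tcontext': ..., 'tclass': ...}
    for one denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"perms": perms, **fields}


def type_of(context):
    """system_u:system_r:hotplug_t -> hotplug_t (user:role:type[:mls])."""
    return context.split(":")[2]


def aggregate(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def to_allow_rules(rules):
    """Render aggregated denials as policy allow rules, audit2allow style."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def review(rules):
    """Flag rules that would grant mutating access to a broad target type.
    These are the ones to replace with a file_type_auto_trans() to a
    narrower type (e.g. dhcp_etc_t) rather than allowing outright."""
    warnings = []
    for (s, t, c), perms in sorted(rules.items()):
        bad = perms & MUTATING
        if t in BROAD_TYPES and bad:
            warnings.append(f"{s} -> {t}:{c} {sorted(bad)}: too broad, "
                            f"use a type transition to a specific type instead")
    return warnings


if __name__ == "__main__":
    agg = aggregate(SAMPLE_AVCS)
    for rule in to_allow_rules(agg):
        print(rule)
    for w in review(agg):
        print("WARNING:", w)
```

The generated `allow hotplug_t etc_t:dir { add_name write };` and `allow hotplug_t etc_t:file { create };` are exactly the rules the reply argues against; the review step prints them as warnings so they are not pasted into the policy unread.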
More information about the fedora-selinux-list mailing list