temp files & debugging
Steve
zephod at cfl.rr.com
Mon Feb 9 14:22:22 UTC 2009
I am attempting to figure out why my dhclient process sometimes gets the correct hostname from the server and sometimes it doesn't. I want to do this by turning on logging and sending the output to a temp file. I am running F9 and so I changed the line in /etc/sysconfig/network-scripts/ifup-eth from:
if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE}; then
to:
if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} > /var/log/dhclient.log 2>&1; then
after changing the DHCLIENTARGS switch -q to -v. When this runs at boot time I get an empty /var/log/dhclient.log file. When I try to run dhclient manually I get a SELinux denial:
SELinux is preventing dhclient (dhcpc_t) "write" to /var/log/dhclient.log (var_log_t).
OK, that makes sense, so what do I have to modify to allow the log file to be written? This is just temporary, so I'm hoping that I don't have to modify policies, rule files, etc. The simplest thing I can think of is to change to permissive mode, but is there a better way?
Here is the raw data:
Source Context: unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context: system_u:object_r:var_log_t
Target Objects: /var/log/dhclient.log [ file ]
Source: dhclient
Source Path: /sbin/dhclient
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: dhclient-4.0.0-22.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-119.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: mislabeled_file
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.27.12-78.2.8.fc9.x86_64 #1 SMP Mon Jan 19 19:25:03 EST 2009 x86_64 x86_64
Alert Count: 1
First Seen: Fri 06 Feb 2009 10:15:51 AM EST
Last Seen: Fri 06 Feb 2009 10:15:51 AM EST
Local ID: f7b088b4-ffa8-4a8a-bd23-e075bf806d23
Line Numbers:
Raw Audit Messages:
node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)
Thanks,
Steve
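
An added example, not part of the original post: a small Python parser that correlates the AVC and SYSCALL records quoted above by their shared audit serial and reduces them to the facts needed to reason about the denial. It shows that the `write` check from `dhcpc_t` against `var_log_t` was recorded during syscall 59 on arch `c000003e`, which is `execve` on x86_64; the function names and the one-entry syscall table are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# The two records of audit event 23, copied from the post above.
EVENT = [
    'node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only the syscall number seen in the post; arch c000003e is x86_64.
X86_64_SYSCALLS = {59: 'execve'}


def parse_record(line):
    """Split one audit record into type, epoch, serial and key=value fields."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line[:40])
    body = line[m.end():]
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec.update(type=m.group(1), epoch=int(m.group(2)), serial=int(m.group(3)))
    perms = PERMS.search(body)
    if perms:
        rec['perms'] = perms.group(1).split()
    return rec


def summarize(lines):
    """Correlate the AVC denial with the SYSCALL record of the same event."""
    recs = [parse_record(l) for l in lines]
    avc = next(r for r in recs if r['type'] == 'AVC')
    sc = next((r for r in recs if r['type'] == 'SYSCALL'
               and r['serial'] == avc['serial']), None)
    syscall = None
    if sc and sc.get('arch') == 'c000003e':
        syscall = X86_64_SYSCALLS.get(int(sc['syscall']), sc['syscall'])
    return {
        'when_utc': datetime.fromtimestamp(avc['epoch'], timezone.utc).isoformat(),
        # An SELinux context is user:role:type[:level]; the type is field 3.
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'], 'perms': avc['perms'], 'path': avc['path'],
        'syscall': syscall,
    }


if __name__ == '__main__':
    for key, value in summarize(EVENT).items():
        print('%-12s %s' % (key, value))
```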