temp files & debugging

Steve zephod at cfl.rr.com
Mon Feb 9 14:22:22 UTC 2009


I am attempting to figure out why my dhclient process sometimes gets the correct hostname from the server and sometimes it doesn't. I want to do this by turning on logging and sending the output to a temp file. I am running F9 and so I changed the line in /etc/sysconfig/network-scripts/ifup-eth from:

if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE}; then

to:

if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} > /var/log/dhclient.log 2>&1; then

after changing the DHCLIENTARGS switch -q to -v. When this runs at boot time I get an empty /var/log/dhclient.log file. When I try to run dhclient manually I get a SELinux denial:

SELinux is preventing dhclient (dhcpc_t) "write" to /var/log/dhclient.log (var_log_t).

OK, that makes sense, so what do I have to modify to allow the log file to be written? This is just temporary, so I'm hoping that I don't have to modify policies, rule files, etc. The simplest thing I can think of is to change to permissive mode, but is there a better way?

Here is the raw data:

Source Context:  unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:var_log_t
Target Objects:  /var/log/dhclient.log [ file ]
Source:  dhclient
Source Path:  /sbin/dhclient
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  dhclient-4.0.0-22.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-119.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  mislabeled_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.27.12-78.2.8.fc9.x86_64 #1 SMP Mon Jan 19 19:25:03 EST 2009 x86_64 x86_64
Alert Count:  1
First Seen:  Fri 06 Feb 2009 10:15:51 AM EST
Last Seen:  Fri 06 Feb 2009 10:15:51 AM EST
Local ID:  f7b088b4-ffa8-4a8a-bd23-e075bf806d23
Line Numbers:  

Raw Audit Messages:

node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) 

Thanks, 
Steve
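
An added example, not part of the original post: a small Python parser for AVC records like the one quoted above. It reduces each denial to source type, target type, object class and permissions, counts a record repeated under the same audit serial only once, and keeps the MLS level intact when splitting a context. The function names are hypothetical, and the SYSCALL line in the sample is shortened from the post.

```python
import re

# AVC line copied from the post (twice, same serial, to exercise de-duplication);
# the SYSCALL line is shortened from the post.
SAMPLE = '''\
node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 comm="dhclient" exe="/sbin/dhclient"
'''

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else ""}

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"id": m.group("id"), "perms": m.group("perms").split(),
            "source": split_context(f["scontext"]),
            "target": split_context(f["tcontext"]),
            "tclass": f["tclass"], "path": f.get("path"), "comm": f.get("comm")}

def summarize(log):
    """Group denials by (source type, target type, class), one count per serial."""
    seen, groups = set(), {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        ident = (rec["id"], key, tuple(rec["perms"]))
        if ident in seen:  # same record logged twice
            continue
        seen.add(ident)
        g = groups.setdefault(key, {"perms": set(), "count": 0, "paths": set()})
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["paths"].add(rec["path"])
    return groups

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} x{g['count']} {sorted(g['paths'])}")
```
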




More information about the fedora-selinux-list mailing list