
Re: List of selinux issues



Daniel J Walsh wrote:
1) Infinite Loop of these messages when using "/sbin/ifup eth0" as non-root user. This is allowed when enforcement is disabled. CTRL-C is able to stop the looping.

Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability



I am not sure how you set this up to work. I execute /sbin/ifup eth0 and I get
Users cannot control this device.



/etc/sysconfig/network-scripts/ifcfg-eth0 must contain


USERCTL=yes


2) "su -" from my non-root user caused this error. I was however allowed to work as root.

Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user root by warren(uid=500)
Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary file `/root/.xauthsDAz4e': Permission denied
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc: denied { write } for pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir



This should be fixed in latest policy 1.9.2-12

policy-1.9.2-12


I relabeled after upgrading to this version immediately before the above denied errors happened.


3) Then as root, I used "ifup eth0" which succeeded, but with the following in /var/log/messages.

Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:45 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4
Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 5 21:07:48 ibmlaptop dhclient: can't create /var/lib/dhcp/dhclient-eth0.leases: Permission denied
Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 356918 seconds.
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir


Added policy to allow this, but not sure what it is trying to do. Could you try it in non-enforcing mode and grab the avc messages.


Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.752:0): avc: denied { search } for pid=14826 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc: denied { getattr } for pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8 scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Apr 6 12:49:10 ibmlaptop dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr 6 12:49:10 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 6 12:49:10 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 379377 seconds.
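The step Dan asks for above (run in non-enforcing mode, collect the avc messages, then decide what policy to add) is easier when the denials are grouped by source type, target type, object class and permission instead of read one syslog line at a time. The following is an added example written for this thread, not code posted by either participant or shipped with the policy package. It parses the 2004-era kernel `audit(...): avc: denied { perm } for key=value ...` syslog format quoted in the thread, counts distinct denials, and renders each group as a candidate `allow` rule in the shape `audit2allow` would produce (using `self` when source and target type coincide, as with the `capability` class). The sample log is constructed from lines quoted in the thread; the assumption that the type is the third colon-separated field of a context holds for the contexts shown here. The rendered rules are candidates to review, not policy to apply blindly: as Dan's reply notes, you first need to understand why dhclient is searching under home_root_t before choosing between an allow rule, a dontaudit rule, or a fix to the program.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: AVC denial lines in the syslog format quoted in the
# thread, plus one non-AVC dhclient line to show unrelated messages are skipped.
SAMPLE_LOG = """\
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc: denied { write } for pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc: denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc: denied { getattr } for pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8 scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address type 776
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value may be empty (the gawk line above has "dev= ino=8")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context (assumed layout)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_avc(log_text):
    """Count denials keyed by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        src = context_type(rec.get("scontext", "?"))
        tgt = context_type(rec.get("tcontext", "?"))
        for perm in rec["perms"]:
            counts[(src, tgt, rec.get("tclass", "?"), perm)] += 1
    return counts


def allow_rules(counts):
    """Render the summary as candidate allow rules (one per source/target/class) for review."""
    perms_by_key = defaultdict(set)
    for (src, tgt, tclass, perm) in counts:
        perms_by_key[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        # A process acting on its own context (e.g. capability checks) is written as "self".
        target = "self" if src == tgt else tgt
        rules.append("allow %s %s:%s { %s };" % (src, target, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    summary = summarize_avc(SAMPLE_LOG)
    for (src, tgt, tclass, perm), n in sorted(summary.items()):
        print("%4d  %s -> %s : %s %s" % (n, src, tgt, tclass, perm))
    print()
    for rule in allow_rules(summary):
        print(rule)
```

Run it against a saved copy of /var/log/messages instead of SAMPLE_LOG to get the same grouped view of a real permissive-mode session; the repeated dhclient `search` denial collapses to a single line with its count, which is what you want when a loop like the one in item 1 fills the log.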


