List of selinux issues

Warren Togami warren at togami.com
Tue Apr 6 22:51:45 UTC 2004


Daniel J Walsh wrote:
>> 1) Infinite Loop of these messages when using "/sbin/ifup eth0" as 
>> non-root user.  This is allowed when enforcement is disabled.  CTRL-C 
>> is able to stop the looping.
>>
>> Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:  
>> denied  { setuid } for  pid=2463 exe=/bin/bash capability=7 
>> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
>> tclass=capability
>> Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:  
>> denied  { setuid } for  pid=2463 exe=/usr/sbin/usernetctl capability=7 
>> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
>> tclass=capability
>>
>>
> I am not sure how you set this up to work.  I execute /sbin/ifup eth0 
> and I get
> Users cannot control this device.
> 

/etc/sysconfig/network-scripts/ifcfg-eth0 must contain

USERCTL=yes


>> 2) "su -" from my non-root user caused this error.  I was however 
>> allowed to work as root.
>>
>> Apr  5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user 
>> root by warren(uid=500)
>> Apr  5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating 
>> temporary file `/root/.xauthsDAz4e': Permission denied
>> Apr  5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:  
>> denied  { write } for  pid=12399 exe=/bin/su name=root dev=hda2 
>> ino=1291809 scontext=user_u:user_r:user_su_t 
>> tcontext=root:object_r:staff_home_dir_t tclass=dir
>>
>>
> This should be fixed in latest policy 1.9.2-12

policy-1.9.2-12

I relabeled after upgrading to this version immediately before the above 
denied errors happened.

> 
>> 3) Then as root, I used "ifup eth0" which succeeded, but with the 
>> following in /var/log/messages.
>>
>> Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  
>> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
>> ino=1389922 scontext=root:system_r:dhcpc_t 
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  
>> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
>> ino=1389922 scontext=root:system_r:dhcpc_t 
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Apr  5 21:07:45 ibmlaptop dhclient: can't create 
>> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
>> Apr  5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address 
>> type 776
>> Apr  5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to 
>> 255.255.255.255 port 67 interval 4
>> Apr  5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
>> Apr  5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to 
>> 255.255.255.255 port 67
>> Apr  5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
>> Apr  5 21:07:48 ibmlaptop dhclient: can't create 
>> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
>> Apr  5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal 
>> in 356918 seconds.
>> Apr  5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:  
>> denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 
>> ino=1389922 scontext=root:system_r:dhcpc_t 
>> tcontext=system_u:object_r:home_root_t tclass=dir
>>
> Added policy to allow this, but not sure what it is trying to do.  Could 
> you try it in non-enforcing mode and grab the avc messages.
> 

Apr  6 12:49:06 ibmlaptop kernel: audit(1081291746.752:0): avc:  denied  { search } for  pid=14826 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc:  denied  { getattr } for  pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8 scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Apr  6 12:49:10 ibmlaptop dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Apr  6 12:49:10 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr  6 12:49:10 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in 379377 seconds.
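Added example, not code from this thread or from the Fedora policy tools: a small Python parser for the AVC records quoted above. It pulls the source type, target type, object class and permission out of each "avc: denied" line, counts them, and renders each group as the allow rule that would permit it, which is the information a policy maintainer needs in order to decide whether a denial is a policy gap (the su/pam_xauth write to staff_home_dir_t) or a program doing something it should not (dhclient in dhcpc_t searching a directory under home_root_t, which the thread itself cannot explain). The sample log is constructed from the thread's own lines, joined back onto single lines, with the pam_xauth message included to show that non-AVC lines are skipped. The regex keys on the audit(secs.msecs:serial): avc: token, so it also matches the later type=AVC msg=audit(...) prefix used in /var/log/audit/audit.log. Collecting denials in permissive mode, as asked for above, matters because in enforcing mode the first denial aborts the operation and the later denials never appear.

```python
import re
from collections import Counter, defaultdict

# Sample input, constructed for this example: AVC records copied from the
# thread above with the syslog line wrapping undone, plus one non-AVC line
# (the pam_xauth error) to show that the parser ignores it.
SAMPLE_LOG = """\
Apr  5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:  denied  { setuid } for  pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr  5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating temporary file `/root/.xauthsDAz4e': Permission denied
Apr  5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:  denied  { write } for  pid=12399 exe=/bin/su name=root dev=hda2 ino=1291809 scontext=user_u:user_r:user_su_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:  denied  { search } for  pid=12493 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc:  denied  { getattr } for  pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8 scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

# One AVC record: audit(<secs>.<msecs>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    # Remaining key=value pairs (pid, exe, name, dev, ino, scontext, tcontext,
    # tclass, capability, path); an empty value such as "dev=" is kept as "".
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def type_of(context):
    """The third field of user:role:type is the type that policy rules are written in."""
    return context.split(":")[2]


def summarize(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key_base = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        for perm in rec["perms"]:
            counts[key_base + (perm,)] += 1
    return counts


def suggest_rules(counts):
    """Render each (source, target, class) group as the allow rule that would
    permit it. These are candidates for a policy author to judge, not rules to
    paste into policy unread: a daemon domain asking for access it has no
    obvious need for (dhcpc_t searching under home_root_t here) should be
    understood before it is granted."""
    by_triple = defaultdict(set)
    for stype, ttype, tclass, perm in counts:
        by_triple[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(by_triple.items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}x  {key[0]} -> {key[1]} {key[2]} {key[3]}")
    print()
    print("\n".join(suggest_rules(counts)))
```

Running it on the constructed sample gives four groups, with the dhclient search denial counted twice because the thread shows it logged twice with the same pid and inode; the duplicate count is itself useful, since a daemon that retries the same denied access in a loop shows up as a high count rather than as a one-off.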



