List of selinux issues
Warren Togami
warren at togami.com
Tue Apr 6 22:51:45 UTC 2004
Daniel J Walsh wrote:
>> 1) Infinite Loop of these messages when using "/sbin/ifup eth0" as
>> non-root user. This is allowed when enforcement is disabled. CTRL-C
>> is able to stop the looping.
>>
>> Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc:
>> denied { setuid } for pid=2463 exe=/bin/bash capability=7
>> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
>> tclass=capability
>> Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc:
>> denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7
>> scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t
>> tclass=capability
>>
>>
> I am not sure how you set this up to work. I execute /sbin/ifup eth0
> and I get
> Users cannot control this device.
>
/etc/sysconfig/network-scripts/ifcfg-eth0 must contain
USERCTL=yes
>> 2) "su -" from my non-root user caused this error. I was however
>> allowed to work as root.
>>
>> Apr 5 21:07:42 ibmlaptop su(pam_unix)[12399]: session opened for user
>> root by warren(uid=500)
>> Apr 5 21:07:42 ibmlaptop su[12399]: pam_xauth: error creating
>> temporary file `/root/.xauthsDAz4e': Permission denied
>> Apr 5 21:07:42 ibmlaptop kernel: audit(1081235262.772:0): avc:
>> denied { write } for pid=12399 exe=/bin/su name=root dev=hda2
>> ino=1291809 scontext=user_u:user_r:user_su_t
>> tcontext=root:object_r:staff_home_dir_t tclass=dir
>>
>>
> This should be fixed in latest policy 1.9.2-12
policy-1.9.2-12
I relabeled after upgrading to this version immediately before the above
denied errors happened.
>
>> 3) Then as root, I used "ifup eth0" which succeeded, but with the
>> following in /var/log/messages.
>>
>> Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
>> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
>> ino=1389922 scontext=root:system_r:dhcpc_t
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Apr 5 21:07:45 ibmlaptop kernel: audit(1081235265.089:0): avc:
>> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
>> ino=1389922 scontext=root:system_r:dhcpc_t
>> tcontext=system_u:object_r:home_root_t tclass=dir
>> Apr 5 21:07:45 ibmlaptop dhclient: can't create
>> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
>> Apr 5 21:07:46 ibmlaptop dhclient: sit0: unknown hardware address
>> type 776
>> Apr 5 21:07:48 ibmlaptop dhclient: DHCPDISCOVER on eth0 to
>> 255.255.255.255 port 67 interval 4
>> Apr 5 21:07:48 ibmlaptop dhclient: DHCPOFFER from 172.31.16.1
>> Apr 5 21:07:48 ibmlaptop dhclient: DHCPREQUEST on eth0 to
>> 255.255.255.255 port 67
>> Apr 5 21:07:48 ibmlaptop dhclient: DHCPACK from 172.31.16.1
>> Apr 5 21:07:48 ibmlaptop dhclient: can't create
>> /var/lib/dhcp/dhclient-eth0.leases: Permission denied
>> Apr 5 21:07:48 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal
>> in 356918 seconds.
>> Apr 5 21:07:48 ibmlaptop kernel: audit(1081235268.039:0): avc:
>> denied { search } for pid=12493 exe=/sbin/dhclient name=lib dev=hda2
>> ino=1389922 scontext=root:system_r:dhcpc_t
>> tcontext=system_u:object_r:home_root_t tclass=dir
>>
> Added policy to allow this, but not sure what it is trying to do. Could
> you try it in non-enforcing mode and grab the avc messages.
>
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.752:0): avc: denied
{ search } for pid=14826 exe=/sbin/dhclient name=lib dev=hda2
ino=1389922 scontext=root:system_r:dhcpc_t
tcontext=system_u:object_r:home_root_t tclass=dir
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc: denied
{ getattr } for pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8
scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t
tclass=chr_file
Apr 6 12:49:10 ibmlaptop dhclient: DHCPREQUEST on eth0 to
255.255.255.255 port 67
Apr 6 12:49:10 ibmlaptop dhclient: DHCPACK from 172.31.16.1
Apr 6 12:49:10 ibmlaptop dhclient: bound to 172.31.16.101 -- renewal in
379377 seconds.
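For anyone collecting AVC messages the way Dan asks above, here is a small parser for them. This is an added example, not code from this thread or from any Fedora/SELinux tool (it mimics what audit2allow does for this one message format, but it is a separate, simplified implementation). The sample log is constructed from the denials quoted in the thread, with the wrapped syslog lines re-joined onto single lines; the function and field names are my own.

```python
import re

# Constructed sample: the AVC denials quoted in this thread, each re-joined
# onto one line, plus one non-AVC dhclient line to show it is skipped.
SAMPLE_LOG = """\
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.752:0): avc: denied { search } for pid=14826 exe=/sbin/dhclient name=lib dev=hda2 ino=1389922 scontext=root:system_r:dhcpc_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 6 12:49:06 ibmlaptop kernel: audit(1081291746.919:0): avc: denied { getattr } for pid=14837 exe=/bin/gawk path=/dev/pts/6 dev= ino=8 scontext=root:system_r:dhcpc_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.571:0): avc: denied { setuid } for pid=2463 exe=/bin/bash capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 5 21:07:28 ibmlaptop kernel: audit(1081235248.589:0): avc: denied { setuid } for pid=2463 exe=/usr/sbin/usernetctl capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
Apr 6 12:49:10 ibmlaptop dhclient: DHCPACK from 172.31.16.1
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; the value may be empty (the thread shows "dev= ino=8")
KV_RE = re.compile(r"(\w+)=(\S*)")


def split_context(ctx):
    """Split a 'user:role:type' security context into its parts."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return {
        "user": parts[0],
        "role": parts[1] if len(parts) > 1 else "",
        "type": parts[2] if len(parts) > 2 else "",
    }


def parse_avc(line):
    """Return a dict describing an AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields.get("scontext")),
        "target": split_context(fields.get("tcontext")),
        "fields": fields,
    }


def summarize(lines):
    """Collapse repeated denials into (source type, target type, class) buckets,
    recording the union of permissions, the hit count and the executables seen."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "exes": set()})
        entry["perms"].update(rec["perms"])
        entry["count"] += 1
        entry["exes"].add(rec["exe"])
    return summary


def candidate_rules(summary):
    """Render each bucket as a TE allow rule for human review (audit2allow-style).
    A denial where source and target type coincide is written against 'self'."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        perms = " ".join(sorted(entry["perms"]))
        if len(entry["perms"]) > 1:
            perms = "{ %s }" % perms
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perms))
    return rules


if __name__ == "__main__":
    buckets = summarize(SAMPLE_LOG.splitlines())
    for key, entry in sorted(buckets.items()):
        print("%-45s hits=%d exes=%s" % (key, entry["count"], sorted(entry["exes"])))
    for rule in candidate_rules(buckets):
        print(rule)
```

The rules this prints are a starting point for the question Dan raises, not an answer to it: the summary makes it obvious that dhclient in dhcpc_t is searching a home_root_t directory (the ifup/dhclient scripts, not the policy, are the place to look for why), and that the same setuid denial comes from two different executables under one pid. Reviewing each bucket against what the program should be doing is the step that turns a denial list into a policy change.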