AVCs on bringing up a network device via hotplug.

Aleksey Nogin aleksey at nogin.org
Thu Mar 11 16:33:37 UTC 2004


On 11.03.2004 08:20, Bill Nottingham wrote:

> Perhaps we need a network-init role, used by /etc/init.d/network,
> that hotplug (and others) can transition to?

Yes, this seems like a good idea. "and others" should probably include 
at least APM/ACPI (for suspend/resume scripts).

But also note that part of the AVCs comes from the following fragment of 
/sbin/ifup:

...
# Remove any temporary references which were previously added to dhclient config
if [ -w /etc/dhclient-${DEVICE}.conf ] && [ -x /sbin/dhclient ] ; then
    LC_ALL=C grep -v "# temporary RHL ifup addition" /etc/dhclient-${DEVICE}.conf > /etc/dhclient-${DEVICE}.conf.ifupnew 2> /dev/null
    cat /etc/dhclient-${DEVICE}.conf.ifupnew > /etc/dhclient-${DEVICE}.conf
    rm -f /etc/dhclient-${DEVICE}.conf.ifupnew
fi

if [ -n "${DYNCONFIG}" ]; then
     PUMPARGS=$PUMPARGS
     DHCPCDARGS="$DHCPCDARGS -n"
     DHCLIENTARGS="${DHCLIENTARGS} -1 -q -lf /var/lib/dhcp/dhclient-${DEVICE}.leases -pf /var/run/dhclient-${DEVICE}.pid -cf /etc/dhclient-${DEVICE}.conf"
     if [ -n "${DHCP_HOSTNAME}" ]; then
        # Send a host-name to the DHCP server (requ. by some dhcp servers).
        PUMPARGS="${PUMPARGS} -h ${DHCP_HOSTNAME}"
        DHCPCDARGS="${DHCPCDARGS} -h ${DHCP_HOSTNAME}"
        if [ -x /sbin/dhclient ] ; then
           if [ -w /etc/dhclient-${DEVICE}.conf ] ; then
              if ! LC_ALL=C grep "send *host-name *\"${DHCP_HOSTNAME}\"" /etc/dhclient-${DEVICE}.conf > /dev/null 2>&1 ; then
                 echo "send host-name \"${DHCP_HOSTNAME}\";  # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
              fi
           elif ! [ -e /etc/dhclient-${DEVICE}.conf ] ; then
              echo "send host-name \"${DHCP_HOSTNAME}\";  # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
           fi
        fi
     fi
...

It seems that the least it could do is to check whether a "temporary RHL 
ifup addition" line is in fact present in the config _before_ trying to 
mess with it. And in general, allowing the ifup script to mess with the 
DHCP config does not seem like such a good idea.

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
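
The check suggested in the message above (look for a "temporary RHL ifup addition" line before rewriting the file), as an added example that is not part of the original post or of the initscripts package. The function name `strip_temp_additions`, its return codes and the sample files built in a scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the initscripts code: only rewrite the dhclient config
# when a marker line is actually present, so the common case is read-only.
MARKER="# temporary RHL ifup addition"

# strip_temp_additions CONF   (hypothetical helper)
# Returns 0 if CONF was rewritten, 1 if it held no marker line (nothing was
# opened for writing), 2 if CONF is missing/unreadable or filtering failed.
strip_temp_additions() {
    conf=$1
    [ -r "$conf" ] || return 2
    # Read-only test first: without a marker line there is nothing to remove.
    LC_ALL=C grep -qF -- "$MARKER" "$conf" || return 1
    tmp="$conf.ifupnew"
    # grep -v exits 1 when every line was filtered out; that is not an error.
    LC_ALL=C grep -vF -- "$MARKER" "$conf" > "$tmp" 2>/dev/null ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 2; }
    # Writing into the existing file keeps its inode, owner and label.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample run in a scratch directory; no real /etc files are touched.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'timeout 30;' > "$d/clean.conf"
    printf '%s\n' 'timeout 30;' "send host-name \"host1\";  $MARKER" > "$d/dirty.conf"
    rc=0; strip_temp_additions "$d/clean.conf" || rc=$?
    echo "clean.conf: rc=$rc"
    rc=0; strip_temp_additions "$d/dirty.conf" || rc=$?
    echo "dirty.conf: rc=$rc, remaining lines:"
    cat "$d/dirty.conf"
    rm -rf "$d"
}
demo
```

With this guard, a config that carries no temporary line is only read, so the write and create accesses under /etc happen only when there is something to remove.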



