USERCTL=yes - ifup by non-privileged user AVCs.

Aleksey Nogin aleksey at nogin.org
Fri Mar 12 20:10:31 UTC 2004


I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and 
I run "ifup wvlan0" as a non-privileged user. Of course, this generates 
a long list of AVC messages. Should there be some special policy 
provisions for usernetctl?

security_compute_sid:  invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
audit(1079121920.219:0): avc:  denied  { read write } for  pid=1123 exe=/sbin/insmod path=/dev/pts/9 dev= ino=11 scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079121920.231:0): avc:  denied  { getattr } for  pid=1046 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.233:0): avc:  denied  { create } for  pid=1124 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.234:0): avc:  denied  { getattr } for  pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079121920.237:0): avc:  denied  { read } for  pid=1124 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.254:0): avc:  denied  { write } for  pid=1124 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.259:0): avc:  denied  { write } for  pid=1125 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.268:0): avc:  denied  { unlink } for  pid=1126 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.421:0): avc:  denied  { search } for  pid=1144 exe=/sbin/dhclient name=dhcp dev=hda2 ino=1815097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_state_t tclass=dir
audit(1079121920.422:0): avc:  denied  { read } for  pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.422:0): avc:  denied  { write } for  pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.442:0): avc:  denied  { getattr } for  pid=1144 exe=/sbin/dhclient path=/var/lib/dhcp/dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc:  denied  { create } for  pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc:  denied  { bind } for  pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc:  denied  { setopt } for  pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc:  denied  { name_bind } for  pid=1144 exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
audit(1079121921.929:0): avc:  denied  { write } for  pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121922.935:0): avc:  denied  { read } for  pid=1144 exe=/sbin/dhclient path=socket:[5287768] dev= ino=5287768 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121923.662:0): avc:  denied  { write } for  pid=1247 exe=/sbin/dhclient name=dhclient-wvlan0.pid dev=hda2 ino=179909 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
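The following is an added triage script, not part of the post above and not code from the Fedora policy or from audit2allow. It parses AVC records in the printk-style format shown in the post (audit(<ts>:<serial>): avc: denied { perms } for ... scontext= tcontext= tclass=), plus the security_compute_sid "invalid context" line, groups the denials by (source type, target type, object class) the way audit2allow would, and reports which executable was running in which domain. Applied to the records above it makes the point visible in the log: /sbin/dhclient, grep and bash are all denied as user_t, i.e. the helpers never left the caller's domain. The sample log is constructed from a subset of the post's records; the flag_risky() heuristic (do not blindly grant a user domain write access to config types or raw packet sockets) is this example's own, not policy guidance from any project.

```python
"""Triage of SELinux AVC denials in the old printk format (added example, not the post's code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the records from the post, one record per line.
SAMPLE_LOG = """\
security_compute_sid:  invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
audit(1079121920.219:0): avc:  denied  { read write } for  pid=1123 exe=/sbin/insmod path=/dev/pts/9 dev= ino=11 scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079121920.233:0): avc:  denied  { create } for  pid=1124 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.254:0): avc:  denied  { write } for  pid=1124 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.422:0): avc:  denied  { read } for  pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.422:0): avc:  denied  { write } for  pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc:  denied  { create } for  pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc:  denied  { name_bind } for  pid=1144 exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
"""

# audit(<ts>:<serial>): avc:  denied  { perm perm } for  key=value key=value ...
AVC_RE = re.compile(
    r"^audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs; the value may be empty (e.g. "dev=" for pseudo-filesystems).
KV_RE = re.compile(r"(\w+)=(\S*)")
# Kernel refused to build the context for a domain transition (here: user_t -> insmod_t).
COMPUTE_SID_RE = re.compile(r"^security_compute_sid:\s+invalid context (?P<ctx>\S+) for (?P<rest>.*)$")


def type_of(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "result": m["result"], "perms": m["perms"].split()}
    rec.update(dict(KV_RE.findall(m["rest"])))
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) -> permission set.

    Returns (rules, transition_failures, unparsed): rules as described, the
    security_compute_sid failures as (source type, target type, rejected context),
    and any lines that are neither (kept so nothing is silently dropped)."""
    rules, failures, unparsed = defaultdict(set), [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            if rec["result"] == "denied":
                key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
                rules[key].update(rec["perms"])
            continue
        m = COMPUTE_SID_RE.match(line)
        if m:
            kv = dict(KV_RE.findall(m["rest"]))
            failures.append((type_of(kv["scontext"]), type_of(kv["tcontext"]), m["ctx"]))
            continue
        unparsed.append(line)
    return rules, failures, unparsed


def domains_by_exe(log_text):
    """Map each denied executable to the set of domains it was running in."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "exe" in rec:
            out[rec["exe"]].add(type_of(rec["scontext"]))
    return dict(out)


def as_allow_rules(rules):
    """Render grouped denials as audit2allow-style allow rules, sorted, one per line."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]


WRITE_LIKE = {"write", "create", "unlink", "append", "rename", "setattr"}


def flag_risky(rules, user_domains=("user_t",)):
    """Heuristic of this example (not project policy): rules that would let an
    unprivileged user domain modify system config types or use raw packet sockets
    should not be copied into policy as-is; they indicate a missing domain transition."""
    risky = []
    for (s, t, c), perms in rules.items():
        if s in user_domains and ((t in ("etc_t", "dhcp_etc_t") and perms & WRITE_LIKE) or c == "packet_socket"):
            risky.append((s, t, c))
    return sorted(risky)


if __name__ == "__main__":
    rules, failures, unparsed = summarize(SAMPLE_LOG)
    print("\n".join(as_allow_rules(rules)))
    print("transition failures:", failures)
    print("domains by exe:", domains_by_exe(SAMPLE_LOG))
    print("do not grant blindly:", flag_risky(rules))
    print("unparsed:", unparsed)
```

Running it on the sample prints five allow rules, lists the rejected user_t to insmod_t transition, and shows /sbin/dhclient, /bin/bash and /bin/grep all as user_t, which is why the script's writes to /etc and dhclient's packet-socket and lease-file access are denied.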




More information about the fedora-selinux-list mailing list