a few more problems with the latest policy

Farkas Levente lfarkas at bppiac.hu
Fri Jul 15 15:25:32 UTC 2005


Daniel J Walsh wrote:
> Farkas Levente wrote:
> 
>> hi,
>> a few problems with the latest policy file.
>> allow dhcpc_t etc_t:file { unlink write };
> 
> 
> restorecon /etc/resolv.conf*

There are a few more strange things. First of all there is no restorecon, 
so I installed policycoreutils (but it can be another bug, since how is it 
possible that policycoreutils is not among the required packages?). 
Anyway this does not change anything, so probably this won't solve the problem:
-----------------------------------------
[root at eagle ~]# ls -aZ /etc/resolv.conf*
-rw-rw-r--  root     root 
/etc/resolv.conf
-rw-rw-r--  root     root     user_u:object_r:file_t 
/etc/resolv.conf.bak
-rw-rw-r--  root     root     user_u:object_r:file_t 
/etc/resolv.conf.predhclient
[root at eagle ~]# restorecon /etc/resolv.conf*
[root at eagle ~]# ls -aZ /etc/resolv.conf*
-rw-rw-r--  root     root 
/etc/resolv.conf
-rw-rw-r--  root     root     user_u:object_r:file_t 
/etc/resolv.conf.bak
-rw-rw-r--  root     root     user_u:object_r:file_t 
/etc/resolv.conf.predhclient
-----------------------------------------

>> allow ifconfig_t initrc_t:udp_socket { read write };
> 
> 
> No idea what is causing this.

When I got it I issued an ifdown eth0; ifup eth0, and from the log file it 
seems there is an awk somewhere in ifdown or ifup...

>> ------------------------------------------
>> and here is the relevant part of the log file
>> ------------------------------------------
>> audit(1121423510.841:2): avc:  denied  { read write } for  pid=2215 
>> comm="ip" name="[6542]" dev=sockfs ino=6542 
>> scontext=system_u:system_r:ifconfig_t 
>> tcontext=system_u:system_r:initrc_t tclass=udp_socket
>> audit(1121423510.846:3): avc:  denied  { read write } for  pid=2218 
>> comm="ip" name="[6542]" dev=sockfs ino=6542 
>> scontext=system_u:system_r:ifconfig_t 
>> tcontext=system_u:system_r:initrc_t tclass=udp_socket
>> audit(1121423655.473:4): avc:  denied  { write } for  pid=2888 
>> comm="cp" name="resolv.conf.predhclient" dev=hda2 ino=3997781 
>> scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
>> audit(1121423655.473:5): avc:  denied  { unlink } for  pid=2888 
>> comm="cp" name="resolv.conf.predhclient" dev=hda2 ino=3997781 
>> scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
>> audit(1121423736.907:6): avc:  denied  { ioctl } for  pid=2982 
>> comm="awk" name="state" dev=proc ino=-268434831 
>> scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:proc_t 
>> tclass=file
>> ------------------------------------------
>> yours.
>>
> 
> 


-- 
   Levente                               "Si vis pacem para bellum!"
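As an added example (not code from the list thread), a small Python parser for the AVC records quoted above: it merges denials by source type, target type and object class and renders the same `allow` rules the thread starts from, which is what audit2allow does with such records. It assumes pre-MLS `user:role:type` contexts as in the quoted log; the rules it prints are the broadest possible fix, and Dan's reply shows that for the resolv.conf denials the cause is a file label, where restorecon rather than a new allow rule is the right response.

```python
import re
from collections import defaultdict
# Constructed sample: the five AVC records quoted in the message above, one per line.
AVC_LOG = """\
audit(1121423510.841:2): avc:  denied  { read write } for  pid=2215 comm="ip" name="[6542]" dev=sockfs ino=6542 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
audit(1121423510.846:3): avc:  denied  { read write } for  pid=2218 comm="ip" name="[6542]" dev=sockfs ino=6542 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=udp_socket
audit(1121423655.473:4): avc:  denied  { write } for  pid=2888 comm="cp" name="resolv.conf.predhclient" dev=hda2 ino=3997781 scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
audit(1121423655.473:5): avc:  denied  { unlink } for  pid=2888 comm="cp" name="resolv.conf.predhclient" dev=hda2 ino=3997781 scontext=root:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
audit(1121423736.907:6): avc:  denied  { ioctl } for  pid=2982 comm="awk" name="state" dev=proc ino=-268434831 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:proc_t tclass=file
"""

# Assumption: pre-MLS contexts are user:role:type, so the type is the third field.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(log):
    """Parse 'avc: denied' lines into dicts with perms, comm, source/target type and class."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:  # not an AVC denial record: skip it
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "comm": m.group("comm"),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return records

def merge_by_rule(records):
    """Group denials by (source type, target type, class); merge perms and note the programs."""
    merged = defaultdict(lambda: {"perms": set(), "comms": set()})
    for r in records:
        g = merged[(r["stype"], r["ttype"], r["tclass"])]
        g["perms"] |= r["perms"]
        g["comms"].add(r["comm"])
    return merged

def allow_rules(merged):
    """Render each group as the 'allow' rule audit2allow would propose for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(merge_by_rule(parse_avc(AVC_LOG)))))
```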