AVC Denied Dhcp and Iptables.

Daniel J Walsh dwalsh at redhat.com
Mon Jul 16 13:27:00 UTC 2007


Wart wrote:
> Daniel J Walsh wrote:
>> piotreek wrote:
>>> Hi guys, I found some strange messages in my logs. It seems that 
>>> selinux is blocking dhcp and iptables.
>>> I found a similar post on the group about DHCP but my messages are 
>>> different. I am using FC7; the latest policy update didn't resolve the 
>>> problem.
>>> P.S. I am using Firestarter as my firewall.
>> I believe you will need to write custom policy to make this work.  
>> You can simply add these rules using audit2allow.
>>
>> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
>>
>> # semodule -i mydhcpc.pp
>>
>> Having dhcpc allowed to turn on/off firewall rules is of debatable 
>> security risk.
>
> I'm noticing similar behavior with dhcp and ntp.  It seems that for 
> some reason the dhcp client is trying to play with ntp (probably 
> because I define the ntp server in the dhcp server config) and failing:
>
> type=AVC msg=audit(1184457984.239:75): avc:  denied  { remove_name } 
> for  pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1184457984.239:75): avc:  denied  { unlink } for 
> pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1184457984.253:76): avc:  denied  { add_name } for 
> pid=6377 comm="touch" name="ntpd" 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
> type=AVC msg=audit(1184457984.253:76): avc:  denied  { create } for 
> pid=6377 comm="touch" name="ntpd" 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1184457984.254:77): avc:  denied  { write } for 
> pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 
> scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:var_lock_t:s0 tclass=file
>
> I can easily write a custom policy to allow this, but it feels like a 
> common enough configuration (ntp server configured by dhcp) that there 
> should be a global policy (or boolean?) to allow this to work.
>
> --Mike
>
Did it work in enforcing mode?  Currently the policy says to dontaudit 
search of the locks directory, which should have prevented these AVC 
messages in enforcing mode.  If it works in enforcing mode, these
AVCs can be ignored.
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
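An added illustration (not part of the thread, and not audit2allow's own code) of what the `grep ... | audit2allow -M mydhcpc` step above actually does with Mike's records, and of the review Dan's caveat calls for before `semodule -i`: it parses AVC denial lines, merges them into allow rules keyed by (source type, target type, class) the way audit2allow does, renders a .te-style module, and then lists the write-type grants a human should decide on rather than load blindly. The sample log is constructed from the five AVC records quoted above, rejoined to one record per line, plus one made-up non-AVC record to show it is skipped; the function names, the `mydhcpc` module name and the `WRITE_LIKE` permission set are this example's own choices.

```python
"""Turn SELinux AVC denial records into audit2allow-style allow rules,
then flag the write-type grants a reviewer should look at before loading.

Added illustration, not audit2allow's own code.
"""
import re
from collections import defaultdict

# Constructed sample log: the AVC records from the thread, one per line,
# plus a constructed USER_AVC record that is not a denial and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184457984.239:75): avc:  denied  { remove_name } for  pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc:  denied  { unlink } for  pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc:  denied  { add_name } for  pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc:  denied  { create } for  pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc:  denied  { write } for  pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=USER_AVC msg=audit(1184457990.000:78): pid=1 uid=0 auid=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)'
"""

# One AVC denial record: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\b.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type[:level] -> the type field (third component)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None if not a denial."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return (type_of(m.group('scontext')), type_of(m.group('tcontext')),
            m.group('tclass'), set(m.group('perms').split()))


def aggregate(log_text):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_te(rules, module='mydhcpc'):
    """Render a .te module: header, require block (types and classes), allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        by_class[tclass] |= perms
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(by_class.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out)


# Permissions that let the source domain change the target rather than just read it
# (this example's own list; extend it for your policy review).
WRITE_LIKE = {'write', 'append', 'create', 'unlink', 'rename', 'setattr',
              'add_name', 'remove_name', 'relabelfrom', 'relabelto'}


def review(rules):
    """List every generated rule that grants write-type access: these need a human decision."""
    return [(s, t, c, sorted(p & WRITE_LIKE))
            for (s, t, c), p in sorted(rules.items()) if p & WRITE_LIKE]


if __name__ == '__main__':
    generated = aggregate(SAMPLE_AUDIT_LOG)
    print(render_te(generated))
    for s, t, c, perms in review(generated):
        print(f'# review before semodule -i: {s} -> {t}:{c} {perms}')
```

Two things this makes visible that the one-liner hides: the generated module grants dhcpc_t exactly the union of what was denied (here, create/unlink/write on lock files and add_name/remove_name in the lock directory), so it is worth reading before loading; and, per Dan's reply, denials collected in permissive mode can include accesses that a dontaudit rule silences in enforcing mode, so confirm the failure in enforcing mode before feeding the records in at all.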



