dhclient denial F-11

Paul Howarth paul at city-fan.org
Fri Jul 10 13:03:54 UTC 2009


On 10/07/09 13:50, Daniel J Walsh wrote:
> On 07/10/2009 03:58 AM, Paul Howarth wrote:
>> I get one of these every time my DHCP lease is renewed:
>>
>> type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
>> pid=31499 comm="mv" name="yp.conf.predhclient.br0"
>> scontext=unconfined_u:system_r:dhcpc_t:s0
>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>> type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
>> success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
>> items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
>> subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
>>
>> It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
>>
>> Paul..
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> That is a new one, looks like you started dhclient by hand, and it is
> running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool
> it is trying to create a file labeled system_u:object_r:net_conf_t:s0
>
> unconfined_u creating a file with a user type of system_u is a
> constraint violation.
>
> The mv command tries to maintain the context of the
> yp.conf.predhclient.br0 file, which must have been created by dhclient
> when it was run as a service, so you get this denial.
>
> So I guess we need to allow dhcpc_t the ability to change the user
> component of a file.
>
> Who said SELinux is not simple... :^(

I seem to have a lot of processes like this:

# ps uaxZ|grep  unconfined_u:system_r:
unconfined_u:system_r:auditd_t:s0 root     701  0.0  0.0  27464   428 ? 
        S<sl Jun24   0:00 auditd
unconfined_u:system_r:audisp_t:s0 root     703  0.0  0.0  81920   420 ? 
        S<sl Jun24   0:00 /sbin/audispd
unconfined_u:system_r:audisp_t:s0 root     704  0.0  0.0  97764   648 ? 
        S<   Jun24   0:00 /usr/sbin/sedispatch
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5678 0.0  0.0 
89008 788 pts/0 S+ 14:00   0:00 grep unconfined_u:system_r:
unconfined_u:system_r:ntpd_t:s0 ntp       5700  0.0  0.0  58984   696 ? 
        Ss   Jun23   0:04 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
unconfined_u:system_r:dhcpc_t:s0 root     5702  0.0  0.0   6856   356 ? 
        Ss   Jun23   0:00 /sbin/dhclient -1 -q -lf 
/var/lib/dhclient/dhclient-br0.leases -pf /var/run/dhclient-br0.pid br0
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 5835 0.3  0.1 466888 
2844 ?  Sl   Jun23  74:12 libvirtd --daemon
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 nobody 5895 0.0  0.0 
12584 300 ? S   Jun23   0:00 /usr/sbin/dnsmasq --strict-order 
--bind-interfaces --pid-file=/var/run/libvirt/network/default.pid 
--conf-file=  --listen-address 192.168.122.1 --except-interface lo 
--dhcp-range 192.168.122.2,192.168.122.254
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 root 9606 0.0  0.0 63236 312 
?     Ss   Jun23   0:00 /usr/sbin/sshd
unconfined_u:system_r:avahi_t:s0 avahi    9690  0.0  0.0  60036   912 ? 
        Ss   Jul01   0:00 avahi-daemon: registering [roary.local]
unconfined_u:system_r:avahi_t:s0 avahi    9691  0.0  0.0  59868   156 ? 
        Ss   Jul01   0:00 avahi-daemon: chroot helper
unconfined_u:system_r:rpcbind_t:s0 rpc   17479  0.0  0.0  18788   308 ? 
        Ss   Jun29   0:00 rpcbind -w
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 17538 0.0  0.0 100292 
464 ?  Ss   Jun29   0:02 crond

Why are some processes starting in system_u and some in unconfined_u? 
I'm always mindful to do "service xyz restart" rather than starting 
things manually. It's not just one machine either.

Paul.
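The two things being looked for in this thread (an AVC where the subject's SELinux user differs from the target file's, and daemons in system_r that carry unconfined_u instead of system_u) can be checked from audit and ps output. The script below is an added example, not code from either poster or from the ypbind/dhclient packages; the audit and ps lines it scans are constructed samples modelled on the ones quoted above, and the function names are my own.

```python
import re
from collections import namedtuple

Context = namedtuple("Context", "user role type range")

# Constructed sample audit records, modelled on the AVC quoted in the thread.
# The second (same user on both sides) and third (not an AVC) are invented
# so the non-matching paths are exercised too.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1247181873.317:23523): avc: denied { write } for pid=31499 comm="mv" name="yp.conf" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2 success=no exit=-13 comm="mv" exe="/bin/mv"
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<serial>[^)]+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:range; maxsplit=3 keeps an MLS/MCS range such as
    s0-s0:c0.c1023 in one piece instead of splitting on its inner colon."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    while len(parts) < 4:
        parts.append("")
    return Context(*parts)


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": m.group("serial"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }


def is_user_identity_mismatch(rec):
    """The case described in the thread: the subject's SELinux user differs
    from the target file's. The reference policy constrains file create and
    relabel on the user component, so type-enforcement allow rules alone will
    not make such a denial go away."""
    return (rec["tclass"] == "file"
            and rec["scontext"].user != rec["tcontext"].user)


def find_user_identity_mismatches(audit_text):
    """Scan audit text and report AVCs that look like user-identity
    constraint violations rather than ordinary TE denials."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and is_user_identity_mismatch(rec):
            hits.append((rec["serial"], rec["comm"],
                         rec["scontext"].user, rec["tcontext"].user))
    return hits


# Constructed 'ps -eZ'-style lines: context, pid, tty, time, command.
SAMPLE_PS = """\
LABEL PID TTY TIME CMD
unconfined_u:system_r:dhcpc_t:s0 5702 ? 00:00:00 dhclient
system_u:system_r:ntpd_t:s0 5700 ? 00:00:04 ntpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5678 pts/0 00:00:00 grep
"""


def daemons_not_running_as(ps_text, expected_user="system_u"):
    """List processes in system_r whose SELinux user is not expected_user,
    which is what a service started from a login shell rather than an init
    script looks like."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or ":" not in parts[0]:
            continue  # header line or something malformed
        ctx = split_context(parts[0])
        if ctx.role == "system_r" and ctx.user != expected_user:
            hits.append((int(parts[1]), ctx.user, ctx.type, parts[4]))
    return hits


if __name__ == "__main__":
    for hit in find_user_identity_mismatches(SAMPLE_AUDIT):
        print("user mismatch: serial=%s comm=%s %s -> %s" % hit)
    for hit in daemons_not_running_as(SAMPLE_PS):
        print("daemon pid=%d runs as %s (%s): %s" % hit)
```

On a real box the same functions can be fed the output of ausearch -m avc and ps -eZ; the second check is the quick way to answer the "why are some processes in unconfined_u" question across machines, since anything it lists inherited the user of whoever started it.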
