dhclient denial F-11

Daniel J Walsh dwalsh at redhat.com
Fri Jul 10 13:46:46 UTC 2009


On 07/10/2009 09:03 AM, Paul Howarth wrote:
> On 10/07/09 13:50, Daniel J Walsh wrote:
>> On 07/10/2009 03:58 AM, Paul Howarth wrote:
>>> I get one of these every time my DHCP lease is renewed:
>>>
>>> type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
>>> pid=31499 comm="mv" name="yp.conf.predhclient.br0"
>>> scontext=unconfined_u:system_r:dhcpc_t:s0
>>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>>> type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
>>> success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
>>> items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
>>> subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
>>>
>>> It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
>>>
>>> Paul..
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> That is a new one, looks like you started dhclient by hand, and it is
>> running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool
>> it is trying to create a file labeled system_u:object_r:net_conf_t:s0
>>
>> unconfined_u creating a file with a user type of system_u is a
>> constraint violation.
>>
>> The mv command tries to maintain the context of the
>> yp.conf.predhclient.br0 file which must have been created by dhclient
>> when it was run as a service, so you get this denial.
>>
>> So I guess we need to allow dhcpc_t the ability to change the user
>> component of a file.
>>
>> Who said SELinux is not simple... :^(
>
> I seem to have a lot of processes like this:
>
> # ps uaxZ|grep unconfined_u:system_r:
> unconfined_u:system_r:auditd_t:s0 root 701 0.0 0.0 27464 428 ? S<sl
> Jun24 0:00 auditd
> unconfined_u:system_r:audisp_t:s0 root 703 0.0 0.0 81920 420 ? S<sl
> Jun24 0:00 /sbin/audispd
> unconfined_u:system_r:audisp_t:s0 root 704 0.0 0.0 97764 648 ? S< Jun24
> 0:00 /usr/sbin/sedispatch
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5678 0.0 0.0
> 89008 788 pts/0 S+ 14:00 0:00 grep unconfined_u:system_r:
> unconfined_u:system_r:ntpd_t:s0 ntp 5700 0.0 0.0 58984 696 ? Ss Jun23
> 0:04 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
> unconfined_u:system_r:dhcpc_t:s0 root 5702 0.0 0.0 6856 356 ? Ss Jun23
> 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient-br0.leases -pf
> /var/run/dhclient-br0.pid br0
> unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 5835 0.3 0.1 466888
> 2844 ? Sl Jun23 74:12 libvirtd --daemon
> unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 nobody 5895 0.0 0.0 12584
> 300 ? S Jun23 0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces
> --pid-file=/var/run/libvirt/network/default.pid --conf-file=
> --listen-address 192.168.122.1 --except-interface lo --dhcp-range
> 192.168.122.2,192.168.122.254
> unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 root 9606 0.0 0.0 63236 312
> ? Ss Jun23 0:00 /usr/sbin/sshd
> unconfined_u:system_r:avahi_t:s0 avahi 9690 0.0 0.0 60036 912 ? Ss Jul01
> 0:00 avahi-daemon: registering [roary.local]
> unconfined_u:system_r:avahi_t:s0 avahi 9691 0.0 0.0 59868 156 ? Ss Jul01
> 0:00 avahi-daemon: chroot helper
> unconfined_u:system_r:rpcbind_t:s0 rpc 17479 0.0 0.0 18788 308 ? Ss
> Jun29 0:00 rpcbind -w
> unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 17538 0.0 0.0 100292
> 464 ? Ss Jun29 0:02 crond
>
> Why are some processes starting in system_u and some in unconfined_u?
> I'm always mindful to do "service xyz restart" rather than starting
> things manually. It's not just one machine either.
>
> Paul.
>
>
>
If you execute service xyz restart, xyz will run as unconfined_u, if the 
system does it at boot it will run as system_u.  You can use run_init if 
you choose to get it to run as system_u
run_init service xyz restart
(If you want to use this form, put pam_rootok in /etc/pam.d/run_init, 
for your sanity.   :^))
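As an added example (not from this thread, and not part of Fedora's or the ypbind package's own tooling), a small POSIX sh script that mechanises the two checks discussed above: it compares the SELinux user component of scontext and tcontext in an AVC line, so a denial caused by the unconfined_u/system_u identity mismatch is recognised as a constraint violation rather than a missing allow rule, and it lists processes that are in system_r but carry the unconfined_u identity. The AVC line is the one from the thread; the ps sample is constructed in ps -eZ format from the listing above.

```shell
#!/bin/sh
# Added example, not code from the thread.

# User component (first field) of a context, e.g.
# unconfined_u:system_r:dhcpc_t:s0 -> unconfined_u
ctx_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Read one "type=AVC ..." line on stdin, print both SELinux users.
# Exit 0 when they differ (identity mismatch: an ordinary allow rule
# for dhcpc_t will not fix this), 1 when they match, 2 if unparsable.
avc_user_mismatch() {
    line=$(cat)
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    [ -n "$src" ] && [ -n "$tgt" ] || return 2
    su=$(ctx_user "$src"); tu=$(ctx_user "$tgt")
    printf 'scontext_user=%s tcontext_user=%s\n' "$su" "$tu"
    [ "$su" != "$tu" ]
}

# Read "ps -eZ"-style lines (LABEL PID TTY TIME CMD) on stdin and print
# "pid cmd" for every process running as unconfined_u in the system_r
# role, i.e. a daemon started from an interactive session without run_init.
unconfined_system_daemons() {
    awk '$1 ~ /^unconfined_u:system_r:/ { printf "%s %s\n", $2, $5 }'
}

# The AVC from the thread, rejoined onto one line.
AVC_LINE='type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file'

# Constructed ps -eZ sample (pids and commands taken from the listing above).
PS_SAMPLE='system_u:system_r:syslogd_t:s0 612 ? 00:00:00 rsyslogd
unconfined_u:system_r:dhcpc_t:s0 5702 ? 00:00:00 dhclient
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5678 pts/0 00:00:00 grep
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 9606 ? 00:00:00 sshd'

# Demo: classify the denial, then list the offending daemons.
printf '%s\n' "$AVC_LINE" | avc_user_mismatch \
    && echo "identity mismatch: restart the daemon via run_init"
printf '%s\n' "$PS_SAMPLE" | unconfined_system_daemons
```

On a live system the second function is fed with `ps -eZ | unconfined_system_daemons`; each process it prints is a candidate for `run_init service xyz restart`.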
