dhclient denial F-11

Miroslav Grepl mgrepl at redhat.com
Mon Jul 13 08:26:53 UTC 2009


On 07/10/2009 02:50 PM, Daniel J Walsh wrote:
> On 07/10/2009 03:58 AM, Paul Howarth wrote:
>> I get one of these every time my DHCP lease is renewed:
>>
>> type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
>> pid=31499 comm="mv" name="yp.conf.predhclient.br0"
>> scontext=unconfined_u:system_r:dhcpc_t:s0
>> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
>> type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
>> success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
>> items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
>> subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
>>
>> It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
>>
>> Paul..
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> That is a new one, looks like you started dhclient by hand, and it is 
> running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the 
> tool it is trying to create a file labeled 
> system_u:object_r:net_conf_t:s0
>
> unconfined_u creating a file with a user type of system_u is a 
> constraint violation.
>
> The mv command tries to maintain the context of the
> yp.conf.predhclient.br0 file which must have been created by dhclient 
> when it was run as a service, so you get this denial.
>
> So I guess we need to allow dhcpc_t the ability to change the user 
> component of a file.
>
> Who said SELinux is not simple...  :^(
>
> If you add the following in a module it should allow your app to work.
>
>
> domain_obj_id_change_exemption(dhcpc_t)
>
>
> Miroslav can you add this to sysnetwork.te for F10, F11.
>
I will add this to selinux-policy-3.6.12-66.fc11 and 
selinux-policy-3.5.13-67.fc10
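The denial in this thread is a user-identity constraint, not a missing allow rule: mv keeps the file's existing system_u identity while the process runs as unconfined_u. As an added example (my code, not from the thread or from the selinux-policy package), the script below parses the quoted AVC record, checks whether the subject and target contexts differ in their SELinux user component, and renders a local policy module carrying the domain_obj_id_change_exemption() interface Dan suggests. The heuristic in diagnose(), the module name local_dhcpc and the sample record reassembled onto one line are my assumptions; policy_module() and gen_require() are the standard reference-policy macros.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for '
    'pid=31499 comm="mv" name="yp.conf.predhclient.br0" '
    'scontext=unconfined_u:system_r:dhcpc_t:s0 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=file'
)

# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set between the braces of "avc: denied { ... }"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


@dataclass
class Avc:
    perms: list
    fields: dict


def parse_avc(line):
    """Split one AVC denial record into its permission list and key=value fields."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return Avc(perms, fields)


def split_context(ctx):
    """Break user:role:type[:range] into its components (range may contain colons)."""
    user, role, type_, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "range": ":".join(rest)}


def diagnose(avc):
    """Assumed rule of thumb from the thread: a create denial whose subject and
    target contexts carry different SELinux users is a user-identity constraint,
    and the documented way out is domain_obj_id_change_exemption() for the domain.
    Anything else is treated as ordinary type enforcement."""
    subj = split_context(avc.fields["scontext"])
    targ = split_context(avc.fields["tcontext"])
    if "create" in avc.perms and subj["user"] != targ["user"]:
        return {
            "kind": "user-identity constraint",
            "domain": subj["type"],
            "subject_user": subj["user"],
            "object_user": targ["user"],
            "fix": f"domain_obj_id_change_exemption({subj['type']})",
        }
    return {
        "kind": "type-enforcement",
        "domain": subj["type"],
        "fix": f"check allow rules for {subj['type']} -> {targ['type']}:{avc.fields['tclass']}",
    }


def render_module(name, domain):
    """Render a minimal .te file applying the exemption to the given domain."""
    return "\n".join([
        f"policy_module({name}, 1.0)",
        "",
        "gen_require(`",
        f"\ttype {domain};",
        "')",
        "",
        f"domain_obj_id_change_exemption({domain})",
        "",
    ])


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    verdict = diagnose(record)
    print(f"{record.fields['comm']} ({verdict['domain']}): {verdict['kind']}")
    if verdict["kind"] == "user-identity constraint":
        print(render_module("local_dhcpc", verdict["domain"]))
```

On a real system audit2why(8) from policycoreutils gives the authoritative reason, since it consults the loaded policy's constraints; this script only applies the rule of thumb the thread explains. The rendered .te file is built and loaded with the usual checkmodule, semodule_package and semodule steps.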
