Bug 244010

Summary: SELinux is preventing <file> from using potentially mislabeled files resolv.conf (net_conf_t)
Product: Red Hat Enterprise Linux 5
Component: selinux-policy-targeted
Version: 5.0
Status: CLOSED NOTABUG
Severity: low
Priority: low
Hardware: All
OS: Linux
Reporter: Ondrej Sevcik <osevcik>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh, ldimaggi, mvecera
Doc Type: Bug Fix
Last Closed: 2007-06-13 13:24:31 UTC

Description Ondrej Sevcik 2007-06-13 10:56:29 UTC
Description of problem:
Related to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244008
If I try to access some server from a Perl script using DNS instead of an IP, it is 
denied by SEL:

Source Context                root:system_r:httpd_sys_script_t
Target Context                system_u:object_r:net_conf_t
Target Objects                resolv.conf [ file ]
Affected RPM Packages
Policy RPM                    selinux-policy-2.4.6-74.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     dhcp-lab-220.englab.brq.redhat.com
Platform                      Linux dhcp-lab-220.englab.brq.redhat.com
                              2.6.18-8.1.4.el5 #1 SMP Fri May 4 22:15:13 EDT
                              2007 i686 i686
Alert Count                   31
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="generate_test.p" dev=dm-0 egid=48 euid=48
exe="/usr/bin/perl" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name="resolv.conf"
pid=4155 scontext=root:system_r:httpd_sys_script_t:s0 sgid=48
subj=root:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:net_conf_t:s0 tty=(none) uid=48

Version-Release number of selected component (if applicable):
This is perl, v5.8.8 built for i386-linux-thread-multi
Perl is running as a module in Apache

How reproducible:

Steps to Reproduce:
1. Run a Perl script which needs to resolve a domain name

Actual results:
Audit log fragment is listed below.

Expected results:
No error.

Additional info:
Jun 12 01:21:23 dhcp-lab-220 setroubleshoot:      SELinux is preventing the 
generate_test.p from using potentially mislabeled files resolv.conf 
(net_conf_t).      For complete SELinux messages

Comment 1 Daniel Walsh 2007-06-13 13:24:31 UTC
setsebool -P httpd_can_network_connect=1

Should fix this problem.

Comment 2 Ondrej Sevcik 2007-06-13 13:47:41 UTC
Thank you for your time, it fixed my problem. I'm sorry for flooding Bugzilla...