Bug 153244

Summary: SELinux warnings, maybe DHCP-related
Product: [Fedora] Fedora
Reporter: Florin Andrei <florin>
Component: dhcp
Assignee: Jason Vas Dias <jvdias>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
CC: drepper.fsp, dwalsh
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2005-09-27 16:38:23 EDT

Description Florin Andrei 2005-04-03 18:55:28 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
AthlonXP system, multiple interfaces, eth0 is on DHCP, the rest are static (but disabled for the moment, so they don't count).
When booting up the system, sometimes I see this in the logs:

###################################################
Apr  3 15:48:48 demo kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Apr  3 15:48:48 demo kernel: ip_tables: (C) 2000-2002 Netfilter core team
Apr  3 15:48:48 demo kernel: ip_conntrack version 2.1 (3967 buckets, 31736 max) - 272 bytes per conntrack
Apr  3 15:48:48 demo kernel: e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { read } for  pid=1497 exe=/bin/cp name=config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { getattr } for  pid=1497 exe=/bin/cp path=/etc/selinux/config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=contexts dev=hda2 ino=2261392 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=files dev=hda2 ino=2261398 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { read } for  pid=1504 exe=/sbin/restorecon name=file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.279:0): avc:  denied  { getattr } for  pid=1504 exe=/sbin/restorecon path=/etc/selinux/targeted/contexts/files/file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=/ dev=selinuxfs ino=252 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { read write } for  pid=1504 exe=/sbin/restorecon name=context dev=selinuxfs ino=5 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { check_context } for  pid=1504 exe=/sbin/restorecon scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=security
Apr  3 15:48:48 demo kernel: tun: Universal TUN/TAP device driver, 1.6
Apr  3 15:48:48 demo kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
###################################################

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.5-3

How reproducible:
Sometimes

Steps to Reproduce:
1. see above

Additional info:
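The AVC records quoted above, run through a small parser. This is an added example, not code from the bug report or from the Fedora dhcp package: it groups the logged denials by source type, target type and object class, lists which programs were running in the dhcpc_t domain, and prints the result as the allow rules audit2allow would suggest. The sample lines are copied from the log excerpt above (the pre-auditd "kernel: audit(...)" syslog format); the regexes, function names and output format are this example's own choices.

```python
"""Summarise SELinux AVC denials like those quoted in this bug report.

Added example, not part of the bug report or the dhcp package. The sample
log lines are copied from the report's kernel log excerpt; the regexes,
function names and the allow-rule summary are this example's own choices,
modelled on what audit2allow prints.
"""
import re
from collections import defaultdict

# Copied from the report above. Two non-AVC kernel lines are kept on purpose
# to show that the parser skips them.
SAMPLE_LOG = [
    "Apr  3 15:48:48 demo kernel: e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { read } for  pid=1497 exe=/bin/cp name=config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { getattr } for  pid=1497 exe=/bin/cp path=/etc/selinux/config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=contexts dev=hda2 ino=2261392 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=files dev=hda2 ino=2261398 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=dir",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { read } for  pid=1504 exe=/sbin/restorecon name=file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.279:0): avc:  denied  { getattr } for  pid=1504 exe=/sbin/restorecon path=/etc/selinux/targeted/contexts/files/file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=/ dev=selinuxfs ino=252 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=dir",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { read write } for  pid=1504 exe=/sbin/restorecon name=context dev=selinuxfs ino=5 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file",
    "Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { check_context } for  pid=1504 exe=/sbin/restorecon scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=security",
    "Apr  3 15:48:48 demo kernel: tun: Universal TUN/TAP device driver, 1.6",
]

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record.

    The dict carries 'result', 'perms' (a set) and every key=value field after
    'for' (pid, exe, name/path, scontext, tcontext, tclass, ...).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def type_of(context):
    """user_u:system_r:dhcpc_t -> dhcpc_t (drop the user and role fields)."""
    return context.split(":")[2]


def summarise(lines):
    """Map (source type, target type, object class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def executables(lines):
    """Programs that hit a denial (exe= in this old format, comm= in auditd records)."""
    progs = set()
    for rec in map(parse_avc, lines):
        if rec and rec["result"] == "denied":
            progs.add(rec.get("exe") or rec.get("comm"))
    progs.discard(None)
    return progs


def as_te_rules(rules):
    """Render the summary as type-enforcement allow rules, as audit2allow would print them."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    denials = summarise(SAMPLE_LOG)
    print("programs denied in dhcpc_t:", ", ".join(sorted(executables(SAMPLE_LOG))))
    for rule in as_te_rules(denials):
        print(rule)
```

Two caveats the summary makes visible. First, every denial comes from /bin/cp and /sbin/restorecon, not from dhclient itself, which is the point Comment 4 makes: the right fix was to stop the dhclient scripts from running restorecon, not to grant dhcpc_t read/write on the SELinux configuration and selinuxfs as the generated allow rules would. Second, because the box is in permissive mode (Comment 2), these "denied" records are logged but not enforced; the same boot in enforcing mode would fail those cp and restorecon calls.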
Comment 1 Florin Andrei 2005-04-03 18:58:14 EDT
I'm sorry, I'm confused, I was thinking of another bug - this is not happening
intermittently, it happens every single time, when the system boots up.
Sorry for the mistake.

There are also some SELinux messages when shutting down, but those happen after
syslog is turned off, so I'm not sure how to capture them.
Comment 2 Florin Andrei 2005-04-03 19:04:32 EDT
BTW, SELinux is in "permissive" mode.
Comment 3 Florin Andrei 2005-04-03 19:05:43 EDT
Also see bug #153245 - they seem related.
Comment 4 Daniel Walsh 2005-04-04 09:37:52 EDT
The problem here is that dhclient is attempting to run restorecon and it should
not.  The file labeling is being taken care of by SELinux.
Comment 9 Daniel Walsh 2005-04-15 23:33:59 EDT
Restorecon has been removed from the latest rawhide dhclient scripts.
Comment 11 Jason Vas Dias 2005-04-18 14:19:56 EDT
 dhcp-3.0.2-8 now has a workaround that avoids these SELinux problems.
 The problem was that when dhclient runs during boot in context
     'system_u:object_r:dhcpc_exec_t'
 it cannot:
    o modify ANY configuration files
      (/etc/resolv.conf, /etc/yp.conf, /etc/ntp.conf, 
       /etc/ntp/step-tickers)
    o run /sbin/restorecon
    o run /usr/sbin/hostname or /usr/sbin/domainname
 For some reason, when dhclient is run out of the boot sequence,
 eg. by root command "service network restart", then it is allowed
 to modify the configuration files and run restorecon and 
 {host,domain}name. This may have something to do with the context
 of /etc/sysconfig/network-scripts/ifup-eth, from which dhclient is
 run, being 'system_u:object_r:etc_t' and not /sbin/ifup's 
 system_u:object_r:sbin_t .

 The temporary workaround, until SELinux policy is fixed, is to
    # chcon system_u:object_r:sbin_t /sbin/dhclient*
 in the dhclient-3.0.2-8.*.rpm %post script.
 The "restorecon"s are also restored in this version and now work.
Comment 12 Jason Vas Dias 2005-04-18 14:27:11 EDT
 dhcp-3.0.8 will be in rawhide20050419 - meanwhile, you can download it
 from:
  http://people.redhat.com/~jvdias/DHCP/FC4