Bug 153244
| Summary: | SELinux warnings, maybe DHCP-related | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florin Andrei <florin> |
| Component: | dhcp | Assignee: | Jason Vas Dias <jvdias> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | CC: | drepper, dwalsh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-09-27 20:38:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I'm sorry, i'm confused, i was thinking of another bug - this is not happening intermitently, it happens every single time, when the system boots up. Sorry for the mistake. There are also some SELinux messages when shutting down, but those happen after syslog is turned off, so i'm not sure how to capture them. BTW, SELinux is in "permissive" mode. Also see bug #153245 - they seem related. The problem here is that dhclient is attempting to run restorecon and it should not. The file labeling is being taken care of by SELinux. Restorecon has been removed from the latest rawhide dhclient scripts. dhcp-3.0.2-8 now has a workaround that avoids these SELinux problems.
The problem was that when dhclient runs during boot in context
'system_u:object_r:dhcpc_exec_t'
it cannot:
o modify ANY configuration files
(/etc/resolv.conf, /etc/yp.conf, /etc/ntp.conf,
/etc/ntp/step-tickers)
o run /sbin/restorecon
o run /usr/sbin/hostname or /usr/sbin/domainname
For some reason, when dhclient is run out of the boot sequence,
eg. by root command "service network restart", then it is allowed
to modify the configuration files and run restorecon and
{host,domain}name. This may have something to do with the context
of /etc/sysconfig/network-scripts/ifup-eth, from which dhclient is
run, being 'system_u:object_r:etc_t' and not /sbin/ifup's
system_u:object_r:sbin_t .
The temporary workaround, until SELinux policy is fixed, is to
# chcon system_u:object_r:sbin_t /sbin/dhclient*
in the dhclient-3.0.2-8.*.rpm %post script.
The "restorecon"s are also restored in this version and now work.
dhcp-3.0.8 will be in rawhide20050419 - meanwhile, you can download it from: http://people.redhat.com/~jvdias/DHCP/FC4 |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1 Description of problem: AthlonXP system, multiple interfaces, eth0 is on DHCP, the rest are static (but disabled for the moment, so they don't count). When booting up the system, sometimes i see this in the logs: ################################################### Apr 3 15:48:48 demo kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts Apr 3 15:48:48 demo kernel: ip_tables: (C) 2000-2002 Netfilter core team Apr 3 15:48:48 demo kernel: ip_conntrack version 2.1 (3967 buckets, 31736 max) - 272 bytes per conntrack Apr 3 15:48:48 demo kernel: e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex Apr 3 15:48:48 demo kernel: audit(1112568526.223:0): avc: denied { read } for pid=1497 exe=/bin/cp name=config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file Apr 3 15:48:48 demo kernel: audit(1112568526.223:0): avc: denied { getattr } for pid=1497 exe=/bin/cp path=/etc/selinux/config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file Apr 3 15:48:48 demo kernel: audit(1112568526.278:0): avc: denied { search } for pid=1504 exe=/sbin/restorecon name=contexts dev=hda2 ino=2261392 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir Apr 3 15:48:48 demo kernel: audit(1112568526.278:0): avc: denied { search } for pid=1504 exe=/sbin/restorecon name=files dev=hda2 ino=2261398 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=dir Apr 3 15:48:48 demo kernel: audit(1112568526.278:0): avc: denied { read } for pid=1504 exe=/sbin/restorecon name=file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file Apr 3 15:48:48 demo kernel: audit(1112568526.279:0): avc: denied { getattr } for pid=1504 exe=/sbin/restorecon path=/etc/selinux/targeted/contexts/files/file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file Apr 3 15:48:48 demo kernel: audit(1112568526.286:0): avc: denied { search } for pid=1504 exe=/sbin/restorecon name=/ dev=selinuxfs ino=252 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=dir Apr 3 15:48:48 demo kernel: audit(1112568526.286:0): avc: denied { read write } for pid=1504 exe=/sbin/restorecon name=context dev=selinuxfs ino=5 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file Apr 3 15:48:48 demo kernel: audit(1112568526.286:0): avc: denied { check_context } for pid=1504 exe=/sbin/restorecon scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=security Apr 3 15:48:48 demo kernel: tun: Universal TUN/TAP device driver, 1.6 Apr 3 15:48:48 demo kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk> ################################################### Version-Release number of selected component (if applicable): selinux-policy-targeted-1.23.5-3 How reproducible: Sometimes Steps to Reproduce: 1.see above 2. 3. Additional info: