Bug 175164

Summary: dhclient / selinux avc: denied
Product: [Fedora] Fedora
Reporter: p thompson <pt>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium    
Version: 4   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-01-02 17:31:31 UTC

Description p thompson 2005-12-07 04:19:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
I make use of the option in /sbin/dhclient-script for a /etc/dhclient-exit-hooks file, and I seem to get a lot of these while the exit hooks fail to run.
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.758:65): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.770:66): avc:  denied  { search } for  pid=1450 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.774:71): avc:  denied  { search } for  pid=1451 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.778:76): avc:  denied  { search } for  pid=1453 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.782:81): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.782:82): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.782:83): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.786:84): avc:  denied  { search } for  pid=1455 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.786:89): avc:  denied  { search } for  pid=1456 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.794:94): avc:  denied  { search } for  pid=1458 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.794:99): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.794:100): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.794:101): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.798:102): avc:  denied  { search } for  pid=1459 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:34 monotheletisia kernel: audit(1133928058.862:119): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:36 monotheletisia kernel: audit(1133928059.570:124): avc:  denied  { search } for  pid=1480 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:36 monotheletisia kernel: audit(1133928059.654:129): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:37 monotheletisia kernel: audit(1133928059.658:134): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:37 monotheletisia kernel: audit(1133928059.658:135): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:37 monotheletisia kernel: audit(1133928059.658:136): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:41 monotheletisia kernel: audit(1133928313.466:137): avc:  denied  { write } for  pid=1966 comm="dhclient-script" name="resolv.conf" dev=sdg2 ino=539441 scontext=system_u:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
Dec  6 22:05:41 monotheletisia kernel: audit(1133928313.466:138): avc:  denied  { write } for  pid=1966 comm="dhclient-script" name="resolv.conf" dev=sdg2 ino=539441 scontext=system_u:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16

How reproducible:
Always

Steps to Reproduce:
1. operate dhclient

Additional info:

ls -Z /etc/dhclient-exit-hooks /sbin/dhclient-script /root/dhmail.pl
-rwxr-xr-x  root     root     system_u:object_r:dhcpc_exec_t   /etc/dhclient-exit-hooks
-rwxrwxr-x  root     thompson system_u:object_r:dhcpc_exec_t   /root/dhmail.pl
-rwxr-xr-x  root     root     system_u:object_r:dhcpc_exec_t   /sbin/dhclient-script
-rw-r--r--  root     root     system_u:object_r:net_conf_t     /etc/resolv.conf

I just changed the owner of dhmail.pl to root; I will see if that helps anything.

Comment 1 Daniel Walsh 2005-12-07 17:14:47 UTC
Your /usr partition is mislabeled.  Please
touch /.autorelabel
reboot
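
An added example (not part of the bug report and not code from any SELinux tool): a triage pass over AVC denials like those in the description, which collapses repeats and flags targets typed file_t, the case Comment 1 answers with a relabel. The sample lines are copied from the report; the verdict strings and the rule that file_t or unlabeled_t means "relabel" are assumptions of this example.

```python
import re
from collections import Counter

# Four denial lines copied from the report above.
SAMPLE_LOG = '''\
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.758:65): avc:  denied  { search } for  pid=1446 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.770:66): avc:  denied  { search } for  pid=1450 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:33 monotheletisia kernel: audit(1133928058.774:71): avc:  denied  { search } for  pid=1451 comm="dhclient-script" name="usr" dev=sdg2 ino=81601 scontext=system_u:system_r:dhcpc_t tcontext=user_u:object_r:file_t tclass=dir
Dec  6 22:05:41 monotheletisia kernel: audit(1133928313.466:137): avc:  denied  { write } for  pid=1966 comm="dhclient-script" name="resolv.conf" dev=sdg2 ino=539441 scontext=system_u:system_r:dhcpc_t tcontext=root:object_r:etc_t tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: a target typed file_t (or unlabeled_t) has no
# usable label, so the remedy is a relabel rather than a policy change.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one syslog line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return (context_type(kv["scontext"]), context_type(kv["tcontext"]),
            kv["tclass"], tuple(m.group("perms").split()),
            kv.get("name", ""), kv.get("dev", ""))


def triage(log_text):
    """Collapse repeated denials and attach a verdict to each distinct one."""
    counts = Counter(rec for rec in map(parse_avc, log_text.splitlines()) if rec)
    report = []
    for (src, tgt, cls, perms, name, dev), n in counts.most_common():
        verdict = ("relabel-filesystem" if tgt in UNLABELED_TYPES
                   else "inspect-label-and-policy")
        report.append({"count": n, "source": src, "target": tgt, "tclass": cls,
                       "perms": perms, "name": name, "dev": dev, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```
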