Bug 228260

Summary: SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
Product: [Fedora] Fedora
Reporter: Tim Lauridsen <tim.lauridsen>
Component: system-config-network
Assignee: Harald Hoyer <harald>
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Version: rawhide
CC: dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-02 20:14:32 UTC

Description Tim Lauridsen 2007-02-12 09:39:35 UTC
Description of problem:

Resolv.conf was not updated by enabling a network adapter in system-config-network.

mv /etc/resolv.conf /etc/resolv.conf.current
ifdown eth1
ifup eth1

worked ok. 

Version-Release number of selected component (if applicable):

selinux-policy-2.5.2-5.fc7
selinux-policy-targeted-2.5.2-5.fc7

It is not a big issue to me, just want to let you know.

Additional info:

Summary
    SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
    (etc_t).

Detailed Description
    SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
    (etc_t). The SELinux type %TARGET_TYPE, is a generic type for all files in
    the directory and very few processes (SELinux Domains) are allowed to write
    to this SELinux type.  This type of denial usual indicates a mislabeled
    file.  By default a file created in a directory has the gets the context of
    the parent directory, but SELinux policy has rules about the creation of
    directories, that say if a process running in one SELinux Domain (D1)
    creates a file in a directory with a particular SELinux File Context (F1)
    the file gets a different File Context (F2).  The policy usually allows the
    SELinux Domain (D1) the ability to write or append on (F2).  But if for some
    reason a file (resolv.conf) was created with the wrong context, this domain
    will be denied.  The usual solution to this problem is to reset the file
    context on the target file, restorecon -v resolv.conf.  If the file context
    does not change from etc_t, then this is probably a bug in policy.  Please
    file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the
    selinux-policy package. If it does change, you can try your application
    again to see if it works.  The file context could have been mislabeled by
    editing the file or moving the file from a different directory, if the file
    keeps getting mislabeled, check the init scripts to see if they are doing
    something to mislabel the file.

Allowing Access
    You can attempt to fix file context by executing restorecon -v resolv.conf

    The following command will allow this access:
    restorecon resolv.conf

Additional Information        

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                resolv.conf [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.5.2-5.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.mislabeled_file
Host Name                     localhost
Platform                      Linux localhost 2.6.20-1.2922.fc7 #1 SMP Sun Feb 4
                              18:53:10 EST 2007 i686 i686
Alert Count                   4
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="dhclient-script" dev=sda5 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf"
pid=3495 scontext=system_u:system_r:dhcpc_t:s0 sgid=0
subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
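
The Detailed Description above says that a write denial against a generic type such as etc_t usually indicates a mislabeled file. As an added example (not code from the report or from setroubleshoot), this Python code parses the raw audit message from the report and applies that rule; `GENERIC_TYPES`, `MODIFY_PERMS` and the function names are assumptions made for illustration.

```python
import re

# The audit record from the report above, joined onto one line.
AVC = ('avc: denied { write } for comm="dhclient-script" dev=sda5 egid=0 euid=0 '
       'exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf" '
       'pid=3495 scontext=system_u:system_r:dhcpc_t:s0 sgid=0 '
       'subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0')

# Assumption: the set of "generic directory types". Only etc_t comes from
# the report; extend the set to match your own policy.
GENERIC_TYPES = {"etc_t"}
MODIFY_PERMS = {"write", "append"}

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return a dict of the AVC fields, or None if the text is not an AVC record."""
    m = _AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = set(m.group(2).split())
    # A context is user:role:type[:level]; the level may itself contain colons.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":", 3)
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def looks_mislabeled(avc):
    """True when a denial matches the mislabeled-file pattern described above."""
    return (avc is not None
            and avc["result"] == "denied"
            and avc.get("tclass") == "file"
            and bool(avc["perms"] & MODIFY_PERMS)
            and avc["tcontext_type"] in GENERIC_TYPES)


def triage(record):
    """Suggest a relabel for the mislabeled-file pattern, else a policy review."""
    avc = parse_avc(record)
    if looks_mislabeled(avc):
        return "relabel: restorecon -v %s (%s cannot write %s)" % (
            avc["name"], avc["scontext_type"], avc["tcontext_type"])
    return "review policy"
```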

Comment 1 Daniel Walsh 2007-02-12 15:55:39 UTC
system-config-network should be maintaining the context on all files that it
edits, especially resolv.conf.

Comment 2 Bill Nottingham 2007-03-02 17:44:14 UTC
Moving to 'devel' as discussed on
https://www.redhat.com/archives/fedora-devel-list/2007-March/msg00095.html.

Comment 3 Daniel Walsh 2007-03-02 20:14:32 UTC
Bugzilla: 230776 and Bugzilla: 230775 should address this issue.

*** This bug has been marked as a duplicate of 230775 ***