Bug 314531

Summary: NM SELinux denial - dhclient.leases mislabeled?
Product: [Fedora] Fedora
Reporter: Zack Cerza <zcerza>
Component: NetworkManager
Assignee: Dan Williams <dcbw>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dcantrell, dcbw, dwalsh
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-02-07 19:24:26 UTC

Description Zack Cerza 2007-10-01 19:12:43 UTC
Description of problem:
I saw this around the same time that I found a NetworkManager segfault. I'll try
to get a better backtrace on that and report it later.

Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                None [ file ]
Affected RPM Packages         dhclient-3.0.6-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     megadoomer
Platform                      Linux megadoomer 2.6.23-0.214.rc8.git2.fc8 #1 SMP
                              Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Mon 01 Oct 2007 03:05:22 PM EDT
Last Seen                     Mon 01 Oct 2007 03:05:22 PM EDT
Local ID                      279f88a9-aa51-4060-92b4-8c0fd1bb3bdc
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 exe=/sbin/dhclient
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=dhclient.leases pid=10300
scontext=system_u:system_r:dhcpc_t:s0 sgid=0 subj=system_u:system_r:dhcpc_t:s0
suid=0 tclass=file tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0



Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.3.svn2914.fc8
selinux-policy-targeted-3.0.8-14.fc8
dhclient-3.0.6-5.fc8

Comment 1 Dan Williams 2007-10-01 20:33:59 UTC
dwalsh; what's needed here?  dhclient itself creates the leasefile, I assume it
needs some smarts to relabel the leasefile when it creates it?  NM tells
dhclient _where_ to put the leases, but doesn't actually create the leasefile
itself.

Comment 2 Dan Williams 2007-10-01 20:35:37 UTC
Actually, this may not be related to NM, because NM will always spawn dhclient
with a leasefile argument like "dhclient-eth0.leases", and shouldn't ever pass
just 'dhclient.leases'.  I assume dhclient is probably just trying to read that
file by default or something.  Dave?

Comment 3 Daniel Walsh 2007-10-01 21:46:35 UTC
file_t indicates a file that never had a label on it.  So this looks like you
have run with selinux disabled.  You can fix the labeling by executing 

fixfiles restore

Of course NetworkManager should not segfault.  There is a bug in libsemanage
that has been preventing proper relabeling on autorelabel.
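
Added example, not part of the bug report or written by any commenter: a small POSIX shell filter that picks out AVC denials whose target context type is file_t, the unlabeled-file condition discussed in comment 3. The function names and the second sample record are assumptions made for illustration. The first sample record is the denial from the description, joined onto one line.

```shell
#!/bin/sh
# Added example: flag AVC denials whose target file carries no SELinux
# label, i.e. whose tcontext type is file_t.

# avc_field KEY RECORD: print the value of KEY=value from one AVC record.
avc_field() {
    local rec rest
    rec=" $2"                # leading space: " name=" must not match "hostname="
    case $rec in
        *" $1="*) ;;
        *) return 1 ;;       # key not present in this record
    esac
    rest=${rec#*" $1="}
    printf '%s\n' "${rest%% *}"
}

# Read AVC records (one per line) on stdin and print "comm name dev" for
# every denial whose target type is file_t.
unlabeled_denials() {
    local rec tctx ttype
    while IFS= read -r rec; do
        case $rec in
            *"avc: denied"*) ;;
            *) continue ;;
        esac
        tctx=$(avc_field tcontext "$rec") || continue
        ttype=${tctx#*:}     # drop the SELinux user
        ttype=${ttype#*:}    # drop the role
        ttype=${ttype%%:*}   # drop the level, leaving the type
        [ "$ttype" = file_t ] || continue
        printf '%s %s %s\n' "$(avc_field comm "$rec")" \
            "$(avc_field name "$rec")" "$(avc_field dev "$rec")"
    done
}

# Sample input: record 1 is the denial from this report on one line;
# record 2 is constructed and has a properly labeled target (etc_t).
sample_records() {
    cat <<'EOF'
avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 exe=/sbin/dhclient exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=dhclient.leases pid=10300 scontext=system_u:system_r:dhcpc_t:s0 sgid=0 subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0
avc: denied { write } for comm=dhclient dev=sda6 name=resolv.conf pid=10301 scontext=system_u:system_r:dhcpc_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0
EOF
}

sample_records | unlabeled_denials
```

The record carries only the file name and device, not a full path. On a system whose GNU find is built with SELinux support, `find <mountpoint> -xdev -context '*:file_t:*'` lists the unlabeled files on that filesystem so they can be relabeled with restorecon or `fixfiles restore`.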