Bug 351211

Summary: denials from chkconfig
Product: [Fedora] Fedora Reporter: Jesse Keating <jkeating>
Component: dhcpAssignee: David Cantrell <dcantrell>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dcantrell, katzj, notting
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-25 12:46:19 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 235703    
Attachments:
Description Flags
patch for this none

Description Jesse Keating 2007-10-24 15:57:06 EDT
SELinux is preventing chkconfig (dhcpc_t) "search" to (user_home_dir_t).

Source Context:  system_u:system_r:dhcpc_t:s0
Target Context:  system_u:object_r:user_home_dir_t:s0
Target Objects:  None [ dir ]

avc: denied { search } for comm=chkconfig dev=dm-3 name=root pid=16995
scontext=system_u:system_r:dhcpc_t:s0 tclass=dir
tcontext=system_u:object_r:user_home_dir_t:s0
Comment 1 Jeremy Katz 2007-10-24 16:56:15 EDT
When do you get this?
Comment 2 Jesse Keating 2007-10-24 17:15:38 EDT
This happens if you run 'ifup' in /root/  (not sure about other locations,
didn't try them)
Comment 3 Bill Nottingham 2007-10-24 17:27:56 EDT
dhclient-script uses chkconfig to attempt to do some deranged service restarting
w.r.t. ypbind. I'm debating whether it should be taken out and shot repeatedly.
Comment 4 Bill Nottingham 2007-10-24 17:30:53 EDT
(i.e., don't change policy just yet)
Comment 5 Jeremy Katz 2007-10-24 23:50:20 EDT
Oh, ick.  One vote for taking it out...
Comment 6 Jesse Keating 2007-10-25 09:03:34 EDT
I do too.
Comment 7 Bill Nottingham 2007-10-25 11:26:22 EDT
Created attachment 237481 [details]
patch for this

Here's a patch that:

- doesn't actually use chkconfig to check the runlevel, as it's superfluous
(you can just check if ypbind is running)
- uses coreutils readlink rather than busybox (!)
Comment 8 David Cantrell 2007-10-25 12:46:19 EDT
Bill, thanks for the patch.  Really hate that script.  But it's slowly becoming
sane.  Or maybe I'm becoming insane.  I just recently gutted all of the dhcdbd
hacks in that script, so bring on more minus signs.