Bug 351211

Summary: denials from chkconfig
Product: [Fedora] Fedora
Reporter: Jesse Keating <jkeating>
Component: dhcp
Assignee: David Cantrell <dcantrell>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dcantrell, katzj, notting
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-25 16:46:19 UTC
Bug Blocks: 235703
Attachments: patch for this (flags: none)

Description Jesse Keating 2007-10-24 19:57:06 UTC
SELinux is preventing chkconfig (dhcpc_t) "search" to (user_home_dir_t).

Source Context:  system_u:system_r:dhcpc_t:s0
Target Context:  system_u:object_r:user_home_dir_t:s0
Target Objects:  None [ dir ]

avc: denied { search } for comm=chkconfig dev=dm-3 name=root pid=16995
scontext=system_u:system_r:dhcpc_t:s0 tclass=dir
tcontext=system_u:object_r:user_home_dir_t:s0

Comment 1 Jeremy Katz 2007-10-24 20:56:15 UTC
When do you get this?

Comment 2 Jesse Keating 2007-10-24 21:15:38 UTC
This happens if you run 'ifup' in /root/  (not sure about other locations,
didn't try them)

Comment 3 Bill Nottingham 2007-10-24 21:27:56 UTC
dhclient-script uses chkconfig to attempt to do some deranged service restarting
w.r.t. ypbind. I'm debating whether it should be taken out and shot repeatedly.

Comment 4 Bill Nottingham 2007-10-24 21:30:53 UTC
(i.e., don't change policy just yet)

Comment 5 Jeremy Katz 2007-10-25 03:50:20 UTC
Oh, ick.  One vote for taking it out...

Comment 6 Jesse Keating 2007-10-25 13:03:34 UTC
I do too.

Comment 7 Bill Nottingham 2007-10-25 15:26:22 UTC
Created attachment 237481
patch for this

Here's a patch that:

- doesn't actually use chkconfig to check the runlevel, as it's superfluous
(you can just check if ypbind is running)
- uses coreutils readlink rather than busybox (!)

Comment 8 David Cantrell 2007-10-25 16:46:19 UTC
Bill, thanks for the patch.  Really hate that script.  But it's slowly becoming
sane.  Or maybe I'm becoming insane.  I just recently gutted all of the dhcdbd
hacks in that script, so bring on more minus signs.