Bug 444897

Summary: avc denied for NetworkManager and dhclient
Product: [Fedora] Fedora
Reporter: Gene Czarcinski <gczarcinski>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WORKSFORME
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: rawhide
CC: dcbw
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-03 02:43:30 EDT
Bug Blocks: 235706

Description Gene Czarcinski 2008-05-01 12:32:14 EDT
Description of problem:
Installed x86_64 f9-preview fresh on real hardware.  On 4/30/2008, updated from
"rawhide" ... this caused the release to become fedora 9 (rawhide).

When NetworkManager is started and the network is brought up I get:

type=AVC msg=audit(1209658063.020:64): avc:  denied  { write } for  pid=4525
comm="dhclient" name="dhclient-eth0.pid" dev=sda6 ino=799296
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1209658063.020:64): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff6bc46f24 a1=241 a2=1a4 a3=4000 items=0 ppid=1 pid=4525 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0

The te file from audit2allow is:

module POL 1.0;

require {
	type var_run_t;
	type NetworkManager_t;
	type dhcpc_t;
	class file { read write };
}

#============= NetworkManager_t ==============
allow NetworkManager_t var_run_t:file read;

#============= dhcpc_t ==============
allow dhcpc_t var_run_t:file { read write };

Version-Release number of selected component (if applicable):
f9-preview updated to "current" rawhide (release Fedora 9 (rawhide))
selinux-policy-targeted is 3.3.1-42.fc9
NetworkManager* is 0.7.0-0.9.2.svn3614.fc9

How reproducible:

Comment 1 Daniel Walsh 2008-05-02 08:14:36 EDT
Somehow this file got the wrong context on it.

restorecon -R -v /var/run/dhclient*

Will fix.

Any idea how this might have happened?
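
The diagnosis in Comment 1 comes from the target context in the denial: a dhclient pid file labelled with the generic var_run_t. The following added example (not from the report or from any SELinux tool) correlates the AVC and SYSCALL records by audit event id and flags such denials for a label check instead of an allow rule; the GENERIC_TYPES set and all function names are assumptions.

```python
import re
from collections import defaultdict
# Constructed input: the AVC and SYSCALL records from this report (SYSCALL shortened).
LOG = (
    'type=AVC msg=audit(1209658063.020:64): avc:  denied  { write } for  pid=4525 '
    'comm="dhclient" name="dhclient-eth0.pid" dev=sda6 ino=799296 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1209658063.020:64): arch=c000003e syscall=2 success=no exit=-13 '
    'pid=4525 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0\n'
)
# Assumption: directory-default or fallback types; adjust to the local policy.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "tmp_t", "default_t", "unlabeled_t"}
HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge all records sharing an audit event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events[event_id]
        a = AVC.match(body) if rtype == "AVC" else None
        if a:
            ev["result"], ev["perms"], body = a.group(1), a.group(2).split(), a.group(3)
        for key, val in KV.findall(body):
            ev.setdefault(key, val.strip('"'))
    return dict(events)

def context_type(ctx):
    """Type is the third field of user:role:type[:level]; None if absent."""
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(ev):
    """Flag denials whose target carries a generic type as relabel candidates."""
    # The AVC line above has no scontext, so fall back to the SYSCALL subj field.
    source = context_type(ev.get("scontext") or ev.get("subj"))
    target = context_type(ev.get("tcontext"))
    relabel = ev.get("result") == "denied" and target in GENERIC_TYPES
    return {"source": source, "target": target, "perms": ev.get("perms"),
            "name": ev.get("name"), "action": "relabel" if relabel else "review"}

if __name__ == "__main__":
    for event_id, ev in parse_events(LOG).items():
        print(event_id, triage(ev))
```

A `relabel` result means checking the path with `restorecon -n -v` before loading any generated module: the audit2allow rules in the description would let dhcpc_t read and write every file labelled var_run_t, not just its own pid file.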

Comment 2 Gene Czarcinski 2008-05-02 13:05:16 EDT
1. installed f9 preview from DVD
2. worked with newer versions of NetworkManager trying to figure out what was
wrong with it -- https://bugzilla.redhat.com/show_bug.cgi?id=444502
3. updated from rawhide which "caused" update to Fedora 9 (rawhide)
4. continued testing NetworkManager

Comment 3 Bill Nottingham 2008-05-02 16:56:47 EDT
I'm not seeing this on regular installs here (and I've done quite a few)

If you manually restorecon, does it reoccur?

Comment 4 Gene Czarcinski 2008-05-03 02:42:32 EDT
Good, bad or indifferent, I cannot repeat the problem right now so I will close
this report.

I have been updating to "current" updates so maybe something got fixed or changed.

If the problem reoccurs, I will reopen.