Bug 444907
Field | Value
---|---
Summary | SELinux is preventing touch (dhcpc_t) "write" to ./firestarter (var_lock_t).
Product | Fedora
Component | selinux-policy-targeted
Version | 8
Hardware | x86_64
OS | Linux
Status | CLOSED RAWHIDE
Severity | low
Priority | low
Reporter | Martin Naď <martin.nad89>
Assignee | Daniel Walsh <dwalsh>
QA Contact | Ben Levenson <benl>
CC | mschmidt
Doc Type | Bug Fix
Last Closed | 2008-05-07 15:00:37 UTC
Description

Martin Naď
2008-05-01 18:08:31 UTC

I can reproduce. When you set "IP address is assigned via DHCP" in firestarter's wizard, it hooks into the DHCP client by adding this line to /etc/dhclient-exit-hooks:

    sh /etc/firestarter/firestarter.sh start

The script is run in the dhcpc_t domain and, among other things, it attempts to set the iptables rules. There are many AVC denials in permissive mode:

    host=hammerfall type=AVC msg=audit(1209688871.380:542): avc: denied { create } for pid=1251 comm="iptables" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
    host=hammerfall type=AVC msg=audit(1209688871.397:544): avc: denied { setopt } for pid=1254 comm="iptables" lport=255 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
    host=hammerfall type=AVC msg=audit(1209688871.380:543): avc: denied { getopt } for pid=1251 comm="iptables" lport=255 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
    host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { execute } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { read } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { execute_no_trans } for pid=1251 comm="sh" path="/sbin/iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
    host=hammerfall type=AVC msg=audit(1209688878.722:548): avc: denied { write } for pid=1539 comm="touch" name="firestarter" dev=dm-2 ino=688200 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
    host=hammerfall type=AVC msg=audit(1209688879.265:550): avc: denied { write } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
    host=hammerfall type=AVC msg=audit(1209688879.264:549): avc: denied { search } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
    host=hammerfall type=AVC msg=audit(1209688879.286:551): avc: denied { read } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

Fixed in selinux-policy-3.3.1-47
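An added example, not part of the bug report and not selinux-policy's own code: a small Python parser that collapses AVC records like the ones quoted above into per-(source type, target type, object class) permission sets, the same grouping audit2allow performs before printing allow rules, and separately flags execute_no_trans denials on *_exec_t files. The flag encodes an assumption about policy design rather than anything the report states: when a confined domain is denied execute_no_trans on another domain's entrypoint type, the usual fix is a domain transition, not an allow rule that grants the source domain the target program's permissions (here, raw-socket access for dhcpc_t). The sample records are a subset copied from the report and embedded inline; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in the report,
# one record per line (the report runs them together).
SAMPLE_AVC = """\
type=AVC msg=audit(1209688871.368:541): avc: denied { execute } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1209688871.368:541): avc: denied { read } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1209688871.368:541): avc: denied { execute_no_trans } for pid=1251 comm="sh" path="/sbin/iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1209688871.380:542): avc: denied { create } for pid=1251 comm="iptables" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(1209688871.397:544): avc: denied { setopt } for pid=1254 comm="iptables" lport=255 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(1209688878.722:548): avc: denied { write } for pid=1539 comm="touch" name="firestarter" dev=dm-2 ino=688200 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1209688879.265:550): avc: denied { write } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""

# One AVC record: the denied permission set, then the two security contexts
# and the object class. Fields appear in this order in kernel AVC messages.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the field policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, etc.)
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def summarize(text):
    """Collapse denials into {(stype, ttype, tclass): set(perms)}, merging
    repeated records for the same triple."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def to_allow_rules(summary):
    """Render the summary as SELinux allow statements, i.e. the naive fix
    audit2allow would propose. Granting these verbatim is usually too broad."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def missing_transitions(summary):
    """Target entrypoint types a domain tried to execute without a transition.
    Assumption (design heuristic, not from the report): execute_no_trans on an
    *_exec_t file means the right fix is a domain transition for that program,
    not an allow rule that copies its privileges into the source domain."""
    return sorted(
        ttype
        for (stype, ttype, tclass), perms in summary.items()
        if tclass == "file" and ttype.endswith("_exec_t") and "execute_no_trans" in perms
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_AVC)
    for rule in to_allow_rules(s):
        print(rule)
    print("entrypoints executed without a transition:", missing_transitions(s))
```

On real systems the input comes from `ausearch -m avc` or /var/log/audit/audit.log; the parser ignores the non-AVC record types those emit. For the sample above, missing_transitions reports iptables_exec_t, which is the signal that the rawip_socket denials are a consequence of iptables running in dhcpc_t and should not simply be allowed there.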