Bug 444907

Summary: SELinux is preventing touch (dhcpc_t) "write" to ./firestarter (var_lock_t).
Product: Fedora
Reporter: Martin Naď <martin.nad89>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: mschmidt
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-07 15:00:37 UTC

Description Martin Naď 2008-05-01 18:08:31 UTC
Description of problem:
I have an AVC denial from firestarter when it's using DHCP.

SELinux is preventing touch (dhcpc_t) "write" to ./firestarter (var_lock_t). 
The SELinux type var_lock_t is a generic type for all files in the directory, 
and very few processes (SELinux Domains) are allowed to write to this SELinux 
type. This type of denial usually indicates a mislabeled file. By default a file 
created in a directory gets the context of the parent directory, but 
SELinux policy has rules about the creation of files that say: if a 
process running in one SELinux Domain (D1) creates a file in a directory with a 
particular SELinux File Context (F1), the file gets a different File Context 
(F2). The policy usually allows the SELinux Domain (D1) the ability to write, 
unlink, and append on (F2). But if for some reason a file (./firestarter) was 
created with the wrong context, this domain will be denied. The usual solution 
to this problem is to reset the file context on the target file: restorecon -v 
'./firestarter'. If the file context does not change from var_lock_t, then this 
is probably a bug in policy.

Audit information:
host=localhost.localdomain type=AVC msg=audit(1209650589.445:620): avc: denied 
{ write } for pid=4868 comm="touch" name="firestarter" dev=sda2 ino=430101 
scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 
tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1209650589.445:620): 
arch=c000003e syscall=2 success=no exit=-13 a0=7fff642d1d07 a1=941 a2=1b6 
a3=38265520cc items=0 ppid=4852 pid=4868 auid=4294967295 uid=0 gid=0 euid=0 
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="touch" exe="/bin/touch" 
subj=system_u:system_r:dhcpc_t:s0 key=(null) 

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-98.fc8
selinux-policy-targeted-3.0.8-98.fc8
firestarter-1.0.3-17.fc8

How reproducible:
sometimes
 
Additional info:

Comment 1 Michal Schmidt 2008-05-02 00:58:39 UTC
I can reproduce. When you set "IP address is assigned via DHCP" in 
firestarter's wizard, it hooks into the DHCP client by adding this line 
to /etc/dhclient-exit-hooks:
   sh /etc/firestarter/firestarter.sh start

The script is run in dhcpc_t domain and among other things it attempts to set 
the iptables rules. There are many AVC denials in permissive mode:
host=hammerfall type=AVC msg=audit(1209688871.380:542): avc: denied { create } 
for pid=1251 comm="iptables" 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket 

host=hammerfall type=AVC msg=audit(1209688871.397:544): avc: denied { setopt } 
for pid=1254 comm="iptables" lport=255 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket 

host=hammerfall type=AVC msg=audit(1209688871.380:543): avc: denied { getopt } 
for pid=1251 comm="iptables" lport=255 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket 

host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { 
execute } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { read } 
for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { 
execute_no_trans } for pid=1251 comm="sh" path="/sbin/iptables" dev=dm-0 
ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file

host=hammerfall type=AVC msg=audit(1209688878.722:548): avc: denied { write } 
for pid=1539 comm="touch" name="firestarter" dev=dm-2 ino=688200 
scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

host=hammerfall type=AVC msg=audit(1209688879.265:550): avc: denied { write } 
for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 

host=hammerfall type=AVC msg=audit(1209688879.264:549): avc: denied { search } 
for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

host=hammerfall type=AVC msg=audit(1209688879.286:551): avc: denied { read } 
for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 

Comment 2 Daniel Walsh 2008-05-07 15:00:37 UTC
Fixed in selinux-policy-3.3.1-47