Bug 528398

Summary: SELinux is preventing /sbin/dhclient "getcap" access.
Product: [Fedora] Fedora Reporter: Thomas Moschny <thomas.moschny>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:b032246dc6d282b522e9600a4a43225be791eeeb640cf54a0891369a37da81de
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-12 20:55:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thomas Moschny 2009-10-12 00:37:57 UTC 
Zusammenfassung:

SELinux is preventing /sbin/dhclient "getcap" access.

Detaillierte Beschreibung:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  unconfined_u:system_r:dhcpc_t:s0
Zielkontext                   unconfined_u:system_r:dhcpc_t:s0
Zielobjekte                   None [ process ]
Quelle                        dhclient
Quellen-Pfad                  /sbin/dhclient
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            dhclient-4.1.0p1-11.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-24.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux (removed)
                              2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22
                              EDT 2009 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Mo 12 Okt 2009 06:28:49 CEST
Zuletzt gesehen               Mo 12 Okt 2009 02:37:07 CEST
Lokale ID                     28c67916-e4be-469f-ba84-828bd5401639
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1255307827.229:29787): avc:  denied  { getcap } for  pid=6175 comm="dhclient" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1255307827.229:29787): arch=c000003e syscall=125 success=no exit=-13 a0=7f7ebbbe26f4 a1=7f7ebbbe26fc a2=1 a3=7fff62964f70 items=0 ppid=6118 pid=6175 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,dhclient,dhcpc_t,dhcpc_t,process,getcap
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t self:process getcap;
Comment 1 Daniel Walsh 2009-10-12 13:33:11 UTC 
Looks like this should be in this policy.  Could you make sure your policy successfully installed.

yum reinstall selinux-policy-targeted


Make sure nothing breaks on the install.
Comment 2 Daniel Walsh 2009-10-12 13:33:47 UTC 
*** Bug 528399 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Moschny 2009-10-12 20:55:49 UTC 
Ok, after reinstalling the policy and relabeling everything, the alert is not shown anymore.