Bug 562338 - SELinux is preventing /bin/bash "write" access.

| Field | Value |
|---|---|
| Product | Fedora |
| Component | selinux-policy |
| Version | 12 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | low |
| Reporter | paul <paullee0> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | carlg, dwalsh, mgrepl, paullee0 |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | setroubleshoot_trace_hash:5c509c264b8419ad16f93d40aee6792fe95a3327fc88ebfcd1eb1fd74e4a808b |
| Doc Type | Bug Fix |
| Regression | --- |
| Last Closed | 2010-04-04 20:59:29 UTC |
Description

paul, 2010-02-06 01:27:25 UTC

Reply:

This looks like a leak. /bin/bash and dhclient-script would not write to this. Which application are you using to bring up your network?

paul:

I should have written a script /etc/dhcp/dhclient-eth1-up-hooks which should run whenever dhclient updates the IP. This in turn runs a script that contains iptables commands to set up my firewall; extracts:

    ...
    $IPTABLES -A INPUT -p udp -d $EXTIP --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -p 50 -d $EXTIP -j ACCEPT
    $IPTABLES -A INPUT -p 51 -d $EXTIP -j ACCEPT
    ...

Hope this helps.

paul

Reply:

Does everything work other than generating this AVC message?

paul:

No. Iptables command was denied... e.g.

    ...
    /etc/rc.firewall-iptables-stronger_P226g_f13: line 49: /sbin/iptables: Permission denied
    /etc/rc.firewall-iptables-stronger_P226g_f13: line 50: /sbin/iptables: Permission denied
    /etc/rc.firewall-iptables-stronger_P226g_f13: line 52: /sbin/iptables: Permission denied
    /etc/rc.firewall-iptables-stronger_P226g_f13: line 54: /sbin/iptables: Permission denied

Reply:

To get this to work, you need to add a local policy module:

    # Write the module source; the here-document delimiter must match on both ends.
    cat > mydhcpc.te << _EOF
    policy_module(mydhcp, 1.0)

    require {
        type dhcpc_t;
    }

    # Let dhclient's hook scripts (running as dhcpc_t) execute iptables with a
    # domain transition into iptables_t, instead of running it inside dhcpc_t.
    iptables_domtrans(dhcpc_t)
    _EOF

    # Build mydhcpc.pp with the policy development Makefile and install it.
    make -f /usr/share/selinux/devel/Makefile
    semodule -i mydhcpc.pp

Which will allow your configuration to work.
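The fix above is the interesting security point of the thread: a raw `allow dhcpc_t iptables_exec_t:file execute;` (what a naive audit2allow run produces) would make the hook's iptables process keep running as dhcpc_t, whereas `iptables_domtrans(dhcpc_t)` keeps the firewall tool in its own confined iptables_t domain. The script below is an added example, not part of the bug report or of Fedora's tooling. It parses audit.log-style AVC records, and for execute denials against an exec type with a known domain-transition interface it emits the interface call rather than a raw allow rule; every other denial becomes a plain allow rule that still has to be reviewed by hand. The sample audit lines are constructed for the example, and the interface table is an assumption that lists only the mapping this thread confirms (`iptables_exec_t` to `iptables_domtrans`).

```python
"""Turn SELinux AVC denials into a local policy module skeleton.

Added example for the Bugzilla thread above; it is not Fedora's audit2allow.
Execute denials on an exec type listed in DOMTRANS_INTERFACES become an
interface call (a domain transition); everything else becomes a raw allow
rule that a human must review before running semodule -i.
"""
import re
from collections import defaultdict

# One AVC record as written by auditd; fields between "for" and scontext vary.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed mapping from exec type to the refpolicy interface that grants a
# domain transition. Only the pair confirmed in this thread is listed.
DOMTRANS_INTERFACES = {
    "iptables_exec_t": "iptables_domtrans",
}

# Constructed sample input in audit.log format; not copied from the bug.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1265419845.123:456): avc:  denied  { execute } for  '
    'pid=2231 comm="bash" name="iptables" dev=sda2 ino=39416 '
    'scontext=system_u:system_r:dhcpc_t:s0 '
    'tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1265419845.124:457): avc:  denied  { write } for  '
    'pid=2231 comm="bash" path="/var/log/firewall.log" dev=sda2 ino=12008 '
    'scontext=system_u:system_r:dhcpc_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1265419845.124:457): arch=40000003 syscall=11 '
    'success=no exit=-13',
]


def selinux_type(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; returns None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def build_module(lines, name="mydhcpc", version="1.0"):
    """Aggregate denials from audit lines and render a .te module as a string."""
    allows = defaultdict(set)   # (source type, target type, class) -> perms
    interfaces = set()          # rendered interface calls
    types = set()               # types that must appear in the require block
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        types.add(d["stype"])
        iface = DOMTRANS_INTERFACES.get(d["ttype"])
        if iface and d["tclass"] == "file" and "execute" in d["perms"]:
            # Prefer a domain transition: the helper keeps its own domain.
            # The interface declares the exec type itself, so it is not
            # added to the require block (matching the module in the thread).
            interfaces.add(f"{iface}({d['stype']})")
            continue
        types.add(d["ttype"])
        allows[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["}", ""]
    out += sorted(interfaces)
    for (s, t, c), perms in sorted(allows.items()):
        # Raw allow rules widen the source domain; review before installing.
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT), end="")
```

Running it on the constructed sample prints a module whose only rule for the iptables denial is `iptables_domtrans(dhcpc_t)`, while the write denial on `var_log_t` appears as a raw allow line that you would want to trace back to its cause (in this thread, a file descriptor leaked into the hook script) before granting it.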