Bug 562338

Summary: SELinux is preventing /bin/bash "write" access.
Product: [Fedora] Fedora Reporter: paul <paullee0>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: carlg, dwalsh, mgrepl, paullee0
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:5c509c264b8419ad16f93d40aee6792fe95a3327fc88ebfcd1eb1fd74e4a808b
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-04 20:59:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description paul 2010-02-06 01:27:25 UTC 
Summary:

SELinux is preventing /bin/bash "write" access.

Detailed Description:

SELinux denied access requested by dhclient-script. It is not expected that this
access is required by dhclient-script and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                None [ file ]
Source                        dhclient-script
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.0.35-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1
                              SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Tue 02 Feb 2010 09:48:40 PM HKT
Last Seen                     Thu 04 Feb 2010 09:58:20 PM HKT
Local ID                      91a42de2-08e5-48a8-89c1-b12e4817ad05
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265291900.244:16): avc:  denied  { write } for  pid=1694 comm="dhclient-script" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1265291900.244:16): arch=40000003 syscall=5 success=no exit=-13 a0=88a86d0 a1=8201 a2=0 a3=ffffffff items=0 ppid=1677 pid=1694 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient-script" exe="/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-78.fc12,catchall,dhclient-script,dhcpc_t,sysctl_net_t,file,write
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t sysctl_net_t:file write;
Comment 1 Daniel Walsh 2010-02-08 18:48:12 UTC 
This looks like a leak.  /bin/bash and dhclient-script would not write to this.  Which application are you using to bring up your network?
Comment 2 paul 2010-02-10 12:48:14 UTC 
I should have written a script /etc/dhcp/dhclient-eth1-up-hooks which should run whenever dhclient update the ip.

This in turn run a script that contain iptables command to setup my firewall, extracts:-
...
$IPTABLES -A INPUT -p udp -d $EXTIP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p 50 -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -p 51 -d $EXTIP -j ACCEPT
...

Hope this help.

paul
Comment 3 Daniel Walsh 2010-02-10 16:14:33 UTC 
Does everything work other then generating this AVC message?
Comment 4 paul 2010-07-18 03:47:46 UTC 
No.  Iptables command was denied...

e.g.
...
/etc/rc.firewall-iptables-stronger_P226g_f13: line 49: /sbin/iptables: Permission denied
/etc/rc.firewall-iptables-stronger_P226g_f13: line 50: /sbin/iptables: Permission denied
/etc/rc.firewall-iptables-stronger_P226g_f13: line 52: /sbin/iptables: Permission denied
/etc/rc.firewall-iptables-stronger_P226g_f13: line 54: /sbin/iptables: Permission denied
Comment 5 Daniel Walsh 2010-07-19 15:12:22 UTC 
To get this to work, you need to add a local policy module

cat > mydhcpc.te << _EOF

policy_module(mydhcp, 1.0)

require {
        type dhcpc_t;
}

iptables_domtrans(dhcpc_t)
__EOF

make -f /usr/share/selinux/devel/Makefile
semodule -i mydhcpc.pp

Which will allow your configuration to work.