Bug 645969

Summary: dhclient fails due to SElinux problems: No network
Product: [Fedora] Fedora Reporter: Horst H. von Brand <vonbrand>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: rawhideCC: atkac, dwalsh, jpopelka, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-25 10:27:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Output of sealert none

Description Horst H. von Brand 2010-10-23 11:20:23 UTC 
Created attachment 455241 [details]
Output of sealert

Description of problem:
No WiFi network, the card fails to associate. In /var/log/messages I see:

Oct 22 21:21:22 netbook1 setroubleshoot: SELinux is preventing /sbin/dhclient "s
earch" access on /etc/pki. For complete SELinux messages. run sealert -l e6e1b1a
d-3e29-4584-87f4-6788c050a388

Disbling SElinux (boot with "selinux=0" as kernel parameter) gets network working. Downgraded to dhclient-4.2.0-12.fc15.x86_64, now it works again.

Version-Release number of selected component (if applicable):
dhclient-4.2.0-15.fc15.x86_64
selinux-policy-targeted-3.9.7-4.fc15.noarch
selinux-policy-3.9.7-4.fc15.noarch

How reproducible:
Always

Steps to Reproduce:
1. Start WiFi via NetworkManager
2.
3.
  
Actual results:
No network. Trying by hand ("iwconfig wlan0 essid ...") just gets that the card doesn't associate.

Expected results:


Additional info:
Comment 1 Jiri Popelka 2010-10-25 08:49:40 UTC 
Adam, do you have any idea why dhclient-4.2.0-15.fc15 needs access on /etc/pki ?
Comment 2 Jiri Popelka 2010-10-25 09:19:27 UTC 
http://lists.fedoraproject.org/pipermail/devel/2010-October/144615.html
Comment 3 Adam Tkac 2010-10-25 09:56:51 UTC 
(In reply to comment #1)
> Adam, do you have any idea why dhclient-4.2.0-15.fc15 needs access on /etc/pki
> ?

Let me check it.
Comment 4 Adam Tkac 2010-10-25 10:21:39 UTC 
(In reply to comment #1)
> Adam, do you have any idea why dhclient-4.2.0-15.fc15 needs access on /etc/pki
> ?

Previously dhclient used bundled bind and bind's libraries were compiled without crypto support (i.e. without linking against libcrypto.so). Now dhclient is linked against system wide bind libraries and those libs are compiled with crypto support. When dhclient is started, it initializes libdns library and crypto routines are automatically initialized. It means openssl reads it's configuration from /etc/pki/tls/openssl.cnf.

In my opinion proper solution is to allow dhclient to read openssl configuration file.
Comment 5 Miroslav Grepl 2010-10-25 10:27:00 UTC 

*** This bug has been marked as a duplicate of bug 645566 ***