Bug 887619
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dhclient needs to write to NetworkManager directories | | |
| Product | [Fedora] Fedora | Reporter | Gene Czarcinski <gczarcinski> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 18 | CC | dominick.grift, dwalsh, mgrepl, psimerda |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-12-18 06:54:16 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Gene Czarcinski
2012-12-16 20:00:19 UTC
Gene, could you attach AVC msgs?

Created attachment 664592 [details]
grep dhclient audit.log

I am the individual who created the NetworkManager patches to implement dynamic DNS for DHCPv6. During my testing, I found that some SELinux policies needed updating so that things would work. The policy changes shown above are the end result but do not show the steps along the way ... update the policy, try again, update the policy, try again. Similarly, the attached audit.log does not show the full story. If needed, I can virtually create the separate steps and provide that info. Here are the initial three steps:

```
module NM1pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# dhcpc_var_run_t, net_conf_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, root_t
allow dhcpc_t NetworkManager_var_lib_t:dir write;
```

```
module NM2pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir write;
```

```
module NM3pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
```

Remember, it takes a NetworkManager from git dated 30 November or later ... it might even be a bit earlier but certainly not what is shipping with F18. It might be a little effort but I can easily go through the steps again (naturally, using qemu-kvm).
Created attachment 664598 [details]
all four steps -- grep dhclient audit.log
I redid everything virtually on F18-TC2+; the attached audit log has all "steps". Here are the results:

```
module dhc-1 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# net_conf_t, systemd_passwd_var_run_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, dhcpc_var_run_t
allow dhcpc_t NetworkManager_var_lib_t:dir write;
```

```
module dhc-2 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir write;
```

```
module dhc-3 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
```

```
module dhc-4 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file { write create };
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file write;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:file create;
```

That is it folks!

Gene, thank you. Fixed in selinux-policy-3.11.1-65.fc18

Thanks Gene & Miroslav. Actually added to selinux-policy-3.11.1-66.fc18

selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
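The four dhc-N modules in the thread are what audit2allow produces when the denials surface one at a time: each retry of dhclient stops at the next denied permission. As an added example that is not part of this bug and not Fedora's audit2allow, the Python below does the same grouping over AVC records, collapsing every denial for a (source type, target type, class) triple into one allow rule, and lists the modification rights a generated module would grant so they can be reviewed before `semodule -i`. The AVC lines are constructed to mirror the dhcpc_t to NetworkManager_var_lib_t denials described in the report (pids, inodes and the lease file name are made up), not copied from the attached audit.log.

```python
"""Small audit2allow-style aggregator (added example, not Fedora's tool).

Groups AVC denials by (source type, target type, object class) and renders
the minimal TE module that would allow them, in the shape of the dhc-N
modules from the bug thread. Unlike audit2allow it does not consult the
installed policy, so it cannot emit the "#!!!! This avc is allowed in the
current policy" notes.
"""
import re
from collections import defaultdict

# Constructed AVC records mirroring the denials described in the report
# (dhclient in dhcpc_t touching /var/lib/NetworkManager). They are NOT
# copied from the bug's attached audit.log; pids, inodes and names are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1355686819.123:456): avc:  denied  { write } for  pid=1234 comm="dhclient" name="NetworkManager" dev="dm-1" ino=12345 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1355686819.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="dhclient"
type=AVC msg=audit(1355686820.456:457): avc:  denied  { add_name } for  pid=1234 comm="dhclient" name="example.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1355686821.789:458): avc:  denied  { create } for  pid=1234 comm="dhclient" name="example.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
type=AVC msg=audit(1355686822.012:459): avc:  denied  { write } for  pid=1234 comm="dhclient" path="/var/lib/NetworkManager/example.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
"""

# A security context is user:role:type[:mls]; only the type matters for TE rules.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Permissions that let the source domain modify the target; worth a second look
# before a generated module is installed with semodule -i.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "add_name",
              "remove_name", "setattr", "relabelto", "relabelfrom"}


def parse_avc_denials(log_text):
    """Return {(stype, ttype, tclass): set(perms)} over all AVC denial lines."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL/CWD/PATH records carry no denial
        denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms):
    """Single perm bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, denials):
    """Render a module with a require block and one allow rule per key."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def write_like_grants(denials):
    """List the (stype, ttype, tclass, perms) rules that grant modification."""
    return sorted(
        (s, t, c, tuple(sorted(p & WRITE_LIKE)))
        for (s, t, c), p in denials.items() if p & WRITE_LIKE
    )


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in write_like_grants(found):
        print("review:", rule)
    print(render_te_module("dhc-4", found))
```

Run against the constructed log this yields the same two rules as the reporter's dhc-4 module. The reason the thread needed four rounds is that a denial stops dhclient before it reaches the next operation; marking the domain permissive for the test run (`semanage permissive -a dhcpc_t`, reverted afterwards with `-d`) logs every denial in one pass while the rest of the system stays enforcing, so the aggregator sees the full set at once.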