Bug 887619

Summary: dhclient needs to write to NetworkManager directories
Product: Fedora
Component: selinux-policy
Version: 18
Reporter: Gene Czarcinski <gczarcinski>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl, psimerda
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2012-12-18 06:54:16 UTC

Attachments:
  grep dhclient audit.log  (flags: none)
  all four steps -- grep dhclient audit,log  (flags: none)

Description Gene Czarcinski 2012-12-16 20:00:19 UTC
Description of problem:
Not yet in F18 but the NetworkManager in git has updates to support dynamic DNS with DHCPv6.  This required writing an IPv6 configuration file for dhclient and having it write files also.

On F18 (and F17 for that matter), I am running NetworkManager as of the git on 30 Nov 2012 to get the new DHCPV6 support.

The following needs to be added to SELinux policy:

module NM4pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file { write create };
}
# fixup for NM changing file location with dhclient
# Wed 10 Oct 2012 04:25:07 AM EDT 
#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# dhcpc_var_run_t, net_conf_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, 
# dhcpc_state_t, var_run_t, root_t
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file write;
allow dhcpc_t NetworkManager_var_lib_t:file create;

Comment 1 Miroslav Grepl 2012-12-16 20:55:52 UTC
Gene,
could you attach AVC msgs?

Comment 2 Gene Czarcinski 2012-12-16 23:23:24 UTC
Created attachment 664592 [details]
grep dhclient audit.log

Comment 3 Gene Czarcinski 2012-12-16 23:34:52 UTC
I am the individual who created the NetworkManager patches to implement dynamic DNS for DHCPv6.  During my testing, I found that some SELinux policies needed updating so that things would work.

The policy changes shown above are the end result but do not show the steps along the way ... update the policy, try again, update the policy, try again.

Similarly, the attached audit.log does not show the full story.

If needed, I can virtually create the separate steps and provide that info.

Here are the initial three steps:
------------------------------
module NM1pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# dhcpc_var_run_t, net_conf_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, root_t

allow dhcpc_t NetworkManager_var_lib_t:dir write;
-------------------------------

----------------------------------
module NM2pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir write;
----------------------------------------

-------------------------------------------
module NM3pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
-----------------------------------------------

Remember, it takes a NetworkManager from git dated 30 November or later ... it might even be a bit earlier but certainly not what is shipping with F18.

It might be a little effort but I can easily go through the steps again (naturally, using qemu-kvm).

Comment 4 Gene Czarcinski 2012-12-17 00:57:06 UTC
Created attachment 664598 [details]
all four steps -- grep dhclient audit,log

Comment 5 Gene Czarcinski 2012-12-17 01:00:26 UTC
I redid everything virtually on F18-TC2+; the attached audit log has all "steps".  Here are the results:
------------------------------------
module dhc-1 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# net_conf_t, systemd_passwd_var_run_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, dhcpc_var_run_t

allow dhcpc_t NetworkManager_var_lib_t:dir write;
---------------------------------------------------
module dhc-2 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir write;
-----------------------------------------------
module dhc-3 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
---------------------------------------
module dhc-4 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file { write create };
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file write;
#!!!! This avc is allowed in the current policy

allow dhcpc_t NetworkManager_var_lib_t:file create;
=================================================

That is it folks!
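As an added illustration (not code from this report or from selinux-policy), a small Python script that collapses the denials from the four-step loop in comments 3 and 5 into a single policy module, the way the final NM4pol/dhc-4 module does. The AVC lines embedded in it are constructed samples modelled on this bug, not the reporter's attached audit.log.

```python
import re
from collections import defaultdict

# Constructed AVC records modelled on the denials in this bug (dhclient as dhcpc_t
# writing under /var/lib/NetworkManager); not the reporter's attached audit.log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355700000.123:456): avc:  denied  { write } for  pid=1234 comm="dhclient" name="NetworkManager" dev="dm-1" ino=1001 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1355700010.456:460): avc:  denied  { add_name } for  pid=1234 comm="dhclient" name="dhclient6-eth0.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1355700020.789:470): avc:  denied  { create } for  pid=1234 comm="dhclient" name="dhclient6-eth0.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
type=AVC msg=audit(1355700030.012:480): avc:  denied  { write } for  pid=1234 comm="dhclient" path="/var/lib/NetworkManager/dhclient6-eth0.lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+)"
                    r".*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)")

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) for each denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("sctx").split(":")[2]  # context is user:role:type[:range]
        ttype = m.group("tctx").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm

def merge_rules(denials):
    """Collapse denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        rules[(stype, ttype, tclass)].add(perm)
    return dict(rules)

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_module(name, rules):
    """Emit a policy module shaped like the audit2allow -M output quoted above."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    # One allow per (source, target, class). Review scope before loading: the
    # file rule here covers every NetworkManager_var_lib_t file, not only leases.
    out += [f"allow {s} {t}:{c} {fmt_perms(rules[(s, t, c)])};" for (s, t, c) in sorted(rules)]
    return "\n".join(out) + "\n"
```

Running `render_module("dhc_merged", merge_rules(parse_denials(SAMPLE_AUDIT)))` yields the same two allow rules as dhc-4 in one pass instead of four.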

Comment 6 Miroslav Grepl 2012-12-17 08:38:05 UTC
Gene,
thank you.

Fixed in selinux-policy-3.11.1-65.fc18

Comment 7 Pavel Šimerda (pavlix) 2012-12-17 11:01:35 UTC
Thanks Gene & Miroslav.

Comment 8 Miroslav Grepl 2012-12-17 11:07:25 UTC
Actually added to selinux-policy-3.11.1-66.fc18

Comment 9 Fedora Update System 2012-12-17 17:39:36 UTC
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

Comment 10 Fedora Update System 2012-12-18 06:54:18 UTC
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.