Bug 122026 - user-controllable /sbin/ifup doesn't have access to dhcp file
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2004-04-29 16:15 EDT by Gary Peck
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-05-28 10:28:04 EDT


Description Gary Peck 2004-04-29 16:15:05 EDT
Description of problem:
When bringing up eth0 that is set to USERCTL=yes with /sbin/ifup as a
regular user, permission is denied to access/modify
/etc/dhclient-eth0.conf.

Version-Release number of selected component (if applicable):
policy-1.11.2-18

How reproducible:
Always

Steps to Reproduce:
1. Add USERCTL=yes to /etc/sysconfig/network-scripts/ifcfg-<if>
2. Do /sbin/ifup <if> as a normal user
  
Actual results:
audit(1083040217.142:0): avc:  denied  { getattr } for  pid=2488
exe=/bin/bash path=/etc/dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1083040217.149:0): avc:  denied  { getattr } for  pid=2488
exe=/bin/bash path=/etc/dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1083040217.150:0): avc:  denied  { getattr } for  pid=2488
exe=/bin/bash path=/etc/dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1083040217.150:0): avc:  denied  { append } for  pid=2488
exe=/bin/bash name=dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file


Expected results:
No avc denied messages.


Additional info:
The interface comes up, but I think that's only because I already had
the right stuff written in /etc/dhclient-eth0.conf from previous runs.

Here's /etc/sysconfig/network-scripts/ifcfg-eth0:
# Intel Corp.|82557/8/9 [Ethernet Pro 100]
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:20:E0:6C:58:04
ONBOOT=no
USERCTL=yes
TYPE=Ethernet
DHCP_HOSTNAME=taz
PEERDNS=no

$ ls -Z /etc/dhclient-eth0.conf
-rw-r--r--+ root     root     system_u:object_r:dhcp_etc_t     /etc/dhclient-eth0.conf

$ id -Z
user_u:user_r:user_t

Comment 1 Daniel Walsh 2004-05-06 14:07:54 EDT
Added allow rules in
/policy-1.11.3-2.src.rpm
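
Added example, not part of the original report or of the Fedora policy package: a small Python parser that turns the AVC denials quoted in the description into candidate type-enforcement allow rules, in the way audit2allow-style tooling does. The function names are hypothetical, and the rules actually added in the policy update are not shown on this page.

```python
import re
from collections import defaultdict

# Three of the denials from this report, wrapped as they appear on the page.
SAMPLE = """\
audit(1083040217.142:0): avc:  denied  { getattr } for  pid=2488
exe=/bin/bash path=/etc/dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1083040217.149:0): avc:  denied  { getattr } for  pid=2488
exe=/bin/bash path=/etc/dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1083040217.150:0): avc:  denied  { append } for  pid=2488
exe=/bin/bash name=dhclient-eth0.conf dev=dm-0 ino=343574
scontext=user_u:user_r:usernetctl_t
tcontext=system_u:object_r:dhcp_etc_t tclass=file
"""

# One record runs from "avc: denied" to the next "audit(" or end of input,
# so records wrapped across several lines are still read as a unit.
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=audit\(|\Z)", re.S)
FIELD = re.compile(r"(\w+)=(\S+)")

def type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for m in AVC.finditer(text):
        f = dict(FIELD.findall(m.group(2)))
        stype, ttype = type_of(f.get("scontext", "")), type_of(f.get("tcontext", ""))
        if stype and ttype and "tclass" in f:  # skip truncated records, do not guess
            yield stype, ttype, f["tclass"], m.group(1).split()

def candidate_rules(text):
    """Merge denials per (source, target, class) into one allow rule each."""
    grouped = defaultdict(set)
    for s, t, c, perms in parse_denials(text):
        grouped[(s, t, c)].update(perms)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

Treat the output as a rule to review rather than to apply as-is: an allow rule is scoped to a type, so granting append here would let the usernetctl_t domain append to every file labeled dhcp_etc_t, not only /etc/dhclient-eth0.conf.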
