Bug 153244 - SELinux warnings, maybe DHCP-related
Summary: SELinux warnings, maybe DHCP-related
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-03 22:55 UTC by Florin Andrei
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-27 20:38:23 UTC
Type: ---
Embargoed:



Description Florin Andrei 2005-04-03 22:55:28 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
AthlonXP system, multiple interfaces, eth0 is on DHCP, the rest are static (but disabled for the moment, so they don't count).
When booting up the system, sometimes i see this in the logs:

###################################################
Apr  3 15:48:48 demo kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
Apr  3 15:48:48 demo kernel: ip_tables: (C) 2000-2002 Netfilter core team
Apr  3 15:48:48 demo kernel: ip_conntrack version 2.1 (3967 buckets, 31736 max) - 272 bytes per conntrack
Apr  3 15:48:48 demo kernel: e100: eth0: e100_watchdog: link up, 100Mbps, half-duplex
Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { read } for  pid=1497 exe=/bin/cp name=config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.223:0): avc:  denied  { getattr } for  pid=1497 exe=/bin/cp path=/etc/selinux/config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=contexts dev=hda2 ino=2261392 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=files dev=hda2 ino=2261398 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.278:0): avc:  denied  { read } for  pid=1504 exe=/sbin/restorecon name=file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.279:0): avc:  denied  { getattr } for  pid=1504 exe=/sbin/restorecon path=/etc/selinux/targeted/contexts/files/file_contexts dev=hda2 ino=2261397 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:file_context_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=/ dev=selinuxfs ino=252 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=dir
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { read write } for  pid=1504 exe=/sbin/restorecon name=context dev=selinuxfs ino=5 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file
Apr  3 15:48:48 demo kernel: audit(1112568526.286:0): avc:  denied  { check_context } for  pid=1504 exe=/sbin/restorecon scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=security
Apr  3 15:48:48 demo kernel: tun: Universal TUN/TAP device driver, 1.6
Apr  3 15:48:48 demo kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk>
###################################################

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.5-3

How reproducible:
Sometimes

Steps to Reproduce:
1. see above

Additional info:

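The denials above all share one source domain (dhcpc_t) and target SELinux's own configuration and policy types. The following triage script is an added example, not part of the bug report or of Fedora's tooling: it parses AVC lines of the format shown (a constructed subset is embedded), merges them per (source type, target type, class) the way audit2allow presents them, and flags the ones that should be fixed in the calling program rather than allowed, which is the conclusion Dan Walsh reaches in comment 4.

```python
import re
from collections import defaultdict

# Constructed sample: the audit() portion of four AVC lines from the report above.
SAMPLE_AVC_LINES = """\
audit(1112568526.223:0): avc:  denied  { read } for  pid=1497 exe=/bin/cp name=config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
audit(1112568526.223:0): avc:  denied  { getattr } for  pid=1497 exe=/bin/cp path=/etc/selinux/config dev=hda2 ino=2261414 scontext=user_u:system_r:dhcpc_t tcontext=user_u:object_r:selinux_config_t tclass=file
audit(1112568526.278:0): avc:  denied  { search } for  pid=1504 exe=/sbin/restorecon name=contexts dev=hda2 ino=2261392 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:default_context_t tclass=dir
audit(1112568526.286:0): avc:  denied  { read write } for  pid=1504 exe=/sbin/restorecon name=context dev=selinuxfs ino=5 scontext=user_u:system_r:dhcpc_t tcontext=system_u:object_r:security_t tclass=file
""".splitlines()

# Types owned by the SELinux infrastructure itself. A network client domain
# needing them is a symptom of misbehaviour (here: dhclient calling restorecon),
# not a policy gap to be closed with an allow rule.
SELINUX_INFRA_TYPES = {"selinux_config_t", "security_t",
                       "file_context_t", "default_context_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return (permission list, field dict) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    return m.group("perms").split(), fields

def type_of(context):
    """'user_u:system_r:dhcpc_t' -> 'dhcpc_t' (the type is the third field)."""
    return context.split(":")[2]

def summarize(lines):
    """Merge denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            perms, f = parsed
            rules[(type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])].update(perms)
    return {k: sorted(v) for k, v in rules.items()}

def format_rules(rules):
    """Render merged denials in policy syntax so each can be judged on its own."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]

def needs_fix_not_allow(rules):
    """Rules whose target is SELinux's own infrastructure: fix the caller instead."""
    return [k for k in sorted(rules) if k[1] in SELINUX_INFRA_TYPES]

if __name__ == "__main__":
    rules = summarize(SAMPLE_AVC_LINES)
    for r in format_rules(rules):
        print(r)
    print("do not allow, fix the source domain:", needs_fix_not_allow(rules))
```

Feed it the full `audit(...)` portion of a dmesg or /var/log/messages capture (everything after `kernel: `) to get the same per-rule view for a real boot.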
Comment 1 Florin Andrei 2005-04-03 22:58:14 UTC
I'm sorry, I'm confused, I was thinking of another bug - this is not happening
intermittently, it happens every single time, when the system boots up.
Sorry for the mistake.

There are also some SELinux messages when shutting down, but those happen after
syslog is turned off, so i'm not sure how to capture them.

Comment 2 Florin Andrei 2005-04-03 23:04:32 UTC
BTW, SELinux is in "permissive" mode.

Comment 3 Florin Andrei 2005-04-03 23:05:43 UTC
Also see bug #153245 - they seem related.

Comment 4 Daniel Walsh 2005-04-04 13:37:52 UTC
The problem here is that dhclient is attempting to run restorecon and it should
not.  The file labeling is being taken care of by SELinux.

Comment 9 Daniel Walsh 2005-04-16 03:33:59 UTC
Restorecon has been removed from the latest rawhide dhclient scripts.

Comment 11 Jason Vas Dias 2005-04-18 18:19:56 UTC
 dhcp-3.0.2-8 now has a workaround that avoids these SELinux problems.
 The problem was that when dhclient runs during boot in context
     'system_u:object_r:dhcpc_exec_t'
 it cannot:
    o modify ANY configuration files
      (/etc/resolv.conf, /etc/yp.conf, /etc/ntp.conf, 
       /etc/ntp/step-tickers)
    o run /sbin/restorecon
    o run /usr/sbin/hostname or /usr/sbin/domainname
 For some reason, when dhclient is run out of the boot sequence,
 e.g. by root command "service network restart", then it is allowed
 to modify the configuration files and run restorecon and 
 {host,domain}name. This may have something to do with the context
 of /etc/sysconfig/network-scripts/ifup-eth, from which dhclient is
 run, being 'system_u:object_r:etc_t' and not /sbin/ifup's 
 system_u:object_r:sbin_t .

 The temporary workaround, until SELinux policy is fixed, is to
    # chcon system_u:object_r:sbin_t /sbin/dhclient*
 in the dhclient-3.0.2-8.*.rpm %post script.
 The "restorecon"s are also restored in this version and now work.

Comment 12 Jason Vas Dias 2005-04-18 18:27:11 UTC
 dhcp-3.0.8 will be in rawhide20050419 - meanwhile, you can download it
 from:
  http://people.redhat.com/~jvdias/DHCP/FC4
