From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

Description of problem:
First I set the IP address to be obtained automatically by DHCP, and then I tried to change it to a statically set IP address from system-config-network. Then, resolv.conf is cleared.

Version-Release number of selected component (if applicable):
system-config-network-1.3.26-1

How reproducible:
Always

Steps to Reproduce:
1. Run system-config-network
2. Select NIC in "Devices"
3. Click "Edit" button
4. Click "Statically set IP addresses" and input parameters
5. Click "Stop" and "Start" button to restart NIC

Actual Results:
/etc/resolv.conf and /etc/sysconfig/networking/profiles/default/resolv.conf are cleared. They contain only one "\n".

Expected Results:
"nameserver XXX.XXX.XXX.XXX" will be written in resolv.conf.

Additional info:
After I removed NCProfileList.pyc and NCProfileList.pyo from /usr/share/system-config-network/netconfpkg, system-config-network did not clear resolv.conf. So I suppose these NCProfileList.pyc or NCProfileList.pyo may be obsolete.
Haven't seen this bug report from others... NCProfileList.pyc and NCProfileList.pyo are the Python compiled versions of NCProfileList.py ... so something really went wrong here.
Using FC4 final: Deleting those files didn't work for me. I found selinux errors (permission denied writing to /etc/resolv.conf) in /var/log/messages, so I disabled selinux and now it works.

I tracked the problem to the call to /sbin/dhclient in /etc/sysconfig/network-scripts/ifup-eth, line 176. The /etc/resolv.conf file contains old content before call, and file is empty after call.

More info: System installed via kickstart with a small set of packages ~450. Kickstart set to use dhcp, empty /etc/resolv.conf after reboot even though /var/lib/dhcp/dhclient-eth0.leases contains the correct information. I reproduced this every time on six (6) installs.

A full install (nearly every package) does not have this problem, I assume the problem could be solved by adding some package, but which one?
$ rpm -qf /sbin/dhclient-script
dhclient-3.0.2-12
There appear to be two issues associated with this bug report:

1. RE: Changing from DHCP to Static configuration and resolv.conf is cleared:

This is correct behavior, if you did not specify any static name server and domain / search path parameters. If you do not wish the resolver parameters to be specified by DHCP, then you must specify them manually.

When dhclient is stopped for an interface, it removes the information it wrote to resolv.conf - this is what we want it to do, as when dhclient is stopped and the DHCP interface is brought down, any configuration parameters written by dhclient are invalid.

Did you specify the name server and domain / search path parameters in system-config-network when switching from DHCP to Static?

If so, then this could be a problem with system-config-network: if it writes the newly specified static parameters to resolv.conf and THEN stops dhclient, the new parameters written would be lost. It must stop dhclient (move from DHCP to static configuration) and then write the resolv.conf parameters.

If not, then this is 'NOTABUG': as no static resolver parameters were entered, and you are moving to a static configuration, the resolv.conf file should be empty.

2. SELinux policy for dhclient incorrect after kickstart install:

> I found selinux errors (permission denied writing to /etc/resolv.conf)
> in /var/log/messages

Could you please paste examples of these messages into this bug report?

> System installed via kickstart with a small set of packages ~450.
...
> A full install (nearly every package) does not have this problem

Was 'selinux-policy-targeted' one of the missing packages?

Ensure your kickstart script includes at least these selinux packages and their dependencies:

    selinux-policy-targeted
    policycoreutils
    libselinux
    libsepol
    checkpolicy

It might also be necessary to touch the /.autorelabel file after kickstart installation to ensure the newly installed filesystem is correctly labelled - after relabelling the first time, no subsequent relabels should be required.

If you can reproduce the problem with all the above packages installed and the filesystem correctly labelled (after touching /.autorelabel and rebooting), then please append the /var/log/audit/audit.log file to this bug report and the output of

# ls -lZ /etc/resolv.* /sbin/dhc*
Created attachment 118411
/var/log/audit/audit.log from target machine
The package "checkpolicy" wasn't installed. Neither was "audit".

Output from /var/log/messages:

Sep 2 15:36:32 localhost kernel: eth0: network connection up using port A
Sep 2 15:36:32 localhost kernel: speed: 100
Sep 2 15:36:32 localhost kernel: autonegotiation: yes
Sep 2 15:36:32 localhost kernel: duplex mode: full
Sep 2 15:36:32 localhost kernel: flowctrl: symmetric
Sep 2 15:36:32 localhost kernel: irq moderation: disabled
Sep 2 15:36:32 localhost squid[2278]: Squid Parent: child process 2280 started
Sep 2 15:36:32 localhost kernel: scatter-gather: enabled
Sep 2 15:36:32 localhost kernel: audit(1125696987.492:2): avc: denied { write } for pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8 ino=493579 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.492:3): avc: denied { unlink } for pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8 ino=493579 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.510:4): avc: denied { getattr } for pid=2055 comm="mktemp" name="/" dev=hda5 ino=2 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep 2 15:36:32 localhost kernel: audit(1125696987.577:5): avc: denied { rename } for pid=2064 comm="mv" name="yp.conf" dev=hda8 ino=493602 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.586:6): avc: denied { write } for pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.586:7): avc: denied { write } for pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.594:8): avc: denied { append } for pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.594:9): avc: denied { append } for pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.837:10): avc: denied { read } for pid=2117 comm="syslogd" name="hosts" dev=hda8 ino=493683 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Sep 2 15:36:32 localhost kernel: NET: Registered protocol family 10
Sep 2 15:36:32 localhost kernel: Disabled Privacy Extensions on device c03e6a20(lo)
Sep 2 15:36:32 localhost kernel: IPv6 over IPv4 tunneling driver

Installed chkpolicy and audit, enabled selinux again, touched /.autorelabel, rebooted. Problem persists, but now this in /var/log/messages:

Sep 2 16:44:16 localhost kernel: eth0: network connection up using port A
Sep 2 16:44:16 localhost kernel: speed: 100
Sep 2 16:44:16 localhost kernel: autonegotiation: yes
Sep 2 16:44:16 localhost kernel: duplex mode: full
Sep 2 16:44:16 localhost kernel: flowctrl: symmetric
Sep 2 16:44:16 localhost kernel: irq moderation: disabled
Sep 2 16:44:16 localhost kernel: scatter-gather: enabled
Sep 2 16:44:16 localhost kernel: audit(1125701053.273:2): avc: denied { getattr } for pid=2051 comm="mktemp" name="/" dev=hda5 ino=2 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep 2 16:44:16 localhost kernel: audit(1125701053.591:3): avc: denied { read } for pid=2114 comm="syslogd" name="hosts" dev=hda8 ino=493685 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Sep 2 16:44:16 localhost kernel: NET: Registered protocol family 10
Sep 2 16:44:16 localhost kernel: Disabled Privacy Extensions on device c03e6a20(lo)
Sep 2 16:44:16 localhost kernel: IPv6 over IPv4 tunneling driver

The log file /var/log/audit/audit.log is attached above.

Here is the output of that command:

# ls -lZ /etc/resolv.* /sbin/dhc*
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf.predhclient
-rwxr-xr-x root root system_u:object_r:dhcpc_exec_t /sbin/dhclient
-rwxr-xr-x root root system_u:object_r:dhcpc_exec_t /sbin/dhclient-script
From the looks of the above output, it looks like dhclient has succeeded - both resolv.conf and resolv.conf.predhclient exist with the correct SELinux context - or are they from different sessions? Please confirm that the new resolv.conf still has the incorrect content.

Try "ifdown; rm -rf /etc/resolv.*; ifup;" - what do the /etc/resolv.* files look like then - are the resolv.conf contents still bad?

I don't like the look of this AVC message:

audit(1125701053.273:2): avc: denied { getattr } for pid=2051 \
comm="mktemp" name="/" dev=hda5 ino=2 \
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir

dhclient script always creates the new resolv.conf first in the file named by the output of the command '/bin/mktemp /tmp/XXXXXX'.

This AVC definitely cannot be reproduced on my rawhide system, with selinux-policy-targeted-1.25.4.11. The latest update for FC-4 is selinux-policy-targeted-1.25.4-10 - what version do you have installed? You should ensure that you have all the latest FC-4 upgrades installed, including the kernel.

The dhclient AVC shows that mktemp, when run by dhclient with context dhcpc_t, cannot get the SELinux attributes of the first component of the path '/tmp/XXXXXX' - ie. '/', the root filesystem. This should have the context 'system_u:object_r:root_t', not 'system_u:object_r:file_t', as it would appear the AVC above shows it has.

The AVC that follows the dhclient AVC shows that syslogd is not allowed to read /etc/hosts (so network logging is disabled) because /etc/hosts has context system_u:object_r:etc_runtime_t - on my system, it has system_u:object_r:etc_t.

Did the relabel take effect? ie. after touching /.autorelabel and rebooting, did you see the message

*** Warning -- SELinux relabel is required. ***
*** Relabeling could take a very long time, ***

when you booted up? Was this process interrupted in any way?

Note that if you ever run with the kernel boot argument 'selinux=no', (SELinux disabled) you MUST autorelabel to run without 'selinux=no'. It is much better to use the 'selinux=permissive' boot argument to disable selinux violations.

If you are sure that you have all the latest versions of all packages installed, and still have the problem, please try the following commands, as root:

# echo '#!/bin/bash
mktemp /tmp/XXXXXX;
[ $? -ne 0 ] && echo failed;
' > /tmp/dhct.sh
# chmod +x /tmp/dhct.sh
# chcon system_u:object_r:dhcpc_exec_t /tmp/dhct.sh
# /tmp/dhct.sh

The last command should NOT produce the output 'failed' - it does not for me. If it does, then you have a bad SELinux installation and need help from the SELinux maintainer (dwalsh), who has also been CC'ed on this bug.
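
Added example, not part of the original bug comments: a small triage script for the AVC denials quoted in this thread. It groups denied permissions by source type, target type and class, and lists targets labelled file_t, the type the comment above identifies as wrong for '/'. The function names are this example's own; the sample lines are copied from the logs above.

```python
import re
from collections import defaultdict

# AVC denials copied from the /var/log/messages excerpts quoted in this thread.
SAMPLE_LOG = """\
Sep 2 15:36:32 localhost kernel: audit(1125696987.492:2): avc: denied { write } for pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8 ino=493579 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 15:36:32 localhost kernel: audit(1125696987.492:3): avc: denied { unlink } for pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8 ino=493579 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep 2 16:44:16 localhost kernel: audit(1125701053.273:2): avc: denied { getattr } for pid=2051 comm="mktemp" name="/" dev=hda5 ino=2 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep 2 16:44:16 localhost kernel: audit(1125701053.591:3): avc: denied { read } for pid=2114 comm="syslogd" name="hosts" dev=hda8 ino=493685 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Sep 2 16:44:16 localhost kernel: NET: Registered protocol family 10
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def unlabeled_targets(log_text, suspect_type="file_t"):
    """List (comm, name, dev) for denials whose target carries suspect_type."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec["tcontext"]) == suspect_type:
            hits.append((rec["comm"], rec["name"], rec["dev"]))
    return hits
```

The dev field in each hit shows which filesystem holds the mislabelled object, which is where a relabel has to reach.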
I cannot reproduce this bug on any FC-4 or Rawhide system, and no further information has been forthcoming - perhaps the previous comments helped resolve the issue - closing as "NOTABUG". If this problem is still an issue for you, please supply the further information requested in the previous comments and re-open this bug.