Bug 1594661 - [RHEL7.6] arping, ip, hostname, dhcp affected when selinux enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2018-06-25 06:58 UTC by HuijingHei
Modified: 2018-10-30 10:06 UTC

Fixed In Version: selinux-policy-3.13.1-205.el7
Last Closed: 2018-10-30 10:05:46 UTC

Links
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:06:45 UTC)

Description HuijingHei 2018-06-25 06:58:35 UTC
Description of problem:
Can not get dhcp ip with selinux enabled

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-204.el7.noarch
selinux-policy-3.13.1-204.el7.noarch
kernel-3.10.0-915.el7.x86_64
(RHEL7.5 GA version with updated selinux rpms and kernel)

How reproducible:
100%

Steps to Reproduce:
1. Start os
2. Config the NIC with dhcp and restart network service
3. # getenforce
Enforcing
4. # ip a

Actual results:
Can not get dhcp ip with selinux enabled

# systemctl status network
● network.service - LSB: Bring up/down networking
   Loaded: loaded (/etc/rc.d/init.d/network; bad; vendor preset: disabled)
   Active: active (running) since Mon 2018-06-25 14:38:50 CST; 39s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 658 ExecStart=/etc/rc.d/init.d/network start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/network.service
           └─915 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient--eth0.lease -pf /var/run/dhclient-eth0.pid eth0

Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 734:   838 Killed                  arping -D -q -c2 -I ${interface} ${new_ip_address}
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 335:   850 Killed                  ip link set dev ${interface} up
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 335:   851 Killed                  ip -4 addr replace ${new_ip_address}/${new_prefix} broadcast ${new_broadcast_address} dev ${interface} valid_lft ${new_dhcp_lease_time} preferred_lft ${new_dhcp_lease_time} > /dev/null 2>&1
Jun 25 14:38:49 localhost.localdomain network[658]: /usr/sbin/dhclient-script: line 293:   859 Killed                  ip -4 route replace default via ${router} dev ${interface} ${metric}
Jun 25 14:38:49 localhost.localdomain NET[860]: dhclient: failed to create default route: 10.73.199.254 dev eth0
Jun 25 14:38:50 localhost.localdomain NET[867]: /usr/sbin/dhclient-script : updated /etc/resolv.conf
Jun 25 14:38:50 localhost.localdomain dhclient[806]: bound to 10.73.199.194 -- renewal in 17350 seconds.
Jun 25 14:38:50 localhost.localdomain network[658]: done.
Jun 25 14:38:50 localhost.localdomain network[658]: [  OK  ]
Jun 25 14:38:50 localhost.localdomain systemd[1]: Started LSB: Bring up/down networking.


# ausearch -m avc
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.388:21): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.388:21): arch=c000003e syscall=59 success=no exit=-13 a0=ed16f0 a1=ed3fd0 a2=eca210 a3=7fff1de93da0 items=0 ppid=808 pid=809 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.388:21): avc:  denied  { map } for  pid=809 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.465:22): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.465:22): arch=c000003e syscall=59 success=no exit=-13 a0=f6ec40 a1=ea9e90 a2=f6b580 a3=7fff1de945e0 items=0 ppid=807 pid=821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.465:22): avc:  denied  { map } for  pid=821 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.533:23): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.533:23): arch=c000003e syscall=59 success=no exit=-13 a0=26ad8a0 a1=26b0180 a2=26a63a0 a3=7ffe825e6f60 items=0 ppid=823 pid=824 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.533:23): avc:  denied  { map } for  pid=824 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.731:24): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.731:24): arch=c000003e syscall=59 success=no exit=-13 a0=274ac80 a1=26a4800 a2=2747810 a3=7ffe825e78a0 items=0 ppid=822 pid=838 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.731:24): avc:  denied  { map } for  pid=838 comm="arping" path="/usr/sbin/arping" dev="dm-0" ino=571362 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.784:25): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.784:25): arch=c000003e syscall=59 success=no exit=-13 a0=2686510 a1=2686590 a2=2747810 a3=7ffe825e6ce0 items=0 ppid=839 pid=840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.784:25): avc:  denied  { map } for  pid=840 comm="arping" path="/usr/sbin/arping" dev="dm-0" ino=571362 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.792:26): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.792:26): arch=c000003e syscall=59 success=no exit=-13 a0=274c1e0 a1=274bc90 a2=2747810 a3=7ffe825e6ce0 items=0 ppid=845 pid=846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.792:26): avc:  denied  { map } for  pid=846 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.920:27): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.920:27): arch=c000003e syscall=59 success=no exit=-13 a0=274a6c0 a1=2685630 a2=2747810 a3=7ffe825e6760 items=0 ppid=822 pid=850 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.920:27): avc:  denied  { map } for  pid=850 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.923:28): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.923:28): arch=c000003e syscall=59 success=no exit=-13 a0=275ff40 a1=274a800 a2=2747810 a3=7ffe825e68a0 items=0 ppid=822 pid=851 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.923:28): avc:  denied  { map } for  pid=851 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:49 2018
type=PROCTITLE msg=audit(1529908729.943:29): proctitle="(null)"
type=SYSCALL msg=audit(1529908729.943:29): arch=c000003e syscall=59 success=no exit=-13 a0=2762310 a1=26a2fb0 a2=2747810 a3=7ffe825e56a0 items=0 ppid=822 pid=859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908729.943:29): avc:  denied  { map } for  pid=859 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
----
time->Mon Jun 25 14:38:50 2018
type=PROCTITLE msg=audit(1529908730.028:30): proctitle="(null)"
type=SYSCALL msg=audit(1529908730.028:30): arch=c000003e syscall=59 success=no exit=-13 a0=276b730 a1=2769b40 a2=2747810 a3=7ffe825e55a0 items=0 ppid=869 pid=870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostname" exe="/usr/bin/hostname" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1529908730.028:30): avc:  denied  { map } for  pid=870 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0

Expected results:
Can get dhcp ip with selinux enabled

Additional info:
1) Tried with kernel-3.10.0-862.8.1.el7, RHEL7.5 GA version, does not have this issue
2) It was tested on hyper-v guest, and had the same issue on ESXi guest, so perhaps this is a general bug
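
A triage sketch for the ausearch output above, added here as an example; it is not part of the original report or of selinux-policy. It groups the AVC denials by source type, target type, class and permission, and ties each to its SYSCALL record through the shared audit event ID. The function names are assumptions of the example, and the rendered allow rule is only a compact label for the denial, not the change shipped in the errata.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from this report; the one SYSCALL record is shortened.
SAMPLE = """\
type=SYSCALL msg=audit(1529908729.388:21): arch=c000003e syscall=59 success=no exit=-13 comm="hostname" exe="/usr/bin/hostname"
type=AVC msg=audit(1529908729.388:21): avc:  denied  { map } for  pid=809 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=50390913 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.465:22): avc:  denied  { map } for  pid=821 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.731:24): avc:  denied  { map } for  pid=838 comm="arping" path="/usr/sbin/arping" dev="dm-0" ino=571362 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1529908729.920:27): avc:  denied  { map } for  pid=850 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=123026 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=0
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):  # key=value pairs of a record body, quotes stripped
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def setype(context):  # user:role:type:level -> type
    return context.split(":")[2]

def summarize(log):
    """Group AVC denials by (source type, target type, class, perms)."""
    syscalls, avcs = {}, []
    for rec in filter(None, map(RECORD.match, log.splitlines())):
        rtype, event_id, body = rec.groups()
        if rtype == "SYSCALL":
            syscalls[event_id] = fields(body)
        elif rtype == "AVC" and (hit := DENIED.match(body)):
            avcs.append((event_id, tuple(sorted(hit.group(1).split())), fields(hit.group(2))))
    out = defaultdict(lambda: {"count": 0, "comms": set(), "syscall_exit": set()})
    for event_id, perms, f in avcs:
        entry = out[(setype(f["scontext"]), setype(f["tcontext"]), f["tclass"], perms)]
        entry["count"] += 1
        entry["comms"].add(f["comm"])
        if event_id in syscalls:  # records of one event share the timestamp:serial ID
            sc = syscalls[event_id]
            entry["syscall_exit"].add((int(sc["syscall"]), int(sc["exit"])))
    return dict(out)

def as_rule(key):  # the allow-rule form audit2allow prints, used here only as a label
    src, tgt, cls, perms = key
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE).items()):
        print(as_rule(key), info["count"], sorted(info["comms"]), sorted(info["syscall_exit"]))
```

On the sample, the hostname group carries (59, -13): on x86_64, syscall 59 is execve and -13 is EACCES. All three groups share the source type dhcpc_t and the single permission map on class file.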

Comment 3 HuijingHei 2018-06-26 09:26:56 UTC
Additional info:
Booting the OS with the network service enabled and the NetworkManager service disabled reproduces this issue; if both are enabled, the issue does not occur.

Comment 5 HuijingHei 2018-06-28 02:24:13 UTC
I have tested with selinux-policy-3.13.1-206.el7, and can get dhcp ip successfully with network service.

Comment 8 errata-xmlrpc 2018-10-30 10:05:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

