From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050217

Description of problem:
SELinux blocks changing the MAC address. I set up a new MAC address via the MACADDR option in /etc/sysconfig/network-scripts/ifcfg-eth0 and reloaded the network service. The MAC address did not change.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:

[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:  socket(PF_PACKET): Permission denied
                                                           [  OK  ]

(which means "Shutting down interface eth0" and "Bringing up interface eth0"; unfortunately, "export LANG=C" does not work, so messages are written in the system locale)

[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:31:84:93
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8533 (8.3 KiB)  TX bytes:4207 (4.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10442 (10.1 KiB)  TX bytes:10442 (10.1 KiB)

(MAC address did not change)

[root@X ~]# grep MAC /etc/sysconfig/network-scripts/ifcfg-eth0
MACADDR=00:40:F4:41:84:94

[root@X ~]# tail /var/log/audit/audit.log
type=USER msg=audit(1119269430.327:250807): user pid=2135 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)'
type=USER msg=audit(1119269435.365:345814): user pid=2169 uid=0 auid=4294967295 msg='PAM authentication: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269435.764:346017): user pid=2169 uid=0 auid=4294967295 msg='PAM accounting: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269436.142:349590): user pid=2169 uid=0 auid=4294967295 msg='PAM session open: user=y4kk0 exe=/usr/bin/gdm-binary (hostname=?, addr=?, terminal=:0 result=Success)'
type=USER msg=audit(1119269493.985:667750): user pid=2478 uid=500 auid=4294967295 msg='PAM authentication: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.291:668834): user pid=2478 uid=500 auid=4294967295 msg='PAM accounting: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=USER msg=audit(1119269494.708:673328): user pid=2478 uid=500 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=SOCKETCALL msg=audit(1119269526.239:789064): nargs=3 a0=11 a1=2 a2=0
type=SYSCALL msg=audit(1119269526.239:789064): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf90aa50 a2=0 a3=bf90bf30 items=0 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1119269526.239:789064): avc: denied { create } for pid=2757 comm="ip" scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=packet_socket

(something was blocked)

[root@X ~]# setenforce 0
[root@X ~]# service network restart
Wyłączanie interfejsu eth0:                                [  OK  ]
Zatrzymywanie interfejsu sieciowego loopback:              [  OK  ]
Podnoszenie interfejsu loopback:                           [  OK  ]
Podnoszenie interfejsu eth0:                               [  OK  ]

[root@X ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:41:84:94
          inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9434 (9.2 KiB)  TX bytes:5239 (5.1 KiB)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17654 (17.2 KiB)  TX bytes:17654 (17.2 KiB)

[root@X ~]#

In permissive mode the MAC address was changed.

Additional info:
What is funny, "ifdown eth0 && ifup eth0" works without a glitch in enforcing mode. It does not resolve the problem, because I have to trigger that command after each reboot :/
selinux-policy-targeted-1.25.2-1
Should I downgrade to this version? I have selinux-policy-targeted-1.25.2-4 installed on my FC4 box and the problem is still visible.
What avc messages are you seeing now?
type=AVC msg=audit(1121934344.535:11565021): avc: denied { net_raw } for pid=3604 comm="ip" capability=13 scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=capability
type=SYSCALL msg=audit(1121934344.535:11565021): arch=40000003 syscall=102 success=no exit=-1 a0=1 a1=bfa77a90 a2=0 a3=bfa77f30 items=0 pid=3604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=SOCKETCALL msg=audit(1121934344.535:11565021): nargs=3 a0=11 a1=2 a2=0
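Both denials in this thread (the packet_socket `create` denial in the original report and the `net_raw` capability denial above) use the same audit record layout: several records share one event id (timestamp:serial), and the AVC record carries the denied permission, object class and security contexts while the matching SYSCALL record carries the binary and the syscall result. The Python script below is an added example, not part of this bug report or of the selinux-policy package: it groups records by event id, joins each denied AVC with its SYSCALL record, and reports the fields a policy maintainer looks at first. The record text in SAMPLE_LOG is copied from the two events quoted in this thread; the parser, the function names and the field names are my own.

```python
"""Summarise SELinux AVC denials from audit.log records (added example)."""
import re
from collections import defaultdict

# Every audit record starts with: type=TYPE msg=audit(TIMESTAMP:SERIAL): body
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# The verdict and permission set of an AVC record: "avc: denied { create } for ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted (comm="ip") or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the two denial events quoted in this bug thread (copied from the report).
SAMPLE_LOG = """\
type=USER msg=audit(1119269494.708:673328): user pid=2478 uid=500 auid=4294967295 msg='PAM session open: user=root exe=/bin/su (hostname=?, addr=?, terminal=pts/6 result=Success)'
type=SOCKETCALL msg=audit(1119269526.239:789064): nargs=3 a0=11 a1=2 a2=0
type=SYSCALL msg=audit(1119269526.239:789064): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf90aa50 a2=0 a3=bf90bf30 items=0 pid=2757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=AVC msg=audit(1119269526.239:789064): avc: denied { create } for pid=2757 comm="ip" scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=packet_socket
type=AVC msg=audit(1121934344.535:11565021): avc: denied { net_raw } for pid=3604 comm="ip" capability=13 scontext=root:system_r:ifconfig_t tcontext=root:system_r:ifconfig_t tclass=capability
type=SYSCALL msg=audit(1121934344.535:11565021): arch=40000003 syscall=102 success=no exit=-1 a0=1 a1=bfa77a90 a2=0 a3=bfa77f30 items=0 pid=3604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ip" exe="/sbin/ip"
type=SOCKETCALL msg=audit(1121934344.535:11565021): nargs=3 a0=11 a1=2 a2=0
"""


def parse_kv(text):
    """Turn 'pid=2757 comm="ip" tclass=packet_socket' into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Return the type field (third component) of a user:role:type[:level] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_records(lines):
    """Group AVC/SYSCALL/SOCKETCALL records by event id; returns {event_id: {type: fields}}."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        event_id = f"{m['ts']}:{m['serial']}"
        rtype, body = m['type'], m['body']
        if rtype == 'AVC':
            a = AVC_RE.search(body)
            if not a:
                continue
            fields = parse_kv(a['rest'])
            fields['verdict'] = a['verdict']
            fields['perms'] = a['perms'].split()
        elif rtype in ('SYSCALL', 'SOCKETCALL'):
            fields = parse_kv(body)
        else:
            continue  # USER/PAM records and the like are not relevant here
        events[event_id][rtype] = fields
    return events


def summarize_denials(lines):
    """One summary dict per denied AVC, joined with its SYSCALL record by event id."""
    out = []
    for event_id, recs in parse_records(lines).items():
        avc = recs.get('AVC')
        if not avc or avc['verdict'] != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        out.append({
            'event': event_id,
            'perms': avc['perms'],
            'tclass': avc.get('tclass'),
            'source_type': context_type(avc.get('scontext', '')),
            'target_type': context_type(avc.get('tcontext', '')),
            'comm': avc.get('comm'),
            'exe': sc.get('exe'),
            'syscall': sc.get('syscall'),
            'exit': sc.get('exit'),
        })
    return out


if __name__ == '__main__':
    for d in summarize_denials(SAMPLE_LOG.splitlines()):
        print(f"{d['event']}: {d['source_type']} denied {' '.join(d['perms'])} on "
              f"{d['tclass']} (comm={d['comm']} exe={d['exe']} "
              f"syscall={d['syscall']} exit={d['exit']})")
```

Run against the report's own records it prints one line per event, showing that both failures come from the same `ifconfig_t` domain and the same `/sbin/ip` binary, but need different policy rules: the first is a `packet_socket create` permission, the second a `capability net_raw` permission. Seeing the object class change between the two policy versions is exactly what tells a maintainer that the first fix was incomplete.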
Fixed in selinux-policy-targeted-1.25.3-9
I can confirm that :D (Sorry that it took me so long but I was away on my holiday.)