From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.10) Gecko/20050720 Epiphany/1.7.2 Description of problem: Fedora Extras provides the ddclient package. Ddclient allows one to update a dyndns.org DNS record automatically. Version-Release number of selected component (if applicable): selinux-policy-strict-1.23.16-6 How reproducible: Always Steps to Reproduce: Try to execute ddclient when SELinux is enforcing the strict policy. Actual Results: type=AVC msg=audit(1123206458.903:2140046): avc: denied { write } for pid=4360 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir type=AVC msg=audit(1123206458.903:2140046): avc: denied { add_name } for pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir type=AVC msg=audit(1123206458.903:2140046): avc: denied { create } for pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123206458.903:2140046): arch=40000003 syscall=5 success=yes exit=3 a0=99fde50 a1=8241 a2=1b6 a3=8241 items=1 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=CWD msg=audit(1123206458.903:2140046): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123206458.903:2140046): item=0 name="/var/cache/ddclient.cache" flags=310 inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1123206458.905:2140058): avc: denied { write } for pid=4360 comm="ddclient" name="ddclient.cache" dev=hda2 ino=15053 scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123206458.905:2140058): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9a0f320 a2=114 a3=9a0f320 items=0 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" 
type=AVC_PATH msg=audit(1123206458.905:2140058): path="/var/cache/ddclient.cache" Additional info: The following seems to allow ddclient to work: /usr/sbin/ddclient -- system_u:object_r:ddclient_exec_t /etc/ddclient.conf -- system_u:object_r:ddclient_etc_t type ddclient_exec_t, file_type, sysadmfile, exec_type; type ddclient_etc_t, file_type, sysadmfile, exec_type; type ddclient_t, domain, privlog, fs_domain; domain_auto_trans(initrc_t, ddclient_exec_t, ddclient_t) can_network(ddclient_t) allow ddclient_t devtty_t:chr_file { read write }; allow ddclient_t var_t:file { read ioctl }; # execute perl: allow ddclient_t { bin_t sbin_t }:dir r_dir_perms; can_exec(ddclient_t, { bin_t sbin_t }) allow ddclient_t bin_t:lnk_file read; # end execute perl allow ddclient_t sshd_t:fd use; allow ddclient_t urandom_device_t:chr_file read; allow ddclient_t proc_t:lnk_file read; allow ddclient_t ddclient_etc_t:file { ioctl read getattr }; allow ddclient_t null_device_t:chr_file { ioctl read }; # macro? : allow ddclient_t var_run_t:dir { add_name }; allow ddclient_t var_run_t:file { create ioctl write }; allow ddclient_t var_t:file { getattr }; allow ddclient_t http_port_t:tcp_socket { name_connect }; allow ddclient_t user_devpts_t:chr_file { ioctl read write }; allow ddclient_t ddclient_t:dir search; allow ddclient_t ddclient_t:lnk_file read; allow ddclient_t lib_t:file { read ioctl };
Did you try the policy that was already in the unused directory of strict policy? /etc/selinux/strict/src/policy/domains/program/unused/ddclient.te
I did not know strict/src/policy/domains/program/unused/ddclient.te existed. I don't think /var/cache/ddclient.cache is created with the proper context (ddclient creates it as root:object_r:var_t.) Here are the messages that are logged when I use this policy fragment: type=AVC msg=audit(1123382532.061:6803231): avc: denied { read write } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file type=SYSCALL msg=audit(1123382532.061:6803231): arch=40000003 syscall=11 success=yes exit=0 a0=82a1340 a1=828e178 a2=828e308 a3=0 items=3 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=CWD msg=audit(1123382532.061:6803231): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123382532.061:6803231): item=0 name="/usr/sbin/ddclient" flags=101 inode=32909 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1123382532.061:6803231): item=1 flags=101 inode=33489 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1123382532.061:6803231): item=2 flags=101 inode=47064 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1123382532.084:6803376): avc: denied { ioctl } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file type=SYSCALL msg=audit(1123382532.084:6803376): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=AVC_PATH msg=audit(1123382532.084:6803376): path="/dev/pts/1" type=AVC msg=audit(1123382533.231:6805020): avc: denied { search } for pid=11255 comm="sh" name="/" dev=devpts ino=1 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:devpts_t tclass=dirtype=SYSCALL msg=audit(1123382533.231:6805020): arch=40000003 syscall=5 
success=yes exit=3 a0=80c78f6 a1=8802 a2=0 a3=8802 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash" type=CWD msg=audit(1123382533.231:6805020): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123382533.231:6805020): item=0 name="/dev/tty" flags=101 inode=2240 dev=00:0d mode=020666 ouid=0 ogid=0 rdev=05:00 type=AVC msg=audit(1123382533.235:6805055): avc: denied { search } for pid=11255 comm="sh" name="src" dev=hda2 ino=63918 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir type=AVC msg=audit(1123382533.235:6805055): avc: denied { getattr } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir type=SYSCALL msg=audit(1123382533.235:6805055): arch=40000003 syscall=195 success=yes exit=0 a0=9371830 a1=bfeda0ac a2=229ff4 a3=bfeda0ac items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash" type=AVC_PATH msg=audit(1123382533.235:6805055): path="/etc/selinux/strict/src/policy" type=CWD msg=audit(1123382533.235:6805055): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123382533.235:6805055): item=0 name="/etc/selinux/strict/src/policy" flags=1 inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1123382533.237:6805075): avc: denied { read } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir type=SYSCALL msg=audit(1123382533.237:6805075): arch=40000003 syscall=5 success=yes exit=3 a0=80d39e2 a1=18800 a2=22b8b8 a3=9373588 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash" type=CWD msg=audit(1123382533.237:6805075): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123382533.237:6805075): item=0 name="." 
flags=103 inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1123382533.246:6805157): avc: denied { write } for pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir type=AVC msg=audit(1123382533.246:6805157): avc: denied { add_name } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir type=AVC msg=audit(1123382533.246:6805157): avc: denied { create } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123382533.246:6805157): arch=40000003 syscall=5 success=yes exit=3 a0=9c41e50 a1=8241 a2=1b6 a3=8241 items=1 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=CWD msg=audit(1123382533.246:6805157): cwd="/etc/selinux/strict/src/policy" type=PATH msg=audit(1123382533.246:6805157): item=0 name="/var/cache/ddclient.cache" flags=310 inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1123382533.248:6805158): avc: denied { ioctl } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123382533.248:6805158): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=AVC_PATH msg=audit(1123382533.248:6805158): path="/var/cache/ddclient.cache" type=AVC msg=audit(1123382533.248:6805160): avc: denied { getattr } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123382533.248:6805160): arch=40000003 syscall=197 success=yes exit=0 
a0=3 a1=998c068 a2=a46ff4 a3=9c42142 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=AVC_PATH msg=audit(1123382533.248:6805160): path="/var/cache/ddclient.cache" type=AVC msg=audit(1123382533.249:6805169): avc: denied { write } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file type=SYSCALL msg=audit(1123382533.249:6805169): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9c53320 a2=114 a3=9c53320 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl" type=AVC_PATH msg=audit(1123382533.249:6805169): path="/var/cache/ddclient.cache"
Created attachment 117523 [details] DDclient patch to fix cache creation If you apply this patch to ddclient.te, does it fix your problems? You might need to restorecon /var/cache/ddclient*. This patch will be in the next update, although we do not ship ddclient.te...
The patch in comment #3 seems to work.
Fixed in policy version 1.25.4-10