Bug 212876 - SELinux issues on startup with dhcp & iptables
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 6
Hardware: i686 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-10-29 16:52 EST by Rick Wargo
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-11-09 14:59:45 EST
Description Rick Wargo 2006-10-29 16:52:05 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20061011 Fedora/1.5.0.7-7.fc6 Firefox/1.5.0.7

Description of problem:
I receive the following avc messages in /var/log/messages during boot:

Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:4): avc:  denied  { create } for  pid=2255 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:5): avc:  denied  { read } for  pid=2255 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:6): avc:  denied  { create } for  pid=2256 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:7): avc:  denied  { read } for  pid=2256 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
Oct 28 22:51:30 chocolate kernel: audit(1162090285.708:8): avc:  denied  { create } for  pid=2257 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
Oct 28 22:51:30 chocolate kernel: audit(1162090285.708:9): avc:  denied  { read } for  pid=2257 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
Oct 28 22:51:30 chocolate kernel: audit(1162090285.712:10): avc:  denied  { create } for  pid=2258 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
Oct 28 22:51:30 chocolate kernel: audit(1162090285.712:11): avc:  denied  { read } for  pid=2258 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
Oct 28 22:51:30 chocolate kernel: audit(1162090285.712:12): avc:  denied  { create } for  pid=2260 comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket
Oct 28 22:51:30 chocolate kernel: audit(1162090285.712:13): avc:  denied  { read } for  pid=2260 comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file
Oct 28 22:51:30 chocolate kernel: audit(1162090287.232:14): audit_pid=2309 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.1-3.fc6

How reproducible:
Always


Steps to Reproduce:
Boot the system.

Actual Results:
See messages in messages log file (very, very early, while starting firestarter, S11firestarter, right after S10auditd). 

Expected Results:
Should not produce AVCs

Additional info:
Comment 1 Daniel Walsh 2006-10-30 14:37:58 EST
In order for you to get firestarter to work in this manner, you will probably
need to add your own local rules


audit2allow -M local < /var/log/messages
semodule -i local.pp

I am not crazy about giving dhcp the ability to change iptables and kernel
modules on the fly.  Is there any way to run firestarter outside of dhcp?

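As an added illustration of what the `audit2allow` step in Comment 1 does (example code written for this page, not part of the bug report or of the audit2allow tool), the script below parses AVC lines in the format quoted in the description and groups them into the allow rules a local module would carry, so the grant to `dhcpc_t` can be reviewed before `semodule` installs it. The sample lines are copied from the report; the regex is tolerant of the `context=` spelling that appears in one of them.

```python
"""Summarise kernel AVC denials into the allow rules a local policy module would need."""
import re
from collections import defaultdict

# Matches the 2006-era "kernel: audit(...): avc: denied { perms } ... scontext=... tcontext=... tclass=..." form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+t?context=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Sample input taken from the bug description above (one AVC per kind, plus a non-AVC audit line).
SAMPLE_LINES = [
    'Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:4): avc:  denied  { create } for  pid=2255 '
    'comm="iptables" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=rawip_socket',
    'Oct 28 22:51:30 chocolate kernel: audit(1162090285.704:5): avc:  denied  { read } for  pid=2255 '
    'comm="iptables" name="modprobe" dev=proc ino=-268435399 scontext=system_u:system_r:dhcpc_t:s0 '
    'context=system_u:object_r:sysctl_modprobe_t:s0 tclass=file',
    'Oct 28 22:51:30 chocolate kernel: audit(1162090287.232:14): audit_pid=2309 old=0 by auid=4294967295 '
    'subj=system_u:system_r:auditd_t:s0',
]


def ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (permissions, source type, target type, class) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return m["perms"].split(), ctx_type(m["scontext"]), ctx_type(m["tcontext"]), m["tclass"]


def summarise(lines):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            perms, src, tgt, cls = parsed
            rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def allow_rules(rules):
    """Render the grouped denials as policy allow rules; a self-targeted rule uses 'self' as audit2allow does."""
    return sorted(
        f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


if __name__ == "__main__":
    # Review these before installing: each line widens what the dhcp client domain may do.
    print("\n".join(allow_rules(summarise(SAMPLE_LINES))))
```

Running the script prints the two rules (raw-socket creation in the client's own domain and read access to the modprobe sysctl) that would end up in `local.pp`, which makes the breadth of the grant Comment 1 is uneasy about visible before it is applied.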