Bug 221863 - denials when using network device control
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
5
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-01-08 11:42 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-14 10:17:54 EST
Description Orion Poplawski 2007-01-08 11:42:45 EST
Description of problem:

When an interface is started with network device control, the following denials
are seen:

Jan  7 13:52:41 localhost kernel: audit(1168203161.948:4): avc:  denied  { write } for  pid=3048 comm="ifconfig" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:41 localhost kernel: audit(1168203161.949:6): avc:  denied  { read } for  pid=3048 comm="ifconfig" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:29): avc:  denied  { write } for pid=3088 comm="ip" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:30): avc:  denied  { read } for  pid=3088 comm="ip" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.254:36): avc:  denied  { chown } for pid=3089 comm="cp" capability=0 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:system_r:dhcpc_t:s0 tclass=capability
Jan  7 13:52:43 localhost kernel: audit(1168203163.331:37): avc:  denied  { write } for pid=3097 comm="hostname" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.332:38): avc:  denied  { read } for  pid=3097 comm="hostname" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-4.fc5
Comment 1 Daniel Walsh 2007-02-14 10:17:54 EST
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.
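
To see what a module built from these denials would grant before loading it, the following added example (not part of the original report, and not audit2allow's own code) parses the AVC lines from the description and groups them into candidate allow rules, each annotated with the commands that triggered it. The function names and the rejoined sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the seven denials from the description, rejoined one per line.
SAMPLE_LOG = """\
Jan  7 13:52:41 localhost kernel: audit(1168203161.948:4): avc:  denied  { write } for  pid=3048 comm="ifconfig" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:41 localhost kernel: audit(1168203161.949:6): avc:  denied  { read } for  pid=3048 comm="ifconfig" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:29): avc:  denied  { write } for pid=3088 comm="ip" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:30): avc:  denied  { read } for  pid=3088 comm="ip" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.254:36): avc:  denied  { chown } for pid=3089 comm="cp" capability=0 scontext=user_u:system_r:dhcpc_t:s0 tcontext=user_u:system_r:dhcpc_t:s0 tclass=capability
Jan  7 13:52:43 localhost kernel: audit(1168203163.331:37): avc:  denied  { write } for pid=3097 comm="hostname" name="[10408]" dev=pipefs ino=10408 scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.332:38): avc:  denied  { read } for  pid=3097 comm="hostname" name="[10402]" dev=pipefs ino=10402 scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))  # type = 3rd field
    return {"perms": m.group(1).split(), "comm": f.get("comm", "").strip('"'),
            "source": src, "target": "self" if tgt == src else tgt, "tclass": f["tclass"]}

def candidate_rules(log_text):
    """Group denials into allow rules, each annotated with the commands that hit it."""
    perms, comms = defaultdict(set), defaultdict(set)
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        key = (d["source"], d["target"], d["tclass"])
        perms[key].update(d["perms"])
        comms[key].add(d["comm"])
    rules = []
    for (src, tgt, cls) in sorted(perms):
        p = sorted(perms[(src, tgt, cls)])
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        seen = ", ".join(sorted(comms[(src, tgt, cls)]))
        rules.append(f"allow {src} {tgt}:{cls} {perm};  # seen from: {seen}")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

A module generated from the whole of audit.log permits every denial recorded there, so reading the grouped rules first shows which domains and classes it would open up.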
