Bug 221863 - denials when using network device control
Summary: denials when using network device control
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-01-08 16:42 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-14 15:17:54 UTC
Type: ---
Embargoed:


Description Orion Poplawski 2007-01-08 16:42:45 UTC
Description of problem:

When an interface is started with network device control, the following denials
are seen:

Jan  7 13:52:41 localhost kernel: audit(1168203161.948:4): avc:  denied  { write
} for  pid=3048 comm="ifconfig" name="[10408]" dev=pipefs ino=10408
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:41 localhost kernel: audit(1168203161.949:6): avc:  denied  { read
} for  pid=3048 comm="ifconfig" name="[10402]" dev=pipefs ino=10402
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:29): avc:  denied  {
write } for pid=3088 comm="ip" name="[10408]" dev=pipefs ino=10408
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:30): avc:  denied  { read
} for  pid=3088 comm="ip" name="[10402]" dev=pipefs ino=10402
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.254:36): avc:  denied  {
chown } for pid=3089 comm="cp" capability=0 scontext=user_u:system_r:dhcpc_t:s0
tcontext=user_u:system_r:dhcpc_t:s0 tclass=capability
Jan  7 13:52:43 localhost kernel: audit(1168203163.331:37): avc:  denied  {
write } for pid=3097 comm="hostname" name="[10408]" dev=pipefs ino=10408
scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.332:38): avc:  denied  { read
} for  pid=3097 comm="hostname" name="[10402]" dev=pipefs ino=10402
scontext=user_u:system_r:hostname_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.5-4.fc5

Comment 1 Daniel Walsh 2007-02-14 15:17:54 UTC
All of these bugs should be fixed in FC6. You could attempt to use the FC6
policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build a local customized policy.
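
A triage helper for denials like the ones in this report, added here as an example (it is not audit2allow's code and not part of the bug report): it re-joins the wrapped log lines, groups denials by source type, target type and class, and renders the allow rule each group corresponds to, so the access can be reviewed before a local module is built. The function names `summarize` and `as_rules` are assumptions of this example.

```python
import re
from collections import defaultdict

# Three of the denials from the report above, with the tracker's hard wraps kept.
SAMPLE = """\
Jan  7 13:52:41 localhost kernel: audit(1168203161.948:4): avc:  denied  { write
} for  pid=3048 comm="ifconfig" name="[10408]" dev=pipefs ino=10408
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.251:30): avc:  denied  { read
} for  pid=3088 comm="ip" name="[10402]" dev=pipefs ino=10402
scontext=user_u:system_r:ifconfig_t:s0 tcontext=user_u:system_r:unconfined_t:s0
tclass=fifo_file
Jan  7 13:52:43 localhost kernel: audit(1168203163.254:36): avc:  denied  {
chown } for pid=3089 comm="cp" capability=0 scontext=user_u:system_r:dhcpc_t:s0
tcontext=user_u:system_r:dhcpc_t:s0 tclass=capability
"""

GAP = r"(?:(?!avc:).)*?"                # lazy skip that cannot run into the next record
TYPE = r"[^:\s]+:[^:\s]+:([^:\s]+)\S*"  # user:role:TYPE[:level]
AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}" + GAP + r'comm="([^"]*)"' + GAP
    + r"scontext=" + TYPE + GAP + r"tcontext=" + TYPE + GAP + r"tclass=(\S+)")

def summarize(text):
    """Group denials by (source type, target type, class)."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for perms, comm, stype, ttype, tclass in AVC.findall(flat):
        g = groups[(stype, ttype, tclass)]
        g["perms"].update(perms.split())
        g["comms"].add(comm)
    return dict(groups)

def as_rules(groups):
    """Render each group in type-enforcement allow-rule syntax, for review."""
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            f"  # seen from: {', '.join(sorted(g['comms']))}"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Comparing this summary with the `mypolicy.te` file that `audit2allow -M mypolicy` writes shows which access the local module would grant before it is loaded.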