Bug 228260 - SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
Status: CLOSED DUPLICATE of bug 230775
Product: Fedora
Classification: Fedora
Component: system-config-network
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Harald Hoyer
Reported: 2007-02-12 04:39 EST by Tim Lauridsen
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-03-02 15:14:32 EST


Description Tim Lauridsen 2007-02-12 04:39:35 EST
Description of problem:

Resolv.conf was not updated by enabling a network adapter in system-config-network.

mv /etc/resolv.conf /etc/resolv.conf.current
ifdown eth1
ifup eth1

worked ok. 

Version-Release number of selected component (if applicable):

selinux-policy-2.5.2-5.fc7
selinux-policy-targeted-2.5.2-5.fc7

It is not a big issue to me, just want to let you know.

Additional info:

Summary
    SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
    (etc_t).

Detailed Description
    SELinux is preventing dhclient-script (dhcpc_t) "write" to resolv.conf
    (etc_t). The SELinux type %TARGET_TYPE, is a generic type for all files in
    the directory and very few processes (SELinux Domains) are allowed to write
    to this SELinux type.  This type of denial usual indicates a mislabeled
    file.  By default a file created in a directory has the gets the context of
    the parent directory, but SELinux policy has rules about the creation of
    directories, that say if a process running in one SELinux Domain (D1)
    creates a file in a directory with a particular SELinux File Context (F1)
    the file gets a different File Context (F2).  The policy usually allows the
    SELinux Domain (D1) the ability to write or append on (F2).  But if for some
    reason a file (resolv.conf) was created with the wrong context, this domain
    will be denied.  The usual solution to this problem is to reset the file
    context on the target file, restorecon -v resolv.conf.  If the file context
    does not change from etc_t, then this is probably a bug in policy.  Please
    file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the
    selinux-policy package. If it does change, you can try your application
    again to see if it works.  The file context could have been mislabeled by
    editing the file or moving the file from a different directory, if the file
    keeps getting mislabeled, check the init scripts to see if they are doing
    something to mislabel the file.

Allowing Access
    You can attempt to fix file context by executing restorecon -v resolv.conf

    The following command will allow this access:
    restorecon resolv.conf

Additional Information        

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                resolv.conf [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.5.2-5.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.mislabeled_file
Host Name                     localhost
Platform                      Linux localhost 2.6.20-1.2922.fc7 #1 SMP Sun Feb 4
                              18:53:10 EST 2007 i686 i686
Alert Count                   4
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="dhclient-script" dev=sda5 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf"
pid=3495 scontext=system_u:system_r:dhcpc_t:s0 sgid=0
subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
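
Added example (not part of the original report and not setroubleshoot's own code): a small Python triage of the raw AVC record above, applying a simplified version of the reasoning in the Detailed Description, namely that a denied modifying access to a file carrying a generic, directory-inherited type suggests a lost label. The GENERIC_TYPES and MODIFYING sets, the CONSTRUCTED record and the function names are assumptions made for this illustration.

```python
import re

# AVC record from the report above, joined onto one line.
AVC = ('avc: denied { write } for comm="dhclient-script" dev=sda5 egid=0 euid=0 '
       'exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="resolv.conf" '
       'pid=3495 scontext=system_u:system_r:dhcpc_t:s0 sgid=0 '
       'subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0')
# Constructed contrast record (not from the report): target has a specific type.
CONSTRUCTED = ('avc: denied { write } for comm="example" name="shadow" pid=1 '
               'scontext=system_u:system_r:dhcpc_t:s0 tclass=file '
               'tcontext=system_u:object_r:shadow_t:s0')

# Assumption: directory-inherited "generic" types that suggest a lost label.
GENERIC_TYPES = {"etc_t", "var_t", "usr_t", "tmp_t", "default_t", "file_t"}
# Assumption: permissions that modify a file; the report's denial is on "write".
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr"}

def parse_avc(line):
    """Split one AVC record into verdict, permission list and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {key: value.strip('"') for key, value in pairs}
    return {"verdict": m.group(1), "perms": m.group(2).split(), "fields": fields}

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return parts[2]

def triage(line):
    """Summarise a denial and flag the mislabeled-file pattern described above."""
    rec = parse_avc(line)
    f = rec["fields"]
    src, tgt = context_type(f["scontext"]), context_type(f["tcontext"])
    mislabeled = (rec["verdict"] == "denied" and f.get("tclass") == "file"
                  and tgt in GENERIC_TYPES and bool(MODIFYING & set(rec["perms"])))
    return {"source_type": src, "target_type": tgt, "name": f.get("name"),
            "perms": rec["perms"], "likely_mislabeled": mislabeled}

if __name__ == "__main__":
    for record in (AVC, CONSTRUCTED):
        print(triage(record))
```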

Comment 1 Daniel Walsh 2007-02-12 10:55:39 EST
system-config-network should be maintaining the context on all files that it
edits, especially resolv.conf.

Comment 2 Bill Nottingham 2007-03-02 12:44:14 EST
Moving to 'devel' as discussed on
https://www.redhat.com/archives/fedora-devel-list/2007-March/msg00095.html.

Comment 3 Daniel Walsh 2007-03-02 15:14:32 EST
Bugzilla: 230776
and
Bugzilla: 230775

Should address this issue

*** This bug has been marked as a duplicate of 230775 ***
