Bug 244925 - SELinux is preventing ifup-eth (udev_t) "write" to dhclient-eth1.conf (dhcp_etc_t).
SELinux is preventing ifup-eth (udev_t) "write" to dhclient-eth1.conf (dhcp_e...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
i386 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-19 17:17 EDT by Matthew Saltzman
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:09:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Saltzman 2007-06-19 17:17:13 EDT
Description of problem:
Removing and reloading the ipw2200 kernel module with modprobe ipw2200 produces
SELinux troubleshooting reports similar to the summary, but involving various
actions (write, create, getattr, append, unlink) on dhclient-eth1.conf*. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-14.fc7

How reproducible:
Always

Steps to Reproduce:
1. Configure wireless using NetworkManager, then stop NetworkManager.
2. rmmod ipw2200
3. insmod ipw2200
  
Actual results:
Troubleshooter pops up with the above message. 

Expected results:
No SELinux violations

Additional info:
The related raw audit messages are:

avc: denied { write } for comm="ifup-eth" dev=dm-0 egid=0 euid=0 exe="/bin/bash"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf" pid=11417
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0 

avc: denied { getattr } for comm="ifup-eth" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf"
path="/etc/dhclient-eth1.conf" pid=16456
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0 

avc: denied { append } for comm="ifup-eth" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf"
pid=16456 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0 

avc: denied { create } for comm="ifup-eth" dev=dm-0 egid=0 euid=0
exe="/bin/bash" exit=3 fsgid=0 fsuid=0 gid=0 items=0
name="dhclient-eth1.conf.ifupnew" pid=11468
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 

avc: denied { read } for comm="grep" dev=dm-0 egid=0 euid=0 exe="/bin/grep"
exit=3 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf" pid=11468
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:dhcp_etc_t:s0 tty=(none) uid=0 

avc: denied { unlink } for comm="rm" dev=dm-0 egid=0 euid=0 exe="/bin/rm" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth1.conf.ifupnew" pid=11470
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-06-20 08:02:20 EDT
Any idea why ifuo config scripts would be trying to rewrite these files?
Comment 2 Matthew Saltzman 2007-06-20 08:28:20 EDT
(In reply to comment #1)
> Any idea why ifuo config scripts would be trying to rewrite these files?

No, but the contents of the file are:

   send host-name "localhost.localdomain";  # temporary RHL ifup addition

The relevant section is in /etc/sysconfig/ifup-eth starting around line 147.
Comment 3 Bill Nottingham 2007-06-20 12:52:43 EDT
Exactly - it sets dhcp parameters that way.
Comment 4 Daniel Walsh 2007-06-22 12:01:05 EDT
Fixed in selinux-policy-2.6.4-22
Comment 5 Daniel Walsh 2007-08-22 10:09:34 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.