Bug 314531 - NM SELinux denial - dhclient.leases mislabeled?
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-10-01 19:12 UTC by Zack Cerza
Modified: 2008-02-07 19:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-02-07 19:24:26 UTC
Type: ---
Embargoed:



Description Zack Cerza 2007-10-01 19:12:43 UTC
Description of problem:
I saw this around the same time that I found a NetworkManager segfault. I'll try
to get a better backtrace on that and report it later.

Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                None [ file ]
Affected RPM Packages         dhclient-3.0.6-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     megadoomer
Platform                      Linux megadoomer 2.6.23-0.214.rc8.git2.fc8 #1 SMP
                              Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Mon 01 Oct 2007 03:05:22 PM EDT
Last Seen                     Mon 01 Oct 2007 03:05:22 PM EDT
Local ID                      279f88a9-aa51-4060-92b4-8c0fd1bb3bdc
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 exe=/sbin/dhclient
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=dhclient.leases pid=10300
scontext=system_u:system_r:dhcpc_t:s0 sgid=0 subj=system_u:system_r:dhcpc_t:s0
suid=0 tclass=file tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0



Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.3.svn2914.fc8
selinux-policy-targeted-3.0.8-14.fc8
dhclient-3.0.6-5.fc8

Comment 1 Dan Williams 2007-10-01 20:33:59 UTC
dwalsh; what's needed here?  dhclient itself creates the leasefile, I assume it
needs some smarts to relabel the leasefile when it creates it?  NM tells
dhclient _where_ to put the leases, but doesn't actually create the leasefile
itself.

Comment 2 Dan Williams 2007-10-01 20:35:37 UTC
Actually, this may not be related to NM, because NM will always spawn dhclient
with a leasefile argument like "dhclient-eth0.leases", and shouldn't ever pass
just 'dhclient.leases'.  I assume dhclient is probably just trying to read that
file by default or something.  Dave?

Comment 3 Daniel Walsh 2007-10-01 21:46:35 UTC
file_t indicates a file that never had a label on it.  So this looks like you
have run with selinux disabled.  You can fix the labeling by executing 

fixfiles restore

Of course NetworkManager should not segfault.  There is a bug in libsemanage
that has been preventing proper relabeling on autorelabel.
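
The check discussed in this report, as an added example that is not part of the bug thread: a Python script that parses AVC denials and groups those whose target type is file_t by device, which helps decide between relabeling one filesystem and relabeling the whole system. The first sample line is the audit message from the description; the other two lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First entry: the raw audit message from this report, joined onto one line.
# The other two are constructed for contrast (quoted audit.log style, other labels).
SAMPLE_LOG = [
    "avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 "
    "exe=/sbin/dhclient exit=-13 fsgid=0 fsuid=0 gid=0 items=0 "
    "name=dhclient.leases pid=10300 scontext=system_u:system_r:dhcpc_t:s0 "
    "sgid=0 subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file "
    "tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0",
    'type=AVC msg=audit(1191265600.000:46): avc:  denied  { write } for '
    'pid=2211 comm="httpd" name="index.html" dev=sda6 '
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:user_home_t:s0 tclass=file",
    'type=AVC msg=audit(1191265700.000:47): avc:  denied  { getattr } for '
    'pid=10300 comm="dhclient" name="resolv.conf" dev=sdb1 '
    "scontext=system_u:system_r:dhcpc_t:s0 "
    "tcontext=system_u:object_r:file_t:s0 tclass=file",
]

def context_type(context):
    """A context is user:role:type[:level]; return the type (third field)."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    fields["perms"] = m.group(1).split()
    fields["stype"] = context_type(fields.get("scontext"))
    fields["ttype"] = context_type(fields.get("tcontext"))
    return fields

def unlabeled_denials(lines):
    """Group denials whose target type is file_t by the device they hit."""
    by_dev = defaultdict(list)
    for avc in filter(None, map(parse_avc, lines)):
        if avc["ttype"] == "file_t":
            by_dev[avc.get("dev", "?")].append(
                (avc["stype"], avc.get("name"), tuple(avc["perms"])))
    return dict(by_dev)
```

Calling `unlabeled_denials(SAMPLE_LOG)` returns the file_t hits keyed by device; the httpd denial is skipped because its target carries a real label.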

