Bug 314531 - NM SELinux denial - dhclient.leases mislabeled?
Product: Fedora
Classification: Fedora
Component: NetworkManager
All Linux
low Severity medium
Assigned To: Dan Williams
Fedora Extras Quality Assurance
Reported: 2007-10-01 15:12 EDT by Zack Cerza
Modified: 2008-02-07 14:24 EST
Doc Type: Bug Fix
Last Closed: 2008-02-07 14:24:26 EST

Description Zack Cerza 2007-10-01 15:12:43 EDT
Description of problem:
I saw this around the same time that I found a NetworkManager segfault. I'll try
to get a better backtrace on that and report it later.

    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:file_t:s0
Target Objects                None [ file ]
Affected RPM Packages         dhclient-3.0.6-5.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-14.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     megadoomer
Platform                      Linux megadoomer 2.6.23-0.214.rc8.git2.fc8 #1 SMP
                              Fri Sep 28 17:38:00 EDT 2007 i686 i686
Alert Count                   1
First Seen                    Mon 01 Oct 2007 03:05:22 PM EDT
Last Seen                     Mon 01 Oct 2007 03:05:22 PM EDT
Local ID                      279f88a9-aa51-4060-92b4-8c0fd1bb3bdc
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 exe=/sbin/dhclient
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=dhclient.leases pid=10300
scontext=system_u:system_r:dhcpc_t:s0 sgid=0 subj=system_u:system_r:dhcpc_t:s0
suid=0 tclass=file tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0

Version-Release number of selected component (if applicable):
Comment 1 Dan Williams 2007-10-01 16:33:59 EDT
dwalsh; what's needed here?  dhclient itself creates the leasefile, I assume it
needs some smarts to relabel the leasefile when it creates it?  NM tells
dhclient _where_ to put the leases, but doesn't actually create the leasefile
Comment 2 Dan Williams 2007-10-01 16:35:37 EDT
Actually, this may not be related to NM, because NM will always spawn dhclient
with a leasefile argument like "dhclient-eth0.leases", and shouldn't ever pass
just 'dhclient.leases'.  I assume dhclient is probably just trying to read that
file by default or something.  Dave?
Comment 3 Daniel Walsh 2007-10-01 17:46:35 EDT
file_t indicates a file that never had a label on it.  So this looks like you
have run with selinux disabled.  You can fix the labeling by executing 

fixfiles restore

Of course NetworkManager should not segfault.  There is a bug in libsemanage
that has been preventing proper relabeling on autorelabel.
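
Added example, not part of the bug report or of any comment above: a small Python triage script that parses AVC denial records and flags those whose target context type is file_t, the unlabeled-file condition described in Comment 3. The first sample record is the raw audit message from this report joined onto one line; the second is constructed for contrast, and all function names are hypothetical.

```python
import re

# Permission list and key=value fields of an AVC denial record.
_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_RECORDS = [
    # Raw audit message from this report, joined onto one line.
    "avc: denied { read } for comm=dhclient dev=sda6 egid=0 euid=0 "
    "exe=/sbin/dhclient exit=-13 fsgid=0 fsuid=0 gid=0 items=0 "
    "name=dhclient.leases pid=10300 scontext=system_u:system_r:dhcpc_t:s0 "
    "sgid=0 subj=system_u:system_r:dhcpc_t:s0 suid=0 tclass=file "
    "tcontext=system_u:object_r:file_t:s0 tty=pts0 uid=0",
    # Constructed record in audit.log style with a properly labeled target.
    'type=AVC msg=audit(0000000000.000:1): avc:  denied  { write } for  pid=1 '
    'comm="example" name="example.conf" dev=sda1 '
    "scontext=system_u:system_r:dhcpc_t:s0 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file",
    "not an AVC record",
]

def parse_avc(record):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    match = _PERMS.search(record)
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in _FIELD.findall(record)}
    fields["perms"] = match.group(1).split()
    return fields

def context_type(context):
    """Extract the type from user:role:type[:level]; None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabeled_denials(records):
    """Return the denials whose target is file_t, i.e. a file with no label."""
    hits = []
    for record in records:
        avc = parse_avc(record)
        if avc and context_type(avc.get("tcontext", "")) == "file_t":
            hits.append(avc)
    return hits

if __name__ == "__main__":
    for avc in unlabeled_denials(SAMPLE_RECORDS):
        print("%s denied %s on %s (dev %s): target is unlabeled, relabel needed"
              % (avc["comm"], ",".join(avc["perms"]), avc["name"], avc["dev"]))
```
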
