Bug 351211 - denials from chkconfig
denials from chkconfig
Product: Fedora
Classification: Fedora
Component: dhcp (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
Depends On:
Blocks: F8Blocker
  Show dependency treegraph
Reported: 2007-10-24 15:57 EDT by Jesse Keating
Modified: 2013-01-09 21:42 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-25 12:46:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch for this (2.88 KB, patch)
2007-10-25 11:26 EDT, Bill Nottingham
no flags Details | Diff

  None (edit)
Description Jesse Keating 2007-10-24 15:57:06 EDT
SELinux is preventing chkconfig (dhcpc_t) "search" to (user_home_dir_t).

Source Context:  system_u:system_r:dhcpc_t:s0
Target Context:  system_u:object_r:user_home_dir_t:s0
Target Objects:  None [ dir ]

avc: denied { search } for comm=chkconfig dev=dm-3 name=root pid=16995
scontext=system_u:system_r:dhcpc_t:s0 tclass=dir
Comment 1 Jeremy Katz 2007-10-24 16:56:15 EDT
When do you get this?
Comment 2 Jesse Keating 2007-10-24 17:15:38 EDT
This happens if you run 'ifup' in /root/  (not sure about other locations,
didn't try them)
Comment 3 Bill Nottingham 2007-10-24 17:27:56 EDT
dhclient-script uses chkconfig to attempt to do some deranged service restarting
w.r.t. ypbind. I'm debating whether it should be taken out and shot repeatedly.
Comment 4 Bill Nottingham 2007-10-24 17:30:53 EDT
(i.e., don't change policy just yet)
Comment 5 Jeremy Katz 2007-10-24 23:50:20 EDT
Oh, ick.  One vote for taking it out...
Comment 6 Jesse Keating 2007-10-25 09:03:34 EDT
I do too.
Comment 7 Bill Nottingham 2007-10-25 11:26:22 EDT
Created attachment 237481 [details]
patch for this

Here's a patch that:

- doesn't actually use chkconfig to check the runlevel, as it's superfluous
(you can just check if ypbind is running)
- uses coreutils readlink rather than busybox (!)
Comment 8 David Cantrell 2007-10-25 12:46:19 EDT
Bill, thanks for the patch.  Really hate that script.  But it's slowly becoming
sane.  Or maybe I'm becoming insane.  I just recently gutted all of the dhcdbd
hacks in that script, so bring on more minus signs.

Note You need to log in before you can comment on or make changes to this bug.