Description of problem:
I've got an AVC denial from firestarter when it's using dhcp.

SELinux is preventing touch (dhcpc_t) "write" to ./firestarter (var_lock_t).

The SELinux type var_lock_t is a generic type for all files in the directory, and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usually indicates a mislabeled file. By default a file created in a directory gets the context of the parent directory, but SELinux policy has rules about the creation of directories that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1), the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (./firestarter) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file: restorecon -v './firestarter'. If the file context does not change from var_lock_t, then this is probably a bug in policy.

information:
host=localhost.localdomain type=AVC msg=audit(1209650589.445:620): avc: denied { write } for pid=4868 comm="touch" name="firestarter" dev=sda2 ino=430101 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1209650589.445:620): arch=c000003e syscall=2 success=no exit=-13 a0=7fff642d1d07 a1=941 a2=1b6 a3=38265520cc items=0 ppid=4852 pid=4868 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="touch" exe="/bin/touch" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-98.fc8
selinux-policy-targeted-3.0.8-98.fc8
firestarter-1.0.3-17.fc8

How reproducible:
sometimes

Additional info:
I can reproduce. When you set "IP address is assigned via DHCP" in firestarter's wizard, it hooks into the DHCP client by adding this line to /etc/dhclient-exit-hooks:

sh /etc/firestarter/firestarter.sh start

The script is run in the dhcpc_t domain and among other things it attempts to set the iptables rules. There are many AVC denials in permissive mode:

host=hammerfall type=AVC msg=audit(1209688871.380:542): avc: denied { create } for pid=1251 comm="iptables" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
host=hammerfall type=AVC msg=audit(1209688871.397:544): avc: denied { setopt } for pid=1254 comm="iptables" lport=255 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
host=hammerfall type=AVC msg=audit(1209688871.380:543): avc: denied { getopt } for pid=1251 comm="iptables" lport=255 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { execute } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { read } for pid=1251 comm="sh" name="iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
host=hammerfall type=AVC msg=audit(1209688871.368:541): avc: denied { execute_no_trans } for pid=1251 comm="sh" path="/sbin/iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
host=hammerfall type=AVC msg=audit(1209688878.722:548): avc: denied { write } for pid=1539 comm="touch" name="firestarter" dev=dm-2 ino=688200 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
host=hammerfall type=AVC msg=audit(1209688879.265:550): avc: denied { write } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
host=hammerfall type=AVC msg=audit(1209688879.264:549): avc: denied { search } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
host=hammerfall type=AVC msg=audit(1209688879.286:551): avc: denied { read } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
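The description above makes the triage point that a "write" denial on a generic type such as var_lock_t is usually a labeling problem (fix with restorecon), while the comment's denials on iptables_exec_t, rawip_socket and sysctl_net_t are the dhcpc_t domain lacking rules, which only a policy change can fix. The following is an added example, not code from the bug report or from the selinux-policy or firestarter projects: a small parser that reads raw audit records, groups the denials by (source type, target type, class) and applies that triage split. The sample records are copied from the report; the set of "generic" file types is an assumption and var_lock_t is the only one the report itself names.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records taken from this bug report, one record per line,
# plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1209650589.445:620): avc: denied { write } for pid=4868 comm="touch" name="firestarter" dev=sda2 ino=430101 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1209650589.445:620): arch=c000003e syscall=2 success=no exit=-13 comm="touch" exe="/bin/touch" subj=system_u:system_r:dhcpc_t:s0
type=AVC msg=audit(1209688871.380:542): avc: denied { create } for pid=1251 comm="iptables" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=rawip_socket
type=AVC msg=audit(1209688871.368:541): avc: denied { execute_no_trans } for pid=1251 comm="sh" path="/sbin/iptables" dev=dm-0 ino=196685 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1209688879.265:550): avc: denied { write } for pid=1524 comm="sh" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""

# Assumption: generic file types that many domains write into, where a denial is more likely
# a mislabeled object than a missing rule. var_lock_t is the one the report names.
GENERIC_FILE_TYPES = {"var_lock_t", "var_run_t", "var_t", "tmp_t", "etc_t"}

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the type is always the third field,
    # so the MLS range in "s0-s0:c0.c1023" does not disturb the split.
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "object": fields.get("path") or fields.get("name") or "",
    }


def triage(target_type, tclass):
    """Hint for what to check first, following the reasoning in the report."""
    if tclass in ("file", "dir") and target_type in GENERIC_FILE_TYPES:
        return "label"        # try restorecon -v on the object first
    if tclass == "file" and target_type.endswith("_exec_t"):
        return "transition"   # domain ran a labelled binary without a domain transition
    return "policy"           # the domain simply lacks the rule; needs a policy change


def summarise(audit_text):
    """Group denials by (source type, target type, class) with the permissions each needs."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        if rec["object"]:
            g["objects"].add(rec["object"])
    return {
        key: {
            "perms": sorted(v["perms"]),
            "comms": sorted(v["comms"]),
            "objects": sorted(v["objects"]),
            "triage": triage(key[1], key[2]),
        }
        for key, v in groups.items()
    }


if __name__ == "__main__":
    for (src, tgt, cls), info in summarise(SAMPLE_AUDIT).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(info['perms'])}  [{info['triage']}] "
              f"comm={','.join(info['comms'])} obj={','.join(info['objects'])}")
```

Run against a real system with `ausearch -m AVC -ts recent` piped into `summarise`; the "label" rows are the ones worth running restorecon on before filing a policy bug, and the "transition" and "policy" rows are what the selinux-policy fix for this report had to cover.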
Fixed in selinux-policy-3.3.1-47