Description of problem:
SELinux warnings are printed for dhcp. The system is running both client and server; it's not clear if the first is from the client or server, but the rest seem to be from the client.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-55.fc9.noarch
dhcp-4.0.0-15.fc9.i386

More information:
The following occurs after '/sbin/service network restart' (note: this system is also acting as a dhcp server, with very basic config):

SELinux is preventing ps (dhcpc_t) "sys_nice" to <Unknown> (dhcpc_t).
...
host=gap.netcore.fi type=AVC msg=audit(1211918279.660:348): avc: denied { sys_nice } for pid=29828 comm="ps" capability=23 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=capability
host=gap.netcore.fi type=SYSCALL msg=audit(1211918279.660:348): arch=40000003 syscall=3 success=yes exit=192 a0=5 a1=7d4960 a2=3ff a3=7d4900 items=0 ppid=29826 pid=29828 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=52 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

I also see the following AVCs but I'm not sure what caused them:

SELinux is preventing mv (dhcpc_t) "unlink" to ./ntp.conf.predhclient.eth0 (etc_t).
...
host=gap.netcore.fi type=AVC msg=audit(1211731066.882:1517): avc: denied { unlink } for pid=24649 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2 ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
host=gap.netcore.fi type=SYSCALL msg=audit(1211731066.882:1517): arch=40000003 syscall=38 success=yes exit=0 a0=bfd70b3b a1=bfd70b49 a2=805e2a8 a3=0 items=0 ppid=24620 pid=24649 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=69 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

SELinux is preventing mv (dhcpc_t) "rename" to ./ntp.conf.predhclient.eth0 (etc_t).
...
host=gap.netcore.fi type=AVC msg=audit(1211728162.810:1514): avc: denied { rename } for pid=23118 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2 ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
host=gap.netcore.fi type=SYSCALL msg=audit(1211728162.810:1514): arch=40000003 syscall=38 success=yes exit=0 a0=bfc9cf12 a1=bfc9cf31 a2=805e2a8 a3=0 items=0 ppid=23077 pid=23118 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=69 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

SELinux is preventing rm (dhcpc_t) "unlink" to ./resolv.conf.predhclient.eth0 (etc_t).
...
host=gap.netcore.fi type=AVC msg=audit(1211728162.805:1513): avc: denied { unlink } for pid=23116 comm="rm" name="resolv.conf.predhclient.eth0" dev=md2 ino=1069758 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
host=gap.netcore.fi type=SYSCALL msg=audit(1211728162.805:1513): arch=40000003 syscall=301 success=yes exit=0 a0=ffffff9c a1=bfd11f1d a2=0 a3=bfd11f1d items=0 ppid=23077 pid=23116 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=69 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
restorecon -R -v /etc/resol*

will fix the etc_t errors. Not sure how this got mislabeled.

sys_nice is fixed in selinux-policy-3.3.1-56.fc9.
I'm not sure if this is going to help, because the contexts didn't change(?):

[root@gap etc]# ls -laZ /etc/{ntp.,resol}*
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/ntp.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf~
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf.predhclient
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/ntp.conf.predhclient.eth0
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf~
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf.predhclient
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/resolv.conf.predhclient.eth0
[root@gap etc]# restorecon -R -v /etc/{ntp.,resol}*
bash: restorecon: command not found
[root@gap etc]# /sbin/restorecon -R -v /etc/{ntp.,resol}*
[root@gap etc]# ls -laZ /etc/{ntp.,resol}*
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/ntp.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf~
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/ntp.conf.predhclient
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/ntp.conf.predhclient.eth0
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf~
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf.predhclient
-rw-r--r-- root root unconfined_u:object_r:net_conf_t /etc/resolv.conf.predhclient.eth0
Well, the contexts are all correct now, so the AVC should not happen any longer. The problem was that the predhclient files had been labeled etc_t.
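Added example, not part of the bug report: a small Python triage helper that parses AVC records like the ones quoted above, counts denials by source type, target type, object class and permission, and flags file denials whose target type is not the one restorecon would assign (net_conf_t here, as the ls -Z output shows), which separates a mislabeled file from a genuine policy gap. The sample records are constructed from the lines in this report; the function names are my own.

```python
import re
from collections import Counter
# Constructed sample audit records, modelled on the AVC lines quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1211918279.660:348): avc: denied { sys_nice } for pid=29828 comm="ps" capability=23 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=capability
type=AVC msg=audit(1211731066.882:1517): avc: denied { unlink } for pid=24649 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2 ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1211728162.810:1514): avc: denied { rename } for pid=23118 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2 ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1211728162.805:1513): avc: denied { unlink } for pid=23116 comm="rm" name="resolv.conf.predhclient.eth0" dev=md2 ino=1069758 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials by (source type, target type, class, permission) for triage."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

def suspected_mislabels(text, expected_type, name_re):
    """File denials whose target name matches name_re but whose type is not
    expected_type: candidates for restorecon rather than for a policy change."""
    hits = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file" and rec["ttype"] != expected_type \
                and re.search(name_re, rec.get("name", "")):
            hits.add((rec["name"], rec["ttype"]))
    return sorted(hits)

if __name__ == "__main__":
    print(summarize(SAMPLE_AUDIT))
    print(suspected_mislabels(SAMPLE_AUDIT, "net_conf_t", r"\.predhclient"))
```

Run against a real log, the records come from /var/log/audit/audit.log; the sys_nice capability denial has no file target and is therefore left for a policy fix, as the maintainer's reply above indicates.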
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.