Bug 448607 - selinux dhcp_t AVCs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-05-27 16:05 EDT by Pekka Savola
Modified: 2008-11-17 17:04 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:04:20 EST
Attachments: None

Description Pekka Savola 2008-05-27 16:05:28 EDT
Description of problem:
SELinux warnings are printed for dhcp. The system is running both client and
server; it's not clear if the first is from the client or server, but the rest
seem to be from the client.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-55.fc9.noarch
dhcp-4.0.0-15.fc9.i386

More information:

The following occurs after '/sbin/service network restart' (note: this system is
also acting as a dhcp server, with very basic config):


SELinux is preventing ps (dhcpc_t) "sys_nice" to <Unknown> (dhcpc_t). 
...
host=gap.netcore.fi type=AVC msg=audit(1211918279.660:348): avc: denied {
sys_nice } for pid=29828 comm="ps" capability=23
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=capability

host=gap.netcore.fi type=SYSCALL msg=audit(1211918279.660:348): arch=40000003
syscall=3 success=yes exit=192 a0=5 a1=7d4960 a2=3ff a3=7d4900 items=0
ppid=29826 pid=29828 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts4 ses=52 comm="ps" exe="/bin/ps"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null) 

I also see the following AVC's but I'm not sure what caused them:

SELinux is preventing mv (dhcpc_t) "unlink" to ./ntp.conf.predhclient.eth0 (etc_t). 
...
host=gap.netcore.fi type=AVC msg=audit(1211731066.882:1517): avc: denied {
unlink } for pid=24649 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2
ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
host=gap.netcore.fi type=SYSCALL msg=audit(1211731066.882:1517): arch=40000003
syscall=38 success=yes exit=0 a0=bfd70b3b a1=bfd70b49 a2=805e2a8 a3=0 items=0
ppid=24620 pid=24649 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=69 comm="mv" exe="/bin/mv"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null) 

SELinux is preventing mv (dhcpc_t) "rename" to ./ntp.conf.predhclient.eth0 (etc_t). 
...
host=gap.netcore.fi type=AVC msg=audit(1211728162.810:1514): avc: denied {
rename } for pid=23118 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2
ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
host=gap.netcore.fi type=SYSCALL msg=audit(1211728162.810:1514): arch=40000003
syscall=38 success=yes exit=0 a0=bfc9cf12 a1=bfc9cf31 a2=805e2a8 a3=0 items=0
ppid=23077 pid=23118 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=69 comm="mv" exe="/bin/mv"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

SELinux is preventing rm (dhcpc_t) "unlink" to ./resolv.conf.predhclient.eth0 (etc_t). 
...
host=gap.netcore.fi type=AVC msg=audit(1211728162.805:1513): avc: denied {
unlink } for pid=23116 comm="rm" name="resolv.conf.predhclient.eth0" dev=md2
ino=1069758 scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
host=gap.netcore.fi type=SYSCALL msg=audit(1211728162.805:1513): arch=40000003
syscall=301 success=yes exit=0 a0=ffffff9c a1=bfd11f1d a2=0 a3=bfd11f1d items=0
ppid=23077 pid=23116 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=69 comm="rm" exe="/bin/rm"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-05-27 16:29:21 EDT
restorecon -R -v /etc/resol*

Will fix the etc_t errors.

Not sure how this got mislabeled.

sys_nice is fixed in selinux-policy-3.3.1-56.fc9
Comment 2 Pekka Savola 2008-05-28 01:15:19 EDT
I'm not sure if this is going to help, because the contexts didn't change(?):

[root@gap etc]# ls -laZ /etc/{ntp.,resol}*
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/ntp.conf
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf~
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf.predhclient
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/ntp.conf.predhclient.eth0
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf~
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf.predhclient
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/resolv.conf.predhclient.eth0
[root@gap etc]# restorecon -R -v /etc/{ntp.,resol}*
bash: restorecon: command not found
[root@gap etc]# /sbin/restorecon -R -v /etc/{ntp.,resol}*
[root@gap etc]# ls -laZ /etc/{ntp.,resol}*
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/ntp.conf
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf~
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/ntp.conf.predhclient
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/ntp.conf.predhclient.eth0
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf~
-rw-r--r--  root root system_u:object_r:net_conf_t     /etc/resolv.conf.predhclient
-rw-r--r--  root root unconfined_u:object_r:net_conf_t /etc/resolv.conf.predhclient.eth0
Comment 3 Daniel Walsh 2008-05-28 06:17:44 EDT
Well the contexts are all correct now.  So the AVC should not happen any
longer.  The problem was that the predhclient had been labeled etc_t.
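The thread above turns on one distinction: the etc_t denials were a mislabeled file (fixed by restorecon), while the sys_nice denial was a genuine gap in policy (fixed in selinux-policy-3.3.1-56.fc9). As an added example, not code from the bug report or from the selinux-policy project, the POSIX shell script below parses AVC records like the ones in the description into one summary line each and then applies the check that separates the two cases: a dry-run `restorecon -n -v` on the named file prints the relabel it would make, so output means "mislabeled, relabel it" and silence means "label already matches policy, the denial is a missing rule worth reporting". The sample records are the report's own, re-joined onto single lines; the `/etc` prefix for the `name=` basename (the audit PATH record that would give the full path is not in the report) and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Parses AVC denial records into "perm comm source_type target_type tclass name"
# and, for file-class denials, dry-runs restorecon to tell a mislabeled file
# apart from a policy gap. Sample records are copied from the report and
# re-joined onto single lines (constructed input for this example).

ASSUMED_DIR=/etc   # assumption: the name= basenames in these AVCs live in /etc

# Summarise one type=AVC record. Prints:
#   perm comm source_type target_type tclass name      (name is "-" when absent)
avc_summary() {
    printf '%s\n' "$1" | awk '
    {
        perm = ""; comm = ""; name = "-"; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                        # collect every perm up to "}"
                for (j = i + 1; j <= NF && $(j) != "}"; j++)
                    perm = (perm == "" ? $(j) : perm "," $(j))
            } else if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm)
            } else if ($i ~ /^name=/) {
                name = $i; sub(/^name="/, "", name); sub(/"$/, "", name)
            } else if ($i ~ /^scontext=/) {         # user:role:type:level -> type
                split($i, a, ":"); stype = a[3]
            } else if ($i ~ /^tcontext=/) {
                split($i, b, ":"); ttype = b[3]
            } else if ($i ~ /^tclass=/) {
                tclass = $i; sub(/^tclass=/, "", tclass)
            }
        }
        print perm, comm, stype, ttype, tclass, name
    }'
}

# Ask the loaded policy whether a file carries the label file_contexts expects.
# restorecon -n -v changes nothing and prints the relabel it would perform:
#   output    -> mislabeled; "restorecon -v PATH" is the fix (as in Comment 1)
#   no output -> label already matches policy; the denial is a missing allow
#                rule (as sys_nice was here) and belongs in a policy bug
label_check() {
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "no-selinux-tools"
    elif [ ! -e "$1" ]; then
        echo "missing-file"
    elif [ -n "$(restorecon -n -v "$1" 2>/dev/null)" ]; then
        echo "mislabeled"
    else
        echo "label-ok"
    fi
}

# One record in, summary plus verdict out. Only file-like classes have a
# label to check; capability denials (like sys_nice) are always policy.
triage() {
    summary=$(avc_summary "$1")
    set -- $summary
    case $5 in
        file|dir|lnk_file) verdict=$(label_check "$ASSUMED_DIR/$6") ;;
        *)                 verdict="not-a-file-object" ;;
    esac
    echo "$summary $verdict"
}

# Constructed samples: the report's AVC lines, each joined onto a single line.
AVC_SYS_NICE='type=AVC msg=audit(1211918279.660:348): avc: denied { sys_nice } for pid=29828 comm="ps" capability=23 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=capability'
AVC_UNLINK='type=AVC msg=audit(1211731066.882:1517): avc: denied { unlink } for pid=24649 comm="mv" name="ntp.conf.predhclient.eth0" dev=md2 ino=1069809 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'
AVC_RM='type=AVC msg=audit(1211728162.805:1513): avc: denied { unlink } for pid=23116 comm="rm" name="resolv.conf.predhclient.eth0" dev=md2 ino=1069758 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# Demo over the embedded samples. For live records on an audit-enabled host:
#   ausearch -m avc -ts recent | grep '^type=AVC' | while read -r l; do triage "$l"; done
for rec in "$AVC_SYS_NICE" "$AVC_UNLINK" "$AVC_RM"; do
    triage "$rec"
done
```

The silent `/sbin/restorecon -R -v` in Comment 2 is exactly the "label-ok" branch: by the time it was run the files already carried net_conf_t, which is why the relabel printed nothing and the AVCs stopped. Note that Comment 1's glob `/etc/resol*` would not have touched the ntp.conf.predhclient.eth0 file that the first two AVCs name; passing both paths, as Comment 2 does, covers all three.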
Comment 4 Daniel Walsh 2008-11-17 17:04:20 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
