Description of problem:

Whenever I boot up my machine, or restart the network, I am receiving the SELinux alert below. I do not know whether the problem is with SELinux, its policy, or dhclient, so I am picking up the component, which sounds most likely.

Version-Release number of selected component (if applicable):

    [jwi@mcjwi ~]$ rpm -qa | grep -i selinux
    selinux-policy-targeted-3.3.1-72.fc9.noarch
    libselinux-2.0.64-2.fc9.i386
    selinux-policy-3.3.1-72.fc9.noarch
    libselinux-python-2.0.64-2.fc9.i386
    [jwi@mcjwi ~]$ rpm -qa | grep -i dhclient
    dhclient-4.0.0-14.fc9.i386

How reproducible:

    sudo /etc/init.d/network restart

Actual results:

No problem reports

Expected results:

An SELinux alert is reported.

Additional info:

My network configuration is fairly trivial, I have only eth0 with the following configuration.

    # Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express
    DEVICE=eth0
    BOOTPROTO=dhcp
    HWADDR=00:15:c5:3a:c1:c5
    ONBOOT=yes
    DHCP_HOSTNAME=mcjwi.eur.ad.sag
    SEARCH="eur.ad.sag hq.sag"
    NM_CONTROLLED=no
    TYPE=Ethernet
    USERCTL=no
    PEERDNS=yes
    IPV6INIT=no

Summary:

SELinux is preventing the dhclient from using potentially mislabeled files (./services).

Detailed Description:

SELinux has denied dhclient access to potentially mislabeled file(s) (./services). This means that SELinux will not allow dhclient to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want dhclient to access this files, you need to relabel them using restorecon -v './services'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:

    Source Context                unconfined_u:system_r:dhcpc_t:s0
    Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
    Target Objects                ./services [ file ]
    Source                        dhclient
    Source Path                   /sbin/dhclient
    Port                          <Unknown>
    Host                          mcjwi.eur.ad.sag
    Source RPM Packages           dhclient-4.0.0-14.fc9
    Target RPM Packages
    Policy RPM                    selinux-policy-3.3.1-72.fc9
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   home_tmp_bad_labels
    Host Name                     mcjwi.eur.ad.sag
    Platform                      Linux mcjwi.eur.ad.sag 2.6.25.6-55.fc9.i686 #1 SMP Tue Jun 10 16:27:49 EDT 2008 i686 i686
    Alert Count                   16
    First Seen                    Fri 30 May 2008 12:40:05 AM CEST
    Last Seen                     Thu 03 Jul 2008 12:51:22 PM CEST
    Local ID                      fa07d8b2-2081-4138-99ed-3f881231ae6b
    Line Numbers

Raw Audit Messages

    host=mcjwi.eur.ad.sag type=AVC msg=audit(1215082282.574:105): avc: denied { read } for pid=5317 comm="dhclient" name="services" dev=sda3 ino=360451 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

    host=mcjwi.eur.ad.sag type=SYSCALL msg=audit(1215082282.574:105): arch=40000003 syscall=5 success=no exit=-13 a0=119f06 a1=80000 a2=1b6 a3=80000 items=0 ppid=5220 pid=5317 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
    restorecon /etc/services

There is a bug in the vmware rpm script that modifies the /etc/services but leaves it with a bad label.
Thanks, works indeed.
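
An added example, not part of the original report or of any project named in it: a Python sketch that parses raw AVC records like the one in the alert above and groups file denials whose target type suggests a mislabeled file, keyed by device and inode because the record carries only the basename. The SUSPECT_TYPES list and every sample line except the first are assumptions constructed for illustration.

```python
import re

# Assumption for this example: target types that point to a system file having
# been created or rewritten in a temporary/home context (not a policy-derived list).
SUSPECT_TYPES = {"rpm_script_tmp_t", "tmp_t", "user_tmp_t", "user_home_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    s, t = rec.get("scontext", "").split(":"), rec.get("tcontext", "").split(":")
    if len(s) < 3 or len(t) < 3:
        return None
    rec.update(serial=int(m.group(1)), perms=m.group(2).split())
    # A context is user:role:type:level; the type field drives the decision.
    rec["stype"], rec["ttype"] = s[2], t[2]
    return rec

def mislabel_findings(lines):
    """Group file denials with a suspect target type by (dev, inode)."""
    found = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "file" or rec["ttype"] not in SUSPECT_TYPES:
            continue
        f = found.setdefault((rec.get("dev"), rec.get("ino")), {
            "name": rec.get("name"), "ttype": rec["ttype"],
            "domains": set(), "perms": set(), "count": 0})
        f["domains"].add(rec["stype"])
        f["perms"].update(rec["perms"])
        f["count"] += 1
    return found

SAMPLE = [
    # First line is the AVC record from the report; the rest are constructed.
    'host=mcjwi.eur.ad.sag type=AVC msg=audit(1215082282.574:105): avc: denied { read } for pid=5317 comm="dhclient" name="services" dev=sda3 ino=360451 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1215082299.100:131): avc: denied { read } for pid=5400 comm="dhclient" name="services" dev=sda3 ino=360451 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1215082282.574:105): arch=40000003 syscall=5 success=no exit=-13',
    'type=AVC msg=audit(1215082300.200:132): avc: denied { getattr } for pid=6001 comm="example" name="example.conf" dev=sda3 ino=111111 scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
]
for (dev, ino), f in mislabel_findings(SAMPLE).items():
    print(f"{f['name']} (inode {ino} on {dev}) is labeled {f['ttype']}: {f['count']} denial(s)")
```

Once the inode is known, `find <mountpoint> -xdev -inum <ino>` recovers the full path to pass to restorecon.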