Bug 453933 - SELinux is preventing the dhclient from using potentially mislabeled files (./services).
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-07-03 07:11 EDT by Jochen Wiedmann
Modified: 2008-07-11 03:05 EDT
Last Closed: 2008-07-03 11:23:18 EDT


Description Jochen Wiedmann 2008-07-03 07:11:23 EDT
Description of problem:

Whenever I boot up my machine, or restart the network, I am receiving the
SELinux alert below. I do not know whether the problem is with SELinux, its
policy, or dhclient, so I am picking up the component, which sounds most
likely.

Version-Release number of selected component (if applicable):

    [jwi@mcjwi ~]$ rpm -qa | grep -i selinux
    selinux-policy-targeted-3.3.1-72.fc9.noarch
    libselinux-2.0.64-2.fc9.i386
    selinux-policy-3.3.1-72.fc9.noarch
    libselinux-python-2.0.64-2.fc9.i386
    [jwi@mcjwi ~]$ rpm -qa | grep -i dhclient
    dhclient-4.0.0-14.fc9.i386


How reproducible:
    sudo /etc/init.d/network restart

  
Actual results:
    No problem reports

Expected results:
    An SELinux alert is reported.


Additional info:
    My network configuration is fairly trivial, I have only eth0 with
    the following configuration.

    # Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express
    DEVICE=eth0
    BOOTPROTO=dhcp
    HWADDR=00:15:c5:3a:c1:c5
    ONBOOT=yes
    DHCP_HOSTNAME=mcjwi.eur.ad.sag
    SEARCH="eur.ad.sag hq.sag"
    NM_CONTROLLED=no
    TYPE=Ethernet
    USERCTL=no
    PEERDNS=yes
    IPV6INIT=no

Summary:

SELinux is preventing the dhclient from using potentially mislabeled files
(./services).

Detailed Description:

SELinux has denied dhclient access to potentially mislabeled file(s)
(./services). This means that SELinux will not allow dhclient to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want dhclient to access this files, you need to relabel them using
restorecon -v './services'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0
Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
Target Objects                ./services [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          mcjwi.eur.ad.sag
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     mcjwi.eur.ad.sag
Platform                      Linux mcjwi.eur.ad.sag 2.6.25.6-55.fc9.i686 #1 SMP
                              Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count                   16
First Seen                    Fri 30 May 2008 12:40:05 AM CEST
Last Seen                     Thu 03 Jul 2008 12:51:22 PM CEST
Local ID                      fa07d8b2-2081-4138-99ed-3f881231ae6b
Line Numbers                  

Raw Audit Messages            

host=mcjwi.eur.ad.sag type=AVC msg=audit(1215082282.574:105): avc:  denied  {
read } for  pid=5317 comm="dhclient" name="services" dev=sda3 ino=360451
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

host=mcjwi.eur.ad.sag type=SYSCALL msg=audit(1215082282.574:105): arch=40000003
syscall=5 success=no exit=-13 a0=119f06 a1=80000 a2=1b6 a3=80000 items=0
ppid=5220 pid=5317 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-07-03 11:23:18 EDT
restorecon /etc/services

There is a bug in the vmware rpm script that modifies the /etc/services but
leaves it with a bad label.

Comment 2 Jochen Wiedmann 2008-07-11 03:05:59 EDT
Thanks, works indeed.
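
A triage helper for the kind of denial in this report, added here as an illustration (it is not code from the bug report, setroubleshoot, or selinux-policy): it parses AVC records in the wrapped form shown under "Raw Audit Messages" and flags file denials whose target type looks like a leftover temporary or home label. The suffix heuristic and the function names are assumptions made for this example.

```python
import re

# AVC record exactly as wrapped in the report's "Raw Audit Messages" section.
REPORT_AVC = """\
host=mcjwi.eur.ad.sag type=AVC msg=audit(1215082282.574:105): avc:  denied  {
read } for  pid=5317 comm="dhclient" name="services" dev=sda3 ino=360451
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: a simplified heuristic, not setroubleshoot's plugin logic. A target
# type ending in tmp_t or home_t suggests a file that was created elsewhere and
# moved or rewritten into place without being relabeled.
SUSPECT_TYPE_RE = re.compile(r"(^|_)(tmp|home)_t$")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_denials(text):
    """Yield one dict per AVC denial; records are separated by blank lines."""
    for record in re.split(r"\n\s*\n", text):
        m = AVC_RE.search(" ".join(record.split()))  # undo line wrapping
        if not m:
            continue  # SYSCALL and other record types are skipped
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        fields["perms"] = m.group(1).split()
        yield fields


def mislabel_suspects(text):
    """Return (comm, name, source type, target type) for suspicious file denials."""
    hits = []
    for d in parse_denials(text):
        ttype = selinux_type(d.get("tcontext", ""))
        is_file = d.get("tclass") in ("file", "dir", "lnk_file")
        if is_file and ttype and SUSPECT_TYPE_RE.search(ttype):
            hits.append((d.get("comm"), d.get("name"),
                         selinux_type(d.get("scontext", "")), ttype))
    return hits


if __name__ == "__main__":
    for comm, name, stype, ttype in mislabel_suspects(REPORT_AVC):
        print(f"{comm} ({stype}) denied on '{name}' labeled {ttype}: compare with "
              "`matchpathcon <full path>`, then fix with `restorecon -v <full path>`")
```

The AVC record carries only the file's base name, so the full path (here `/etc/services`, per Comment 1) has to be resolved separately before running `restorecon`.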