Bug 456776 - SELinux is preventing dhclient (dhcpc_t) "write" to ./dhclient-eth0.pid
SELinux is preventing dhclient (dhcpc_t) "write" to ./dhclient-eth0.pid
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-07-26 20:31 EDT by Matthew Burse
Modified: 2008-07-29 16:21 EDT (History)
1 user (show)

See Also:
Fixed In Version: 79
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-29 16:21:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Matthew Burse 2008-07-26 20:31:28 EDT

SELinux is preventing dhclient (dhcpc_t) "write" to ./dhclient-eth0.pid

Detailed Description:

SELinux is preventing dhclient (dhcpc_t) "write" to ./dhclient-eth0.pid
(var_run_t). The SELinux type var_run_t, is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usual indicates a mislabeled file. By default
a file created in a directory has the gets the context of the parent directory,
but SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (./dhclient-eth0.pid)
was created with the wrong context, this domain will be denied. The usual
solution to this problem is to reset the file context on the target file,
restorecon -v './dhclient-eth0.pid'. If the file context does not change from
var_run_t, then this is probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v

Fix Command:

restorecon './dhclient-eth0.pid'

Additional Information:

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                ./dhclient-eth0.pid [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-14.fc9.x86_64
                              #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Sat 26 Jul 2008 08:16:34 PM EDT
Last Seen                     Sat 26 Jul 2008 08:25:03 PM EDT
Local ID                      c00492f3-e54b-4900-8ebc-3768c488e04e
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1217118303.22:321): avc:  denied 
{ write } for  pid=18979 comm="dhclient" name="dhclient-eth0.pid" dev=dm-0
ino=14631058 scontext=system_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1217118303.22:321):
arch=c000003e syscall=2 success=no exit=-13 a0=7fff8a422e9d a1=241 a2=1a4
a3=4000 items=0 ppid=1 pid=18979 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient"
exe="/sbin/dhclient" subj=system_u:system_r:dhcpc_t:s0 key=(null)

When i do what it tells me to do which is this command is gives me this error
aftwords even in root.

[root@localhost sbin]# restorecon -v './dhclient-eth0.pid'
restorecon:  stat error on ./dhclient-eth0.pid:  No such file or directory
[root@localhost sbin]#

As for a fix i have no idea how to fix this. If you can figure this out for me
give me a reply by email draxima@live.com thanks.
Comment 1 Daniel Walsh 2008-07-29 16:21:11 EDT
Please yum update selinux-policy-targeted

Note You need to log in before you can comment on or make changes to this bug.