468938 – selinux will not allow me to activate my NIC

Bug 468938 - selinux will not allow me to activate my NIC

Summary: selinux will not allow me to activate my NIC

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dhcp
Sub Component:
Version:	9
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	David Cantrell
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	469601 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-10-28 23:52 UTC by Bruce vaNorman
Modified:	2008-12-07 04:16 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-12-07 04:16:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bruce vaNorman 2008-10-28 23:52:53 UTC

Description of problem:
I added an Intel Pro/100 NIC to my sytsem board to see if that would help me get WOL working via system-config-network 1.5.10. SCN recognizes the NIC as hardware, but selinux gets in the way - as usual - when I try to activate it.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-99.fc9 (targeted)

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
SummarySELinux is preventing consoletype (consoletype_t) "read" to /var/lib/dhclient/dhclient-eth2.leases (dhcpc_state_t). Detailed DescriptionSELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/dhclient/dhclient-eth2.leases, restorecon -v '/var/lib/dhclient/dhclient-eth2.leases' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context:  unconfined_u:system_r:consoletype_tTarget Context:  unconfined_u:object_r:dhcpc_state_tTarget Objects:  /var/lib/dhclient/dhclient-eth2.leases [ file ]Source:  consoletypeSource Path:  /sbin/consoletypePort:  <Unknown>Host:  localhost.localdomainSource RPM Packages:  initscripts-8.76.4-1Target RPM Packages:  Policy RPM:  selinux-policy-3.3.1-99.fc9Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchall_fileHost Name:  localhost.localdomainPlatform:  Linux localhost.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 athlonAlert Count:  1First Seen:  Tue 28 Oct 2008 04:26:05 PM PDTLast Seen:  Tue 28 Oct 2008 04:26:05 PM PDTLocal ID:  5c21fc07-ffd0-47b7-94c1-7d0fe1e11bc3Line Numbers:  Raw Audit Messages :host=localhost.localdomain type=AVC msg=audit(1225236365.95:19): avc: denied { read } for pid=5091 comm="consoletype" path="/var/lib/dhclient/dhclient-eth2.leases" dev=sda8 ino=1042887 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1225236365.95:19): arch=40000003 syscall=11 success=yes exit=0 a0=8cf5598 a1=8cf5030 a2=8cf5250 a3=0 items=0 ppid=5090 pid=5091 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-10-29 13:43:01 UTC

This AVC would not block the activation, it is reporting a leaked file descriptor from dhclient.  consoletype does not need to look at the lease file.

If your nic comes up you can ignore this avc.

dhclient should close all open file descriptors before execing applications

fcntl(fd, F_SETFD, FD_CLOEXEC)

Comment 2 Fedora Update System 2008-10-30 01:00:01 UTC

dhcp-4.0.0-21.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-21.fc9

Comment 3 Fedora Update System 2008-10-30 12:56:52 UTC

dhcp-4.0.0-21.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-9302

Comment 4 Fedora Update System 2008-11-11 22:03:42 UTC

dhcp-4.0.0-22.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-22.fc9

Comment 5 Fedora Update System 2008-11-13 03:35:25 UTC

dhcp-4.0.0-22.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-9615

Comment 6 David Cantrell 2008-12-04 19:51:33 UTC

*** Bug 469601 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2008-12-07 04:16:08 UTC

dhcp-4.0.0-22.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.