Bug 468938 - selinux will not allow me to activate my NIC
selinux will not allow me to activate my NIC
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: dhcp (Show other bugs)
9
i386 Linux
medium Severity high
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
:
: 469601 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-28 19:52 EDT by Bruce vaNorman
Modified: 2008-12-06 23:16 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-06 23:16:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Bruce vaNorman 2008-10-28 19:52:53 EDT
Description of problem:
I added an Intel Pro/100 NIC to my sytsem board to see if that would help me get WOL working via system-config-network 1.5.10. SCN recognizes the NIC as hardware, but selinux gets in the way - as usual - when I try to activate it.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-99.fc9 (targeted)

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
SummarySELinux is preventing consoletype (consoletype_t) "read" to /var/lib/dhclient/dhclient-eth2.leases (dhcpc_state_t). Detailed DescriptionSELinux denied access requested by consoletype. It is not expected that this access is required by consoletype and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing AccessSometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/dhclient/dhclient-eth2.leases, restorecon -v '/var/lib/dhclient/dhclient-eth2.leases' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. Additional InformationSource Context:  unconfined_u:system_r:consoletype_tTarget Context:  unconfined_u:object_r:dhcpc_state_tTarget Objects:  /var/lib/dhclient/dhclient-eth2.leases [ file ]Source:  consoletypeSource Path:  /sbin/consoletypePort:  <Unknown>Host:  localhost.localdomainSource RPM Packages:  initscripts-8.76.4-1Target RPM Packages:  Policy RPM:  selinux-policy-3.3.1-99.fc9Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  catchall_fileHost Name:  localhost.localdomainPlatform:  Linux localhost.localdomain 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 athlonAlert Count:  1First Seen:  Tue 28 Oct 2008 04:26:05 PM PDTLast Seen:  Tue 28 Oct 2008 04:26:05 PM PDTLocal ID:  5c21fc07-ffd0-47b7-94c1-7d0fe1e11bc3Line Numbers:  Raw Audit Messages :host=localhost.localdomain type=AVC msg=audit(1225236365.95:19): avc: denied { read } for pid=5091 comm="consoletype" path="/var/lib/dhclient/dhclient-eth2.leases" dev=sda8 ino=1042887 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:object_r:dhcpc_state_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1225236365.95:19): arch=40000003 syscall=11 success=yes exit=0 a0=8cf5598 a1=8cf5030 a2=8cf5250 a3=0 items=0 ppid=5090 pid=5091 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-10-29 09:43:01 EDT
This AVC would not block the activation, it is reporting a leaked file descriptor from dhclient.  consoletype does not need to look at the lease file.

If your nic comes up you can ignore this avc.

dhclient should close all open file descriptors before execing applications

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 2 Fedora Update System 2008-10-29 21:00:01 EDT
dhcp-4.0.0-21.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-21.fc9
Comment 3 Fedora Update System 2008-10-30 08:56:52 EDT
dhcp-4.0.0-21.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-9302
Comment 4 Fedora Update System 2008-11-11 17:03:42 EST
dhcp-4.0.0-22.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-22.fc9
Comment 5 Fedora Update System 2008-11-12 22:35:25 EST
dhcp-4.0.0-22.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-9615
Comment 6 David Cantrell 2008-12-04 14:51:33 EST
*** Bug 469601 has been marked as a duplicate of this bug. ***
Comment 7 Fedora Update System 2008-12-06 23:16:08 EST
dhcp-4.0.0-22.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.