Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Summary:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf (NetworkManager_var_run_t).

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./nm-dhclient-eth0.conf,

restorecon -v './nm-dhclient-eth0.conf'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                ./nm-dhclient-eth0.conf [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-41.fc9.i686 #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Thu 20 Nov 2008 08:12:46 AM EST
Last Seen                     Thu 20 Nov 2008 08:12:46 AM EST
Local ID                      c9909fc1-cb7d-45ca-bcdb-bf428e63caf7
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1227186766.371:11): avc: denied { read } for pid=2179 comm="dhclient" name="nm-dhclient-eth0.conf" dev=sda3 ino=82450 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1227186766.371:11): arch=40000003 syscall=5 success=no exit=-13 a0=bfd8eedb a1=0 a2=bfd8d548 a3=91165c8 items=0 ppid=2048 pid=2179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
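The two raw audit records in the report above share the event id 1227186766.371:11, which is what ties the AVC denial to the failing syscall. The following is an added example, not part of the original report or of setroubleshoot: it groups audit records by event id and reduces the pair to the fields used when triaging a denial. The function names `parse_events` and `summarize` are assumptions made for this illustration.

```python
import errno
import re
from collections import defaultdict

# Raw audit records copied from the report above (one AVC, one SYSCALL).
SAMPLE = """\
host=localhost.localdomain type=AVC msg=audit(1227186766.371:11): avc: denied { read } for pid=2179 comm="dhclient" name="nm-dhclient-eth0.conf" dev=sda3 ino=82450 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1227186766.371:11): arch=40000003 syscall=5 success=no exit=-13 a0=bfd8eedb a1=0 a2=bfd8d548 a3=91165c8 items=0 ppid=2048 pid=2179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient" subj=system_u:system_r:dhcpc_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by event id (timestamp:serial) and record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, event_id = m.groups()
        # key=value pairs after the header; quoted values lose their quotes
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[event_id][rtype] = fields
    return dict(events)


def summarize(event):
    """Reduce one event's AVC and SYSCALL records to the triage fields."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    exit_code = int(sc.get("exit", 0))
    return {
        # SELinux context is user:role:type:level, so index 2 is the type
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "name": avc["name"],
        "exe": sc.get("exe"),
        # a negative syscall exit value is -errno (here -13)
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
    }


if __name__ == "__main__":
    for event_id, event in parse_events(SAMPLE).items():
        print(event_id, summarize(event))
```
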
Please update to the latest selinux-policy:

yum -y upgrade selinux-policy-targeted
This bug has cropped up again in F13 Beta.

Summary:

SELinux is preventing /sbin/dhclient "read" access to /var/run/nm-dhclient-wlan0.conf.

Detailed Description:

SELinux denied access requested by dhclient. /var/run/nm-dhclient-wlan0.conf may be a mislabeled. /var/run/nm-dhclient-wlan0.conf default SELinux type is NetworkManager_var_run_t, but its current type is var_run_t. Changing this file back to the default type, may fix your problem.
Henry, it looks like your problem is different. Some app created the file labeled var_run_t. It could be caused by other applications running with the wrong context, or you running an app that created the file, which we do not have policy for. Can you get this to happen repeatedly? Meaning you fix the context and some time in the future, it is mislabeled again?
You are correct, Daniel. Moving to bug 568575 https://bugzilla.redhat.com/show_bug.cgi?id=568575