Bug 472434 – Summary: SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf (NetworkManager_var_run_t). Detailed Description: SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this acc

Bug 472434 - Summary: SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf (NetworkManager_var_run_t). Detailed Description: SELinux denied access requested by dhclient. It is not expected that this access is required by dhclient and this acc

Summary:	Summary: SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-et...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	setroubleshoot (Show other bugs)
Sub Component:
Version:	9
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-11-20 15:16 EST by mrnatch221
Modified:	2010-04-19 14:15 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-11-20 16:49:42 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description mrnatch221 2008-11-20 15:16:57 EST

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Summary:

SELinux is preventing dhclient (dhcpc_t) "read" to ./nm-dhclient-eth0.conf
(NetworkManager_var_run_t).

Detailed Description:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nm-dhclient-eth0.conf,

restorecon -v './nm-dhclient-eth0.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:NetworkManager_var_run_t:s0
Target Objects                ./nm-dhclient-eth0.conf [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-41.fc9.i686
                              #1 SMP Thu Nov 13 20:52:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Thu 20 Nov 2008 08:12:46 AM EST
Last Seen                     Thu 20 Nov 2008 08:12:46 AM EST
Local ID                      c9909fc1-cb7d-45ca-bcdb-bf428e63caf7
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1227186766.371:11): avc:  denied  { read } for  pid=2179 comm="dhclient" name="nm-dhclient-eth0.conf" dev=sda3 ino=82450 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1227186766.371:11): arch=40000003 syscall=5 success=no exit=-13 a0=bfd8eedb a1=0 a2=bfd8d548 a3=91165c8 items=0 ppid=2048 pid=2179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient" exe="/sbin/dhclient" subj=system_u:system_r:dhcpc_t:s0 key=(null)



Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-11-20 16:49:42 EST

Please update to the latest selinux-policy

yum -y upgrade selinux-policy-targeted

Comment 2 Henry Kroll 2010-04-18 17:43:46 EDT

This bug has cropped up again in F13 Beta.

Summary:

SELinux is preventing /sbin/dhclient "read" access to
/var/run/nm-dhclient-wlan0.conf.

Detailed Description:

SELinux denied access requested by dhclient. /var/run/nm-dhclient-wlan0.conf may
be a mislabeled. /var/run/nm-dhclient-wlan0.conf default SELinux type is
NetworkManager_var_run_t, but its current type is var_run_t. Changing this file
back to the default type, may fix your problem.

Comment 3 Daniel Walsh 2010-04-18 22:17:59 EDT

Henry it looks like your problem is different.  Some app created the file labeled var_run_t.  It could be caused by other applications running with the wrong context, or you running an app that created the file, which we do not have policy for.  Can you get this to happen repeatedly?  Meaning you fix the context and some time in the future, it is mislabeled again?

Comment 4 Henry Kroll 2010-04-19 14:15:07 EDT

You are correct, Daniel. Moving to bug 568575 https://bugzilla.redhat.com/show_bug.cgi?id=568575

Note You need to log in before you can comment on or make changes to this bug.