Bug 474626 - ifup eth0 results in DHCP AVC (rewriting /etc/ntp.conf)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: David Cantrell
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-04 12:42 EST by Pekka Savola
Modified: 2008-12-16 15:32 EST
Last Closed: 2008-12-16 15:32:12 EST
Doc Type: Bug Fix

Attachments
Patch to fix dhclient-script to apply correct context to files (1.19 KB, text/plain)
2008-12-08 15:50 EST, Daniel Walsh

Description Pekka Savola 2008-12-04 12:42:22 EST
Description of problem:
If I do 'ifup eth0', where eth0 is a DHCP interface, you get an AVC.

'restorecon -R -v /etc' always produces the following after ifuping:

restorecon reset ./ntp.conf context system_u:object_r:dhcpc_state_t:s0->system_u:object_r:net_conf_t:s0

It seems to me that ifup (more specifically /sbin/dhclient-script, I'd guess), when it's putting NTP servers learned through DHCP into ntp.conf, is resetting SELinux context information when it rewrites ntp.conf?


Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-26.fc10

How reproducible:
ifup eth0 on dhcp interface where ntp option is advertised.

Actual results:
Two AVCs are printed (one for ./ntp.conf, one for /etc/ntp.conf) even though contexts have been fixed.

Expected results:
No AVCs.

Additional info:

Summary:

SELinux is preventing ntpd (ntpd_t) "read" to ./ntp.conf (dhcpc_state_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./ntp.conf,

restorecon -v './ntp.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ntpd_t
Target Context                system_u:object_r:dhcpc_state_t
Target Objects                ./ntp.conf [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          gap.netcore.fi
Source RPM Packages           ntp-4.2.4p5-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     gap.netcore.fi
Platform                      Linux gap.netcore.fi 2.6.27.5-117.fc10.i686 #1 SMP
                              Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Thu 04 Dec 2008 07:26:28 PM EET
Last Seen                     Thu 04 Dec 2008 07:26:28 PM EET
Local ID                      a5bee7f3-7692-46d1-a828-09941f9a1c1f
Line Numbers                  

Raw Audit Messages            

node=gap.netcore.fi type=AVC msg=audit(1228411588.717:40079): avc:  denied  { read } for  pid=20245 comm="ntpd" name="ntp.conf" dev=md2 ino=1069749 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

node=gap.netcore.fi type=SYSCALL msg=audit(1228411588.717:40079): arch=40000003 syscall=5 success=yes exit=4 a0=b8042d5a a1=0 a2=1b6 a3=0 items=0 ppid=20244 pid=20245 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
Comment 1 Pekka Savola 2008-12-04 12:43:22 EST
The other AVC is like this:

Summary:

SELinux is preventing ntpd (ntpd_t) "getattr" to /etc/ntp.conf (dhcpc_state_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by ntpd. It is not expected that this access is
required by ntpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /etc/ntp.conf,

restorecon -v '/etc/ntp.conf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:ntpd_t
Target Context                system_u:object_r:dhcpc_state_t
Target Objects                /etc/ntp.conf [ file ]
Source                        ntpd
Source Path                   /usr/sbin/ntpd
Port                          <Unknown>
Host                          gap.netcore.fi
Source RPM Packages           ntp-4.2.4p5-2.fc10
Target RPM Packages           ntp-4.2.4p5-2.fc10
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     gap.netcore.fi
Platform                      Linux gap.netcore.fi 2.6.27.5-117.fc10.i686 #1 SMP
                              Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Thu 04 Dec 2008 07:26:28 PM EET
Last Seen                     Thu 04 Dec 2008 07:26:28 PM EET
Local ID                      4f147d5b-44e4-4d53-b793-81060e608145
Line Numbers                  

Raw Audit Messages            

node=gap.netcore.fi type=AVC msg=audit(1228411588.717:40080): avc:  denied  { getattr } for  pid=20245 comm="ntpd" path="/etc/ntp.conf" dev=md2 ino=1069749 scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file

node=gap.netcore.fi type=SYSCALL msg=audit(1228411588.717:40080): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfb5b728 a2=428ff4 a3=b8cd75b8 items=0 ppid=20244 pid=20245 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ntpd" exe="/usr/sbin/ntpd" subj=unconfined_u:system_r:ntpd_t:s0 key=(null)
Comment 2 Daniel Walsh 2008-12-08 15:50:40 EST
Created attachment 326183
Patch to fix dhclient-script to apply correct context to files

This is a problem of dhclient-script moving files back to /etc but not correcting the file context.  The attached patch will fix this problem.
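As an added example (not part of the bug report or of the dhcp package), the script below parses the two AVC records quoted in the description and comment 1 and confirms the labelling problem Daniel describes in comment 2: it joins the records on (dev, ino), so the "read" record that only carries name= gets the path= of the "getattr" record, and then compares the file's actual type with the one restorecon printed in the description. The expected-type table and the remedy string are assumptions drawn from the report.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report, embedded here as sample input
# (line wrapping removed) so the script runs offline.
AVC_SAMPLE = [
    'node=gap.netcore.fi type=AVC msg=audit(1228411588.717:40079): avc:  denied  '
    '{ read } for  pid=20245 comm="ntpd" name="ntp.conf" dev=md2 ino=1069749 '
    'scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file',
    'node=gap.netcore.fi type=AVC msg=audit(1228411588.717:40080): avc:  denied  '
    '{ getattr } for  pid=20245 comm="ntpd" path="/etc/ntp.conf" dev=md2 ino=1069749 '
    'scontext=unconfined_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file',
]
# Expected label per path, taken from the restorecon output in the report (assumption).
EXPECTED_TYPE = {"/etc/ntp.conf": "net_conf_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC record as a dict (permissions plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if m is None or "type=AVC" not in line:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["perms"] = set(m.group(1).split())
    # A context is user:role:type[:range]; the type is what the policy checks.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def find_mislabeled(lines, expected=EXPECTED_TYPE):
    """Join AVC records on (dev, ino) so a name=-only record inherits the path=
    of a sibling record, then flag files whose label differs from the expected one."""
    by_inode = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file":
            by_inode[(rec["dev"], rec["ino"])].append(rec)
    findings = []
    for recs in by_inode.values():
        path = next((r["path"] for r in recs if "path" in r), None)
        if path in expected and recs[0]["ttype"] != expected[path]:
            findings.append({
                "path": path, "actual": recs[0]["ttype"], "expected": expected[path],
                "denied": sorted(set().union(*(r["perms"] for r in recs))),
                "subjects": sorted({r["stype"] for r in recs}),
                "remedy": "restorecon -v " + path,  # the fix setroubleshoot suggests
            })
    return findings
```

On the report's two records this yields one finding: /etc/ntp.conf labelled dhcpc_state_t instead of net_conf_t, with read and getattr denied to ntpd_t.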
Comment 3 David Cantrell 2008-12-16 15:32:12 EST
This problem does not exist with dhcp-4.0.0-33.fc10, the current version available for F-10.
