Description of problem:
Shouldn't /etc/hosts be in /etc/selinux/restorecond.conf? I don't have it here, and when I have scripts of my own in /etc/NetworkManager/dispatcher.d which mangle /etc/hosts according to my needs, I get the SELinux context of /etc/hosts hosed:

    [matej@viklef ~]$ sudo restorecon -v -R /etc/hosts
    /sbin/restorecon reset /etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:net_conf_t:s0

I have to fix the SELinux context after I got this AVC denial message:

    Souhrn:

    SELinux is preventing sudo (staff_sudo_t) "read" to ./hosts (etc_runtime_t).

    Podrobný popis:

    [SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

    SELinux denied access requested by sudo. It is not expected that this access is required by sudo and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

    Povolení přístupu:

    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./hosts,

    restorecon -v './hosts'

    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
    Další informace:

    Kontext zdroje                staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023
    Kontext cíle                  system_u:object_r:etc_runtime_t:s0
    Objekty cíle                  ./hosts [ file ]
    Zdroj                         sudo
    Cesta zdroje                  /usr/bin/sudo
    Port                          <Neznámé>
    Počítač                       viklef.ceplovi.cz
    RPM balíčky zdroje            sudo-1.6.9p17-5.fc10
    RPM balíčky cíle
    RPM politiky                  selinux-policy-3.5.13-41.fc10
    Selinux povolen               True
    Typ politiky                  targeted
    MLS povoleno                  True
    Vynucovací režim              Permissive
    Název zásuvného modulu        catchall_file
    Název počítače                viklef.ceplovi.cz
    Platforma                     Linux viklef.ceplovi.cz 2.6.27.12-170.2.5.fc10.x86_64 #1 SMP Wed Jan 21 01:33:24 EST 2009 x86_64 x86_64
    Počet upozornění              4
    Poprvé viděno                 St 4. únor 2009, 08:01:50 CET
    Naposledy viděno              St 4. únor 2009, 08:02:27 CET
    Místní ID                     a656d322-c54d-4cc9-85df-a4e9909aaefa
    Čísla řádků

    Původní zprávy auditu

    node=viklef.ceplovi.cz type=AVC msg=audit(1233730947.501:99): avc: denied { read } for pid=11175 comm="sudo" name="hosts" dev=dm-0 ino=197823 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

    node=viklef.ceplovi.cz type=SYSCALL msg=audit(1233730947.501:99): arch=c000003e syscall=2 success=yes exit=5 a0=7fdac60f2c10 a1=80000 a2=1b6 a3=7fdacafdc7a0 items=0 ppid=11129 pid=11175 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts2 ses=2 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
policycoreutils-2.0.57-14.fc10.x86_64

How reproducible:
100% with my scripts after every change in network
Add a restorecon /etc/hosts to your scripts.
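The reply above is the whole fix: a dispatcher script that rewrites /etc/hosts through a temp file and rename gives the new inode the writing domain's default label (etc_runtime_t in this report) rather than the net_conf_t the policy expects, and restorecon puts the file-context database's label back. The following is an added example of such a dispatcher script, not the reporter's own script or anything shipped by Fedora or NetworkManager; the hypothetical set_host_entry/relabel/label_ok helpers, the HOSTS_FILE override and the 192.0.2.10 / example.internal entry are all constructed for illustration. It edits one entry, relabels, and then uses restorecon's dry-run mode to verify that the label actually matches; the relabel steps are skipped on hosts without the SELinux tools so the editing part can be tested anywhere.

```shell
#!/bin/sh
# Hypothetical NetworkManager dispatcher script (added example, not the
# reporter's own): rewrite one /etc/hosts entry on "up" events and restore
# the SELinux label afterwards.
#
# Replacing /etc/hosts with a freshly written file gives it the creating
# domain's default label (etc_runtime_t in the bug report) instead of the
# net_conf_t the policy expects, so every replacement is followed by
# restorecon, which relabels according to the file-context database.

set -eu

# Constructed override so the script can be exercised against a scratch file.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# set_host_entry FILE IP NAME: drop any existing line that names NAME and
# append "IP NAME". Comment lines are kept untouched. The new content is
# written to a temp file in the same directory and renamed into place so
# readers never observe a half-written hosts file.
set_host_entry() {
    file=$1; ip=$2; name=$3
    tmp=$(mktemp "$(dirname "$file")/.hosts.XXXXXX")
    awk -v n="$name" '
        $1 ~ /^#/ { print; next }          # preserve comments verbatim
        {
            keep = 1
            for (i = 2; i <= NF; i++) if ($i == n) keep = 0
            if (keep) print
        }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$file"
}

# relabel FILE: put the policy's default SELinux context back on FILE.
# No-op where restorecon is absent so the script stays portable.
relabel() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$1"
    fi
}

# label_ok FILE: succeed when "restorecon -n -v" (dry run) would change
# nothing, i.e. the on-disk label already matches the file-context database.
label_ok() {
    if command -v restorecon >/dev/null 2>&1; then
        [ -z "$(restorecon -n -v "$1")" ]
    else
        return 0
    fi
}

# has_host_entry FILE IP NAME: succeed when exactly one "IP NAME" line exists.
has_host_entry() {
    count=$(awk -v ip="$2" -v n="$3" '$1 == ip && $2 == n { c++ } END { print c + 0 }' "$1")
    [ "$count" -eq 1 ]
}

# Dispatcher entry point: NetworkManager passes the interface name as $1 and
# the action as $2. Only act on "up", i.e. after a network change.
if [ "${2:-}" = "up" ]; then
    set_host_entry "$HOSTS_FILE" "192.0.2.10" "example.internal"   # constructed sample entry
    relabel "$HOSTS_FILE"
    label_ok "$HOSTS_FILE" || echo "warning: $HOSTS_FILE is still mislabeled" >&2
fi
```

Running restorecon after the rename is the cheap half; the label_ok check is what turns a silent relabel failure (for example restorecond not running, or a custom file context missing) into a logged warning rather than the next sudo denial.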