Bug 497839 - lots of dnsmasq selinux alerts
Summary: lots of dnsmasq selinux alerts
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F11Target
TreeView+ depends on / blocked
 
Reported: 2009-04-27 14:07 UTC by Peter Robinson
Modified: 2009-04-27 14:30 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-27 14:12:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Peter Robinson 2009-04-27 14:07:37 UTC 
I'm seeing alot of these alerts (166 in a couple of days) when running in enforcing mode on F11/rawhide latest.


Summary:

SELinux is preventing the dnsmasq from using potentially mislabeled files
(resolv.conf).

Detailed Description:

SELinux has denied dnsmasq access to potentially mislabeled file(s)
(resolv.conf). This means that SELinux will not allow dnsmasq to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want dnsmasq to access this files, you need to relabel them using
restorecon -v 'resolv.conf'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                resolv.conf [ file ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          neo
Source RPM Packages           dnsmasq-2.46-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-9.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     neo
Platform                      Linux neo 2.6.29.1-102.fc11.x86_64 #1 SMP Mon Apr
                              20 15:33:38 EDT 2009 x86_64 x86_64
Alert Count                   160
First Seen                    Sat 18 Apr 2009 11:56:19 AM BST
Last Seen                     Mon 27 Apr 2009 02:47:04 PM BST
Local ID                      736f1fa9-9335-42db-b12b-621b64485329
Line Numbers                  

Raw Audit Messages            

node=neo type=AVC msg=audit(1240840024.798:85): avc:  denied  { read } for  pid=2037 comm="dnsmasq" name="resolv.conf" dev=dm-0 ino=9783 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=neo type=SYSCALL msg=audit(1240840024.798:85): arch=c000003e syscall=2 success=no exit=-13 a0=42051e a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=2037 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-04-27 14:12:07 UTC 
You have a mislabeled resolv.conf file.  Looks like someone mv'd it from a users home directory.

restorecon /etv/resolv.conf

Will fix.
Comment 2 Peter Robinson 2009-04-27 14:30:34 UTC 
Ah, cool. I think I had to edit it at some point because NetworkManager munged it.
Note You need to log in before you can comment on or make changes to this bug.