Created attachment 358915: patch

Description of problem:
When a RHEL 5 machine boots, /var/run/* is deleted and in particular /var/run/utmp is removed and recreated, chmoded and chgrped. However, the security context is not set until the restorecond service starts. During that time the network service starts, and networks that provide the nisdomain dhcp option will get the following avc denied messages:

kernel: type=1400 audit(1249788594.546:7): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788594.546:8): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

The fix is to get the context type set to initrc_var_run_t rather than init_var_run_t, which is what rc.sysinit creates the file as.

Version-Release number of selected component (if applicable):
initscripts-8.45.30-2

How reproducible:

Steps to Reproduce:
1. install RHEL 5 with dhcp networking and selinux enforcing/permissive
2. set up dhcp to serve the nisdomain option (for dnsmasq it's "dhcp-option=40,$nisdomain")
3. boot system
4. check /var/log/messages or /var/log/audit/audit.log for avc denied errors like above

Actual results:
AVC errors in above problem description

Expected results:
/var/run/* contexts set correctly and no further avc denied errors.

Additional info:
This doesn't seem to break anything, but since it produces unwanted avc errors it should be corrected.
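The report above identifies the problem from two AVC records: a process in dhcpc_t reading utmp while the file still carries the init_var_run_t type that rc.sysinit gave it. The following shell script is an added example for checking a log for that pattern; it is not part of the bug report or of initscripts. It reads audit or syslog lines from stdin (the sample lines embedded below are constructed, two of them taken from the report plus an unrelated wtmp denial as a negative case), extracts the command, the source type and the target file type for every denial on a file named utmp, and counts how many hit a given target type. The live commands mentioned in the trailing comment (ls -Z, restorecon) are the standard SELinux tools for confirming and restoring the label on a running system.

```shell
#!/bin/sh
# Added example, not code from the bug report: find SELinux AVC denials on
# /var/run/utmp in a log and report which file type the denied access hit.

# Constructed sample input. The first two lines are the AVC records from the
# report (as they appear in /var/log/messages); the third is a made-up denial
# on a different file, included to show that it is ignored.
SAMPLE_AUDIT_LINES='kernel: type=1400 audit(1249788594.546:7): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788594.546:8): avc: denied { read } for pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788600.100:9): avc: denied { write } for pid=3500 comm="sshd" name="wtmp" dev=sda1 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# utmp_avc_types: read log lines from stdin and print one line per AVC denial
# whose target file name is utmp, formatted as: "<comm> <source_type> <target_type>".
# Works on both /var/log/messages lines (with the "kernel:" prefix) and raw
# /var/log/audit/audit.log records, since fields are matched by their key.
utmp_avc_types() {
    awk '/avc: +denied/ && /name="utmp"/ {
        comm = ""; s = ""; t = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm)
            }
            # scontext=user:role:type:level -> third colon-separated field is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        }
        print comm, s, t
    }'
}

# utmp_denials_hitting TYPE: read log lines from stdin and print the number of
# utmp denials whose target (file) type equals TYPE, e.g. init_var_run_t.
utmp_denials_hitting() {
    utmp_avc_types | awk -v want="$1" '$3 == want { n++ } END { print n + 0 }'
}

# Run the check over the constructed sample.
echo "utmp denials by (comm, source type, target type):"
printf '%s\n' "$SAMPLE_AUDIT_LINES" | utmp_avc_types | sort | uniq -c
n=$(printf '%s\n' "$SAMPLE_AUDIT_LINES" | utmp_denials_hitting init_var_run_t)
echo "denials on utmp still labelled init_var_run_t: $n"

# On a live system, the same check is:
#   utmp_denials_hitting init_var_run_t < /var/log/audit/audit.log
# and the current label can be inspected and reset to what policy specifies with:
#   ls -Z /var/run/utmp
#   restorecon -v /var/run/utmp
```

Run the script as-is to see the summary for the sample; pipe a real audit log into utmp_denials_hitting to confirm whether the denials stop after the fix (a count of zero for init_var_run_t after a reboot is the expected result listed in the report).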
Not quite correct, but close. Fixed upstream at: http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=9c489daad152a05c2d330f5cb92f49fadf45a084 Should be relatively easy to apply to a RHEL 5 code base.
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
initscripts-8.95.1-1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/initscripts-8.95.1-1
initscripts-8.95.1-1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0075.html