Bug 528398 - SELinux is preventing /sbin/dhclient "getcap" access.
Summary: SELinux is preventing /sbin/dhclient "getcap" access.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b032246dc6d...
: 528399 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-12 00:37 UTC by Thomas Moschny
Modified: 2009-10-12 20:55 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-12 20:55:49 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Thomas Moschny 2009-10-12 00:37:57 UTC 
Zusammenfassung:

SELinux is preventing /sbin/dhclient "getcap" access.

Detaillierte Beschreibung:

SELinux denied access requested by dhclient. It is not expected that this access
is required by dhclient and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  unconfined_u:system_r:dhcpc_t:s0
Zielkontext                   unconfined_u:system_r:dhcpc_t:s0
Zielobjekte                   None [ process ]
Quelle                        dhclient
Quellen-Pfad                  /sbin/dhclient
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            dhclient-4.1.0p1-11.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-24.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux (removed)
                              2.6.31.1-56.fc12.x86_64 #1 SMP Tue Sep 29 16:16:22
                              EDT 2009 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Mo 12 Okt 2009 06:28:49 CEST
Zuletzt gesehen               Mo 12 Okt 2009 02:37:07 CEST
Lokale ID                     28c67916-e4be-469f-ba84-828bd5401639
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1255307827.229:29787): avc:  denied  { getcap } for  pid=6175 comm="dhclient" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1255307827.229:29787): arch=c000003e syscall=125 success=no exit=-13 a0=7f7ebbbe26f4 a1=7f7ebbbe26fc a2=1 a3=7fff62964f70 items=0 ppid=6118 pid=6175 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,dhclient,dhcpc_t,dhcpc_t,process,getcap
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t self:process getcap;
Comment 1 Daniel Walsh 2009-10-12 13:33:11 UTC 
Looks like this should be in this policy.  Could you make sure your policy successfully installed.

yum reinstall selinux-policy-targeted


Make sure nothing breaks on the install.
Comment 2 Daniel Walsh 2009-10-12 13:33:47 UTC 
*** Bug 528399 has been marked as a duplicate of this bug. ***
Comment 3 Thomas Moschny 2009-10-12 20:55:49 UTC 
Ok, after reinstalling the policy and relabeling everything, the alert is not shown anymore.
Note You need to log in before you can comment on or make changes to this bug.