Summary: SELinux is preventing /bin/bash "write" access. Detailed Description: SELinux denied access requested by dhclient-script. It is not expected that this access is required by dhclient-script and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 Target Context system_u:object_r:sysctl_net_t:s0 Target Objects None [ file ] Source dhclient-script Source Path /bin/bash Port <Unknown> Host (removed) Source RPM Packages bash-4.0.35-2.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-78.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686 Alert Count 4 First Seen Tue 02 Feb 2010 09:48:40 PM HKT Last Seen Thu 04 Feb 2010 09:58:20 PM HKT Local ID 91a42de2-08e5-48a8-89c1-b12e4817ad05 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1265291900.244:16): avc: denied { write } for pid=1694 comm="dhclient-script" scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1265291900.244:16): arch=40000003 syscall=5 success=no exit=-13 a0=88a86d0 a1=8201 a2=0 a3=ffffffff items=0 ppid=1677 pid=1694 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="dhclient-script" exe="/bin/bash" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.6.32-78.fc12,catchall,dhclient-script,dhcpc_t,sysctl_net_t,file,write audit2allow suggests: #============= dhcpc_t ============== allow dhcpc_t sysctl_net_t:file write;
This looks like a leak. /bin/bash and dhclient-script would not write to this. Which application are you using to bring up your network?
I should have written a script /etc/dhcp/dhclient-eth1-up-hooks which should run whenever dhclient update the ip. This in turn run a script that contain iptables command to setup my firewall, extracts:- ... $IPTABLES -A INPUT -p udp -d $EXTIP --dport 4500 -j ACCEPT $IPTABLES -A INPUT -p 50 -d $EXTIP -j ACCEPT $IPTABLES -A INPUT -p 51 -d $EXTIP -j ACCEPT ... Hope this help. paul
Does everything work other then generating this AVC message?
No. Iptables command was denied... e.g. ... /etc/rc.firewall-iptables-stronger_P226g_f13: line 49: /sbin/iptables: Permission denied /etc/rc.firewall-iptables-stronger_P226g_f13: line 50: /sbin/iptables: Permission denied /etc/rc.firewall-iptables-stronger_P226g_f13: line 52: /sbin/iptables: Permission denied /etc/rc.firewall-iptables-stronger_P226g_f13: line 54: /sbin/iptables: Permission denied
To get this to work, you need to add a local policy module cat > mydhcpc.te << _EOF policy_module(mydhcp, 1.0) require { type dhcpc_t; } iptables_domtrans(dhcpc_t) __EOF make -f /usr/share/selinux/devel/Makefile semodule -i mydhcpc.pp Which will allow your configuration to work.