Summary:

SELinux is preventing /sbin/ifconfig from using potentially mislabeled files if_inet6.

Detailed Description:

SELinux has denied the ifconfig access to potentially mislabeled files if_inet6. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, chroot_exec_t, bin_t, cert_t, httpd_t, lib_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, usr_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, httpd_rotatelogs_exec_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, httpd_prewikka_htaccess_t, cluster_conf_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, httpd_log_t, httpd_rw_content, locale_t, httpd_unconfined_script_exec_t, krb5_conf_t, etc_t, fonts_t, proc_t, src_t, sysfs_t, abrt_var_run_t, krb5_keytab_t, httpd_ro_content, calamaris_www_t, httpd_config_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, pki_tps_etc_rw_t, abrt_t, sysctl_crypto_t, fail2ban_var_lib_t, lib_t, var_lib_t, udev_tbl_t, httpd_tmp_t, configfile, user_cron_spool_t, shell_exec_t, httpd_w3c_validator_htaccess_t, afs_cache_t, abrt_helper_exec_t, mysqld_etc_t, cvs_data_t, pki_ra_etc_rw_t, httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, textrel_shlib_t, httpd_php_exec_t, httpd_nagios_htaccess_t, ld_so_t, rpm_script_tmp_t, samba_var_t, pki_ra_var_lib_t, pki_ra_var_run_t, net_conf_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t, pki_ra_log_t, etc_runtime_t, httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, httpd_var_lib_t, httpd_var_run_t, gitosis_var_lib_t, ld_so_cache_t, httpd_squid_htaccess_t, httpd_munin_htaccess_t, pki_tps_var_lib_t, pki_tps_var_run_t, pki_tps_log_t, mailman_archive_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, httpd_cobbler_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_sys_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_nagios_script_exec_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_squid_script_exec_t, httpd_bugzilla_script_exec_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t, httpd_awstats_content_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_sys_script_exec_t, httpd_prewikka_script_exec_t, httpd_git_script_exec_t, httpd_munin_content_ra_t, httpd_munin_content_rw_t, httpd_cvs_script_exec_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_nagios_content_t, httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t, httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_apcupsd_cgi_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of if_inet6 so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'if_inet6'.
where FILE_TYPE is one of the types listed under Detailed Description above. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                if_inet6 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           net-tools-1.60-99.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-110.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux ipaserver.ipanetwork.org 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   7
First Seen                    Fri 30 Apr 2010 03:32:20 PM EST
Last Seen                     Fri 30 Apr 2010 03:32:20 PM EST
Local ID                      c2634f89-6035-4413-9617-0756c7a0ec9b
Line Numbers

Raw Audit Messages

node=ipaserver.ipanetwork.org type=AVC msg=audit(1272605540.29:35537): avc: denied { read } for pid=16965 comm="ifconfig" name="if_inet6" dev=proc ino=4026532078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

node=ipaserver.ipanetwork.org type=SYSCALL msg=audit(1272605540.29:35537): arch=40000003 syscall=5 success=no exit=-13 a0=8054e2e a1=0 a2=1b6 a3=805489d items=0 ppid=16964 pid=16965 auid=500 uid=48 gid=484 euid=48 suid=48 fsuid=48 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_bad_labels,ifconfig,httpd_t,proc_net_t,file,read

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t proc_net_t:file read;

Dan, I haven't done SELinux bug reports this way before, so let me know if you want them submitted differently or whatever. I've just installed F12 as a VM in Sun VirtualBox and have installed and configured an ipa server. Both times I added a user (ipa user-add) I got this AVC denial. I haven't modified the policy at all (yet).
Lost this bug in the flood. Do you still have this problem?
Dan, I've actually moved over to using VMware instead of Sun VirtualBox and don't recall seeing this particular issue (doesn't mean it's not there...). Perhaps close for now and if it comes up again (also shortly moving to F13 and with IPA updates) I'll file a new report.
You ought to try kvm...