Summary:

SELinux is preventing dhclient-script "execute" access on dhclient-exit-hooks.

Detailed Description:

SELinux denied access requested by dhclient-script. It is not expected that this
access is required by dhclient-script and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                dhclient-exit-hooks [ file ]
Source                        dhclient-script
Source Path                   dhclient-script
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Tue 03 Aug 2010 12:20:09 PM CEST
Last Seen                     Tue 03 Aug 2010 12:26:25 PM CEST
Local ID                      00505400-02ad-490a-a68c-2b9aec4c97ea
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1280831185.537:26244): avc: denied { execute } for pid=20042 comm="dhclient-script" name="dhclient-exit-hooks" dev=sda1 ino=12354 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Hash String generated from  catchall,dhclient-script,dhcpc_t,user_tmp_t,file,execute
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t user_tmp_t:file execute;
Original report follows:

From: Yves Dorfsman
Subject: weird pb with dhclient

I'm having a really weird problem with dhclient, on Fedora 13, and wonder if
you've got any idea:

I create a link in /etc/dhcp:

  ls -l /etc/dhcp/dhclient-exit-hooks
  lrwxrwxrwx. 1 root root 33 Aug  2 08:39 /etc/dhcp/dhclient-exit-hooks -> /export/utils/dhclient-exit-hooks

then:

  [ -x /etc/dhcp/dhclient-exit-hooks ] && echo yes
  yes

But dhclient never executes it (with set -x):

  + '[' -x /etc/dhcp/dhclient-exit-hooks ']'
  + exit 0

If I replace '-x' with '-h', it works, but this makes no sense to me since
'-x' works with a symbolic link from the shell.

Any idea?

Thanks.

--
Yves.
/sbin/dhclient-script runs hooks like this:

  ETCDIR="/etc/dhcp"
  if [ -x ${ETCDIR}/dhclient-exit-hooks ]; then
      . ${ETCDIR}/dhclient-exit-hooks
  fi

When /etc/dhcp/dhclient-exit-hooks is a regular executable file everything works fine. But when I move the file (e.g. to /tmp) and /etc/dhcp/dhclient-exit-hooks is a symlink to that file, [ -x ${ETCDIR}/dhclient-exit-hooks ] is evaluated as false in dhclient-script (even though it's evaluated as true in the shell). Moreover I get the above SELinux alert. With SELinux off (setenforce 0) everything works as expected. There's no problem in Fedora 12 and RHEL 6.
dhclient_t is not going to be allowed to execute something labeled tmp_t. If you labeled it bin_t it would probably work.

  chcon -t bin_t /tmp/dhclient.hook

Not putting stuff in /tmp and having dhclient execute it is probably a bad idea.
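Added example, not part of the bug report and not code from the dhcp or selinux-policy packages: a small Python script that parses the raw AVC record quoted in the alert above the way a triage tool would, prints the allow rule audit2allow would suggest for it, and flags the pattern seen in this bug (a daemon domain denied execute on a tmp-labelled file), where relabeling the hook (bin_t, outside /tmp) is the better fix than a local policy module widening dhcpc_t. The TMP_TYPES set, the SYSCALL line and the second denial in the sample log, and the helper names are assumptions made for the example.

```python
import re

# One AVC record as written by the kernel audit subsystem; the optional
# node= prefix is what setroubleshoot shows under "Raw Audit Messages".
AVC_RE = re.compile(
    r"(?:node=\S+\s+)?type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs after "for"; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Heuristic list of temporary-file types (an assumption for this example;
# the real policy defines more of them).
TMP_TYPES = {"tmp_t", "user_tmp_t", "tmpfs_t", "user_tmpfs_t"}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(fields)
    # The third field of a context is the type; allow rules are written on types.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """The rule audit2allow would print for this record."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], p)


def triage(rec):
    """'relabel' when a domain is denied execute on a tmp-labelled file
    (fix the label rather than widen policy), otherwise 'review'."""
    if (rec["result"] == "denied" and "execute" in rec["perms"]
            and rec["ttype"] in TMP_TYPES):
        advice = ("move %s out of the tmp location and label it bin_t "
                  "(chcon -t bin_t <path>) instead of allowing %s to execute %s"
                  % (rec.get("name", "<file>"), rec["stype"], rec["ttype"]))
        return "relabel", advice
    return "review", allow_rule(rec)


def parse_audit_log(text):
    """Parse every AVC record in a block of audit.log text, skipping the rest."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


# Constructed sample: the record from the alert above, a SYSCALL line the
# parser must skip, and a second made-up denial for contrast.
SAMPLE_AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1280831185.537:26244): avc: denied { execute } for pid=20042 comm="dhclient-script" name="dhclient-exit-hooks" dev=sda1 ino=12354 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1280831185.537:26244): arch=c000003e syscall=21 success=no exit=-13 comm="dhclient-script"
type=AVC msg=audit(1280831300.000:26300): avc: denied { read open } for pid=20100 comm="dhclient-script" name="example.conf" dev=sda1 ino=999 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        kind, detail = triage(rec)
        print("%d %s %s -> %s: %s" % (rec["serial"], rec["comm"], rec["tclass"], kind, detail))
```

Feed it `ausearch -m avc --raw` output instead of the sample and it will classify each denial the same way; the point of the "relabel" branch is that `allow dhcpc_t user_tmp_t:file execute;` would let the DHCP client run anything a user can drop in /tmp, which is exactly what the targeted policy is there to prevent.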
(In reply to comment #3)
> dhclient_t is not going to be allowed to execute something labeled tmp_t. If
> you labeled it bin_t it would probably work.

Yes it is, thanks.

> chcon -t bin_t /tmp/dhclient.hook
>
> Not putting stuff in /tmp and having dhclient execute it is probably a bad
> idea.

That was for testing purposes ;-)