Bug 621050 - SELinux is preventing /sbin/dhclient access to a leaked /root/barak_net.sh file descriptor.
Summary: SELinux is preventing /sbin/dhclient access to a leaked /root/barak_net.sh fi...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 13
Hardware: i386 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:62d41e40c58...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-04 06:11 UTC by Vytas
Modified: 2010-08-04 19:08 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-04 19:08:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Vytas 2010-08-04 06:11:41 UTC

SELinux is preventing /sbin/dhclient access to a leaked /root/barak_net.sh file

Detailed Description:

[dhclient has a permissive type (dhcpc_t). This access was not denied.]

SELinux denied access requested by the dhclient command. It looks like this is
either a leaked descriptor or dhclient output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root/barak_net.sh. You should generate a bugzilla on selinux-policy, and it
will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/barak_net.sh [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dhclient-4.1.1-22.P1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux aspire.one #1 SMP Fri
                              Jun 11 09:48:40 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 28 Jun 2010 06:21:31 PM EEST
Last Seen                     Mon 28 Jun 2010 06:21:31 PM EEST
Local ID                      37e457ce-dd25-4486-8058-b031f098ccee
Line Numbers                  

Raw Audit Messages            

node=aspire.one type=AVC msg=audit(1277738491.885:17): avc:  denied  { append } for  pid=2367 comm="dhclient" path="/root/barak_net.sh" dev=dm-0 ino=12182 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=aspire.one type=SYSCALL msg=audit(1277738491.885:17): arch=40000003 syscall=11 success=yes exit=0 a0=94d2b40 a1=94d26a8 a2=94bb260 a3=94d26a8 items=0 ppid=2104 pid=2367 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,dhclient,dhcpc_t,admin_home_t,file,append
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t admin_home_t:file append;

Comment 1 Vytas 2010-08-04 06:13:58 UTC
barak_net.sh here:
killall dhclient
ifconfig eth0 down
ifconfig eth0 hw ether MAC_here
ifconfig eth0 up
dhclient -v eth0

I use it for one of my net connections.

Comment 2 Daniel Walsh 2010-08-04 19:08:40 UTC
The problem is you have a script that is trying to append to a file in your /root dir.  If you moved this file to /var/log and ran restorecon on it, the code would work.

Or you can add custom policy

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Note You need to log in before you can comment on or make changes to this bug.