Summary:

SELinux is preventing /bin/bash "getattr" access on /bin/hostname.

Detailed Description:

[56dhclient has a permissive type (devicekit_power_t). This access was not denied.]

SELinux denied access requested by dhclient-script. It is not expected that this access is required by dhclient-script and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:devicekit_power_t:s0
Target Context                system_u:object_r:hostname_exec_t:s0
Target Objects                /bin/hostname [ file ]
Source                        56dhclient
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           hostname-3.04-2.fc14
Policy RPM                    selinux-policy-3.9.0-2.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 05 Sep 2010 01:08:46 PM PDT
Last Seen                     Sun 05 Sep 2010 01:08:47 PM PDT
Local ID                      05892e60-7c57-435e-aefa-4df990030cf5
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1283717327.142:61): avc: denied { getattr } for pid=2542 comm="dhclient-script" path="/bin/hostname" dev=dm-0 ino=395146 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1283717327.142:61): arch=c000003e syscall=4 success=yes exit=0 a0=2860360 a1=7fff80c966d0 a2=7fff80c966d0 a3=39c5681ba0 items=0 ppid=2533 pid=2542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:devicekit_power_t:s0 key=(null)

Hash String generated from catchall,56dhclient,devicekit_power_t,hostname_exec_t,file,getattr

audit2allow suggests:

#============= devicekit_power_t ==============
allow devicekit_power_t hostname_exec_t:file getattr;

After resuming from suspend-to-ram, I get 49 SELinux alerts. Many appear to be networking related, so it could be because: I have removed NetworkManager from my system and am using the network init script to manage networking. Networking resumes as expected.

setroubleshoot doesn't seem to have a way to generate a text summary listing all 49 alerts, so I will try to find another way. Maybe there is a possible enhancement ...

$ chkconfig --list | grep -i net
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

$ rpm -qa 'Net*' '*net*' 'init*' 'dhc*' | sort
dhclient-4.2.0-6.fc14.x86_64
gnome-netstatus-2.28.1-1.fc14.x86_64
initscripts-9.18-1.fc14.x86_64
libnetfilter_conntrack-0.0.101-1.fc13.x86_64
libnfnetlink-1.0.0-1.fc13.x86_64
net-tools-1.60-104.fc14.x86_64
NetworkManager-glib-0.8.1-6.git20100831.fc14.x86_64
system-config-network-1.6.1-1.fc14.noarch
system-config-network-tui-1.6.1-1.fc14.noarch
telnet-0.17-47.fc14.x86_64

Created attachment 443196
last 49 avc records from audit.log

[root@cedar audit]# grep avc audit.log | tail -49 > /tmp/audit-avc-49.1.log

Quick and dirty ... :-)

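An added example (not part of the bug thread, setroubleshoot or audit2allow): one way to turn a file of AVC records such as /tmp/audit-avc-49.1.log into the text summary asked for above, grouping denials by source type, target type and object class. The function names `summarize` and `allow_rules` are hypothetical, and the sample records are constructed except for the first, which is the AVC from this report.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 is the AVC from this report; records 2 and 3 are
# made up for illustration. Non-AVC records are ignored by the parser.
SAMPLE_LOG = '''\
node=(removed) type=AVC msg=audit(1283717327.142:61): avc: denied { getattr } for pid=2542 comm="dhclient-script" path="/bin/hostname" dev=dm-0 ino=395146 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1283717327.150:62): avc: denied { execute } for pid=2542 comm="dhclient-script" name="hostname" scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1283717327.160:63): avc: denied { read } for pid=2542 comm="dhclient-script" name="resolv.conf" scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1283717327.142:61): arch=c000003e syscall=4 success=yes exit=0 comm="dhclient-script" exe="/bin/bash"
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = m["scon"].split(":")[2]  # context is user:role:type:level
        ttype = m["tcon"].split(":")[2]
        g = groups[(stype, ttype, m["tclass"])]
        g["perms"].update(m["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            g["comms"].add(comm.group(1))
        g["count"] += 1
    return dict(groups)

def allow_rules(groups):
    """Render each group in audit2allow-like form, for review rather than loading."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for key, g in sorted(groups.items()):
        print(g["count"], key, sorted(g["comms"]))
    print("\n".join(allow_rules(groups)))
```

When every group shares one source type and one command name, as with dhclient-script running in devicekit_power_t here, the summary points at a missing domain transition rather than a list of allow rules to add.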
Reproduced:

1. remove all se alerts
2. relabel on reboot
3. suspend to ram
4. resume
5. unlock display

There are again 49 alerts.

NB: This was a clean install ("/" formatted) using the F14-Alpha net installer CD.

Fixed in selinux-policy-3.9.3-1.fc14

I think almost all of these can be fixed with

sysnet_domtrans_dhcpc(devicekit_power_t)

(In reply to comment #4)
> Fixed in selinux-policy-3.9.3-1.fc14
>
> I think almost all of these can be fixed with
>
> sysnet_domtrans_dhcpc(devicekit_power_t)

Thanks, Dan.

selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

(In reply to comment #6)
> selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
> https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

This update eliminates all 49 alerts after suspending and resuming. Thanks!

Update karma please.
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.