Description of problem:
After I upgraded -lab4 to the latest rawhide and rebooted into the newest kernel, the network failed to come up, leaving me unable to log in to the box. Rebooting with selinux=0 let the network come up so I could log in

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-4.fc15.noarch

How reproducible:
Always

Steps to Reproduce:
1. Upgrade to latest rawhide
2. reboot
3. Try to ssh in.

Actual results:
No network

Expected results:
Working network.

Additional info:
When I booted with enforcing=0, I found the following in /var/log/messages:

Oct 21 16:23:10 fenlason-lab4 kernel: [ 32.312530] type=1400 audit(1287692585.834:4): avc: denied { search } for pid=1126 comm="dhclient" name="pki" dev=sda2 ino=1632045 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
Oct 21 16:23:10 fenlason-lab4 kernel: [ 32.343260] type=1400 audit(1287692585.865:5): avc: denied { read } for pid=1126 comm="dhclient" name="openssl.cnf" dev=sda2 ino=1632289 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
Oct 21 16:23:10 fenlason-lab4 kernel: [ 32.352126] type=1400 audit(1287692585.874:6): avc: denied { open } for pid=1126 comm="dhclient" name="openssl.cnf" dev=sda2 ino=1632289 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
Oct 21 16:23:10 fenlason-lab4 kernel: [ 32.361950] type=1400 audit(1287692585.883:7): avc: denied { getattr } for pid=1126 comm="dhclient" path="/etc/pki/tls/openssl.cnf" dev=sda2 ino=1632289 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
Oct 21 16:23:10 fenlason-lab4 kernel: [ 34.160592] type=1400 audit(1287692587.682:8): avc: denied { getattr } for pid=1149 comm="dhclient-script" path="/etc/dhcp/dhclient.d/nis.sh" dev=sda2 ino=2156895 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Oct 21 16:23:10 fenlason-lab4 kernel: [ 34.171083] type=1400 audit(1287692587.693:9): avc: denied { read } for pid=1149 comm="dhclient-script" name="nis.sh" dev=sda2 ino=2156895 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Oct 21 16:23:10 fenlason-lab4 kernel: [ 34.181720] type=1400 audit(1287692587.703:10): avc: denied { open } for pid=1149 comm="dhclient-script" name="nis.sh" dev=sda2 ino=2156895 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file

Me too, but strangely only on i686 rawhide and not x86_64, both with selinux-policy-3.9.7-4 and dhclient-4.2.0-15

Let's clean up some of these AVC messages. Not sure why but '/etc/dhcp/dhclient.d/nis.sh' is mislabeled.

# matchpathcon /etc/dhcp/dhclient.d/nis.sh
/etc/dhcp/dhclient.d/nis.sh system_u:object_r:bin_t:s0

So execute

# restorecon -R -v /etc/dhcp/dhclient.d/

Then could you try to re-test it and make sure that the label is not changed using

# ls -lZ /etc/dhcp/dhclient.d/

Thanks.

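
The triage the reply above does by hand, as an added example (not part of the original report or of the selinux-policy project): it groups AVC denials by source type, target type and class, uses dev and ino to tie name-only records to a path, and marks a group `relabel` when the denied target type differs from the expected label. `SAMPLE` holds four denials copied from the report and `EXPECTED` the matchpathcon output from the reply; the function names and the verdict strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Four denials copied from the report above (syslog prefix trimmed).
SAMPLE = """\
type=1400 audit(1287692585.834:4): avc: denied { search } for pid=1126 comm="dhclient" name="pki" dev=sda2 ino=1632045 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=1400 audit(1287692585.865:5): avc: denied { read } for pid=1126 comm="dhclient" name="openssl.cnf" dev=sda2 ino=1632289 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=1400 audit(1287692587.682:8): avc: denied { getattr } for pid=1149 comm="dhclient-script" path="/etc/dhcp/dhclient.d/nis.sh" dev=sda2 ino=2156895 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=1400 audit(1287692587.693:9): avc: denied { read } for pid=1149 comm="dhclient-script" name="nis.sh" dev=sda2 ino=2156895 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
"""

# Expected label, as printed by matchpathcon in the reply above.
EXPECTED = {"/etc/dhcp/dhclient.d/nis.sh": "system_u:object_r:bin_t:s0"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def ctx_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def triage(text, expected):
    """Group denials by (source type, target type, class) and attach a verdict."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    # Only some records carry path=; dev+ino resolves the name-only ones.
    paths = {(r["dev"], r["ino"]): r["path"] for r in recs if "path" in r}
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "verdict": "policy-review"})
    for r in recs:
        obj = paths.get((r["dev"], r["ino"]), r.get("name"))
        g = groups[(ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"])]
        g["perms"].update(r["perms"])
        g["objects"].add(obj)
        # On-disk type differs from the expected label: fix the label, not the rules.
        if obj in expected and ctx_type(expected[obj]) != ctx_type(r["tcontext"]):
            g["verdict"] = "relabel"
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE, EXPECTED).items()):
        print(key, sorted(g["perms"]), sorted(g["objects"]), g["verdict"])
```
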
Fixed in selinux-policy-3.9.7-5.fc15
*** Bug 645969 has been marked as a duplicate of this bug. ***