Description of problem: Not yet in F18 but the NetworkManager in git has updates to support dynamic DNS with DHCPv6. This required writing an IPv6 configuration file for dhclient and having it write files also. On F18 (and F17 for that matter), I am running NetworkManager as of the git on 30 Nov 2012 to get the new DHCPv6 support. The following needs to be added to SELinux policy:

module NM4pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file { write create };
}

# fixup for NM changing file location with dhclient
# Wed 10 Oct 2012 04:25:07 AM EDT

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# dhcpc_var_run_t, net_conf_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t,
# dhcpc_state_t, var_run_t, root_t

#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file write;
allow dhcpc_t NetworkManager_var_lib_t:file create;
Gene, could you attach AVC msgs?
Created attachment 664592 [details] grep dhclient audit.log
I am the individual who created the NetworkManager patches to implement dynamic DNS for DHCPv6. During my testing, I found that some SELinux policies needed updating so that things would work. The policy changes shown above are the end result but do not show the steps along the way ... update the policy, try again, update the policy, try again. Similarly, the attached audit.log does not show the full story. If needed, I can virtually create the separate steps and provide that info. Here are the initial three steps:

------------------------------
module NM1pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# dhcpc_var_run_t, net_conf_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, root_t
allow dhcpc_t NetworkManager_var_lib_t:dir write;
-------------------------------

----------------------------------
module NM2pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir write;
----------------------------------------

-------------------------------------------
module NM3pol 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
-----------------------------------------------

Remember, it takes a NetworkManager from git dated 30 November or later ... it might even be a bit earlier but certainly not what is shipping with F18. It might be a little effort but I can easily go through the steps again (naturally, using qemu-kvm).
Created attachment 664598 [details] all four steps -- grep dhclient audit,log
I redid everything virtually on F18-TC2+; the attached audit.log has all "steps". Here are the results:

------------------------------------
module dhc-1 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir write;
}

#============= dhcpc_t ==============
#!!!! The source type 'dhcpc_t' can write to a 'dir' of the following types:
# net_conf_t, systemd_passwd_var_run_t, dhcpc_tmp_t, etc_t, tmp_t, dhcp_state_t, dhcpc_state_t, var_run_t, dhcpc_var_run_t
allow dhcpc_t NetworkManager_var_lib_t:dir write;
---------------------------------------------------

module dhc-2 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
}

#============= dhcpc_t ==============
allow dhcpc_t NetworkManager_var_lib_t:dir add_name;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir write;
-----------------------------------------------

module dhc-3 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file create;
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file create;
---------------------------------------

module dhc-4 1.0;

require {
	type NetworkManager_var_lib_t;
	type dhcpc_t;
	class dir { write add_name };
	class file { write create };
}

#============= dhcpc_t ==============
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:dir { write add_name };
allow dhcpc_t NetworkManager_var_lib_t:file write;
#!!!! This avc is allowed in the current policy
allow dhcpc_t NetworkManager_var_lib_t:file create;
=================================================

That is it folks!
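Added example, not part of the bug's attachments or of selinux-policy: a small Python reimplementation of the audit2allow-style aggregation the steps above went through, which merges every dhclient denial (dhcpc_t against NetworkManager_var_lib_t) from an audit log into one .te module instead of iterating one permission at a time. The AVC lines are constructed to match the denials this bug describes; the lease file name, pids, inodes and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the denials reported in this bug; names,
# pids, inodes and timestamps are invented, and the last line is unrelated noise.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1354320001.101:201): avc:  denied  { write } for  pid=2301 comm="dhclient" name="NetworkManager" dev="vda1" ino=131153 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1354320002.102:202): avc:  denied  { add_name } for  pid=2301 comm="dhclient" name="dhclient6-lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1354320003.103:203): avc:  denied  { create } for  pid=2301 comm="dhclient" name="dhclient6-lease" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
type=AVC msg=audit(1354320004.104:204): avc:  denied  { write } for  pid=2301 comm="dhclient" path="/var/lib/NetworkManager/dhclient6-lease" dev="vda1" ino=131160 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:NetworkManager_var_lib_t:s0 tclass=file
type=AVC msg=audit(1354320005.105:205): avc:  denied  { read } for  pid=9 comm="other" name="x" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    # Return the denial as a dict, or None for non-AVC / malformed lines.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        perms = set(DENIED_RE.search(line).group(1).split())
        stype = fields["scontext"].split(":")[2]   # user:role:type:level
        ttype = fields["tcontext"].split(":")[2]
        return {"comm": fields.get("comm", ""), "stype": stype, "ttype": ttype,
                "tclass": fields["tclass"], "perms": perms}
    except (AttributeError, KeyError, IndexError):
        return None

def collect_rules(log_text, comm="dhclient"):
    # Merge every denial for one command into {(stype, ttype, tclass): {perms}}.
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["comm"] == comm:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)

def build_te_module(name, rules):
    # Render merged rules as a .te module in the layout audit2allow prints.
    types = sorted({t for key in rules for t in key[:2]})
    per_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        per_class[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(per_class.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Feed `build_te_module("NMdhcpv6", collect_rules(SAMPLE_AUDIT_LOG))` to checkmodule/semodule_package as with any audit2allow output, and review that the merged rules really are limited to the dhcpc_t to NetworkManager_var_lib_t pair before loading them.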
Gene, thank you. Fixed in selinux-policy-3.11.1-65.fc18
Thanks Gene & Miroslav.
Actually added to selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.