On Fri, 12 Mar 2004 02:38, Aleksey Nogin <aleksey@xxxxxxxxx> wrote:
> audit(1079019200.094:0): avc: denied { net_admin } for pid=18206
> exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t
> tcontext=system_u:system_r:hotplug_t tclass=capability

What happens if you give /sbin/nameif the type ifconfig_exec_t?

> audit(1079019200.519:0): avc: denied { getattr } for pid=18144
> exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943
> scontext=system_u:system_r:hotplug_t
> tcontext=system_u:object_r:dhcp_etc_t tclass=file
> audit(1079019200.521:0): avc: denied { write } for pid=18221
> exe=/bin/bash name=etc dev=hda2 ino=228929
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { add_name } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=dir
> audit(1079019200.521:0): avc: denied { create } for pid=18221
> exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew
> scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t
> tclass=file

It looks like it's replacing the dhclient.conf file. We don't want to give
hotplug write access to etc_t (/etc/passwd); we could do the following:

file_type_auto_trans(hotplug_t, etc_t, dhcp_etc_t, { file lnk_file })

But then we might have the same problem with hotplug wanting to write some
other type of file. Could we use a /etc/dhcpc/ directory?

> audit(1079019200.778:0): avc: denied { dac_override } for pid=18241
> exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability
> audit(1079019203.873:0): avc: denied { fsetid } for pid=18339
> exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:system_r:dhcpc_t tclass=capability

I've already added dac_override to my tree, I'm still considering fsetid (see
my message in the other thread).
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
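The denials quoted in the thread, triaged the way an audit2allow-style pass would do it, as an added example that is not part of the original message: each AVC record is reduced to (source type, target type, class) and the permissions are merged, so the etc_t entries collapse into the single over-broad "allow hotplug_t etc_t:dir" rule that the reply argues should be replaced by a type transition to dhcp_etc_t instead. The sample records are constructed from the lines quoted above; the parser assumes the three-field contexts (user:role:type) of that era.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in the message above, one per line.
SAMPLE_AVC = """\
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
"""

# Permissions sit between the braces; scontext/tcontext/tclass come later in the record.
AVC_RE = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]*)\} .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)

def parse_avc(text):
    """Yield (source_type, target_type, tclass, [perms]) for every denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line.lstrip("> "))  # tolerate mail-quoted pastes
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]  # user:role:type -> type
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), m.group("perms").split()

def summarize(text):
    """Merge denials into {(source, target, class): set(perms)}.

    A target type equal to the source type (capabilities, for instance) is
    rendered as 'self', matching policy-language convention."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        key = (stype, "self" if ttype == stype else ttype, tclass)
        rules[key].update(perms)
    return dict(rules)

def render_allow_rules(text):
    """Render the merged denials as old-style 'allow' rules, one per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(text).items())]

if __name__ == "__main__":
    print("\n".join(render_allow_rules(SAMPLE_AVC)))
```

The rendered rules are a starting point for review, not policy to paste in: the etc_t lines are exactly the access the reply declines to grant directly.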