Re: AVC Denied Dhcp and Iptables.

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

piotreek wrote:
> Hi guys i found some strange messages in my logs. It seams that 
> selinux is blocking a dhcp  an Iptables.
> I found similar post on group about DHCP but my messages are 
> different.I am using FC7 latest policy update didn't resolve the problem.
> P.S I am using firestater as my firewall.
I believe you will need to write custom policy to make this work.  You 
can simply add these rules using audit2allow.

# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc

# semodule -i mydhcpc.pp

Having dhcpc allowed to turn on/off firewall rules is of debatable 
security risk.
> Have a look
>
>  Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc:  denied  
> { execute } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc:  denied  
> { getattr } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc:  denied  
> { getattr } for  pid=1775 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc:  denied  
> { execute } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc:  denied  
> { getattr } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc:  denied  
> { getattr } for  pid=1776 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc:  denied  
> { execute } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc:  denied  
> { getattr } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc:  denied  
> { getattr } for  pid=1778 comm="sh" name="iptables" dev=sdb1 
> ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 
> tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
> Jun  7 08:08:54 c79-70 kernel: audit(1181196527.975:13): 
> audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
> Greatings Peter
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list