Daniel J Walsh wrote:
> piotreek wrote:
>> Hi guys, I found some strange messages in my logs. It seems that
>> SELinux is blocking dhcp and iptables.
>> I found a similar post on the group about DHCP but my messages are
>> different. I am using FC7; the latest policy update didn't resolve the problem.
>> P.S. I am using Firestarter as my firewall.
> I believe you will need to write custom policy to make this work. You
> can simply add these rules using audit2allow.
> # grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
> # semodule -i mydhcpc.pp
> Having dhcpc allowed to turn on/off firewall rules is of debatable
> security risk.
I'm noticing similar behavior with dhcp and ntp. It seems that for some
reason the dhcp client is trying to play with ntp (probably because I
define the ntp server in the dhcp server config) and failing:
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for
pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for
pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for
pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for
pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for
pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966
scontext=system_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=file
I can easily write a custom policy to allow this, but it feels like a
common enough configuration (ntp server configured by dhcp) that there
should be a global policy (or boolean?) to allow this to work.
--Mike
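The thread's recipe is "grep the denials, pipe them through audit2allow -M, semodule -i the result", and Dan's caveat is that the resulting rules deserve a look before they are loaded. The script below is an added example, not code from the list or from audit2allow: it parses the five AVC lines Mike posted (copied from the message above, rejoined onto one line each, with his pids and inodes) into the allow rules that a .te module would contain, and then flags every rule that grants write-like access, which is the part a reviewer has to justify. The module name mydhcpc follows Dan's command; the WRITE_LIKE permission set and the review() helper are my own choices, and the .te rendering is a re-implementation of the output shape, not audit2allow itself.

```python
"""Turn SELinux AVC denials into reviewable allow rules.

Added example for the fedora-selinux-list thread on dhcpc_t denials;
not audit2allow and not the poster's code.  The rule-generation mimics
the shape of an audit2allow -M module so the result can be read before
`semodule -i` is run.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials from the post, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
"""

# Pull the permission set, both security contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} from raw audit log text.

    Denials for the same (source, target, class) triple are merged, the way
    audit2allow folds several AVC records into one allow rule.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL records, blank lines, ...)
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def to_te(rules, module="mydhcpc", version="1.0"):
    """Render the rules as a .te module: header, require block, allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


# Permissions that let the source domain change something rather than just read it.
# Assumption of this example: these are the ones worth a second look before loading.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "add_name", "remove_name"}


def review(rules):
    """Return [(source, target, tclass, [risky perms])] for every rule granting write-like access."""
    flagged = []
    for (s, t, cls), perms in sorted(rules.items()):
        risky = sorted(perms & WRITE_LIKE)
        if risky:
            flagged.append((s, t, cls, risky))
    return flagged


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print(to_te(found))
    for s, t, cls, perms in review(found):
        print(f"REVIEW: {s} would be allowed to {', '.join(perms)} on {t}:{cls}")
```

Run against the five posted denials this collapses them into two rules, `allow dhcpc_t var_lock_t:dir { add_name remove_name };` and `allow dhcpc_t var_lock_t:file { create unlink write };`, and flags both, since everything dhcpc_t is asking for here is a modification of /var/lock contents rather than a read. That is exactly the judgement call Dan raises for the firewall case: the generated module will load fine, but it is granting a network-facing client domain write access to a type it did not previously own.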
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list