F9 dhcp client cannot backup resolv.conf, nor write ntp.conf


 



It seems the policy needs an update to allow the dhclient-script to 
work properly:

type=1400 audit(1206128117.122:4): avc:  denied  { write } for  
pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 
ino=26088 scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.122:5): avc:  denied  { unlink } for  
pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 
ino=26088 scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.252:6): avc:  denied  { rename } for  
pid=2485 comm="mv" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:7): avc:  denied  { write } for  
pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:8): avc:  denied  { write } for  
pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.256:9): avc:  denied  { append } for  
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:10): avc:  denied  { append } for  
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:11): avc:  denied  { append } for  
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:12): avc:  denied  { append } for  
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.258:13): avc:  denied  { append } for  
pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 
scontext=system_u:system_r:dhcpc_t:s0 
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file


# audit2allow -R < audit.log

# NOTE(review): raw audit2allow output built from audit.log. It turns each
# denial into an allow rule; review the result before loading it as a module.
require {
        type var_run_t;
        type dhcpc_t;
        type hald_acl_t;
        type etc_t;
        class dir write;
        class file { write rename unlink append };
}

#============= dhcpc_t ==============
# NOTE(review): this rule covers every file labelled etc_t, not only the two
# files named in the denials (resolv.conf.predhclient.eth3 and ntp.conf), so
# the DHCP client domain could modify or delete any generically labelled file
# under that type.
# The denials show tcontext unconfined_u:object_r:etc_t, which suggests the
# files may carry a generic label rather than a network-config type.
# Presumably relabelling them (e.g. restorecon) or a file-context fix in the
# distribution policy would be narrower than this rule; confirm first.
allow dhcpc_t etc_t:file { write rename unlink append };

#============= hald_acl_t ==============
# NOTE(review): unrelated to the dhclient problem. Every denial quoted in this
# message has scontext dhcpc_t, so this rule comes from other audit.log entries
# not shown here; evaluate it separately rather than bundling it with the fix.
allow hald_acl_t var_run_t:dir write;

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
