Re: dhclient denial F-11

On 07/10/2009 03:58 AM, Paul Howarth wrote:
I get one of these every time my DHCP lease is renewed:

type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
pid=31499 comm="mv" name="yp.conf.predhclient.br0"
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.

Paul..

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That is a new one; it looks like you started dhclient by hand, and it is running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool it is trying to create a file labeled system_u:object_r:net_conf_t:s0.

unconfined_u creating a file with a user type of system_u is a constraint violation.

The mv command tries to maintain the context of the
yp.conf.predhclient.br0 file, which must have been created by dhclient when it was run as a service, so you get this denial.

So I guess we need to allow dhcpc_t the ability to change the user component of a file.

Who said SELinux is not simple...  :^(

If you add the following in a module it should allow your app to work.


domain_obj_id_change_exemption(dhcpc_t)


Miroslav can you add this to sysnetwork.te for F10, F11.

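The point in the reply above is that this denial is a constraint violation on the user component of the context, not a missing type-enforcement rule, so it has to be spotted by comparing the source and target users rather than by looking at the permission alone. The following is an added example, not code from the thread or from the selinux-policy project: it parses raw audit records like the ones Paul posted, flags denials where a domain creates or relabels a file whose SELinux user differs from its own, and renders the small local module that grants the exemption named in the reply. The sample records are the ones from the report rejoined onto single lines; the module name `local_objid_exemption` and the helper names are assumptions of this example.

```python
import re

# Constructed sample input: the two audit records from the report, rejoined onto
# one line each (the archive wrapped them) so they parse like raw audit.log lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274 items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')

# Permissions that set or change a file's identity; these are the operations the
# "SELinux user must match" constraint in the policy applies to.
IDENTITY_CHANGING = {"create", "relabelto", "relabelfrom"}


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons (s0:c0.c1023)."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "scontext": split_context(m.group("scontext")),
        "tcontext": split_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group("comm") if comm else None,
    }


def find_identity_mismatches(audit_text):
    """Flag denials where a domain creates/relabels an object under a different SELinux user.

    A plain allow rule for the permission would not fix these: the denial comes from
    the constraint on the user component, not from type enforcement.
    """
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not (IDENTITY_CHANGING & set(rec["perms"])):
            continue
        if rec["scontext"]["user"] != rec["tcontext"]["user"]:
            findings.append({
                "comm": rec["comm"],
                "domain": rec["scontext"]["type"],
                "source_user": rec["scontext"]["user"],
                "target_user": rec["tcontext"]["user"],
                "target_type": rec["tcontext"]["type"],
                "perms": sorted(IDENTITY_CHANGING & set(rec["perms"])),
            })
    return findings


def render_exemption_module(findings, module_name="local_objid_exemption"):
    """Render a .te file granting the object-identity exemption to each flagged domain.

    The module name is a placeholder; the interface is the one named in the thread.
    Returns None when there is nothing to exempt.
    """
    domains = sorted({f["domain"] for f in findings})
    if not domains:
        return None
    lines = [f"policy_module({module_name}, 1.0)", "", "require {"]
    lines += [f"\ttype {d};" for d in domains]
    lines += ["}", ""]
    lines += [f"domain_obj_id_change_exemption({d})" for d in domains]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_identity_mismatches(SAMPLE_AUDIT)
    for f in found:
        print(f"{f['comm']} in {f['domain']}: {f['source_user']} -> {f['target_user']} "
              f"({f['target_type']}, {' '.join(f['perms'])})")
    print(render_exemption_module(found) or "no identity mismatches found")
```

Run against the sample it reports `mv in dhcpc_t: unconfined_u -> system_u (net_conf_t, create)` and prints a `.te` whose only rule is `domain_obj_id_change_exemption(dhcpc_t)`. Because that file uses `policy_module()` and a refpolicy interface, it has to be built with the policy headers (the selinux-policy-devel package, `make -f /usr/share/selinux/devel/Makefile local_objid_exemption.pp`) and then loaded with `semodule -i`; a raw `checkmodule` build without the headers will not resolve the interface.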
