On 07/10/2009 09:03 AM, Paul Howarth wrote:
On 10/07/09 13:50, Daniel J Walsh wrote:
On 07/10/2009 03:58 AM, Paul Howarth wrote:
I get one of these every time my DHCP lease is renewed:
type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274 items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
Paul..
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That is a new one. Looks like you started dhclient by hand, and it is
running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool
it is trying to create a file labeled system_u:object_r:net_conf_t:s0.
unconfined_u creating a file with a user component of system_u is a
constraint violation.
The mv command tries to maintain the context of the
yp.conf.predhclient.br0 file, which must have been created by dhclient
when it was run as a service, so you get this denial.
So I guess we need to allow dhcpc_t the ability to change the user
component of a file.
Who said SELinux is not simple... :^(
I seem to have a lot of processes like this:
# ps uaxZ|grep unconfined_u:system_r:
unconfined_u:system_r:auditd_t:s0 root 701 0.0 0.0 27464 428 ? S<sl Jun24 0:00 auditd
unconfined_u:system_r:audisp_t:s0 root 703 0.0 0.0 81920 420 ? S<sl Jun24 0:00 /sbin/audispd
unconfined_u:system_r:audisp_t:s0 root 704 0.0 0.0 97764 648 ? S< Jun24 0:00 /usr/sbin/sedispatch
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5678 0.0 0.0 89008 788 pts/0 S+ 14:00 0:00 grep unconfined_u:system_r:
unconfined_u:system_r:ntpd_t:s0 ntp 5700 0.0 0.0 58984 696 ? Ss Jun23 0:04 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
unconfined_u:system_r:dhcpc_t:s0 root 5702 0.0 0.0 6856 356 ? Ss Jun23 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient-br0.leases -pf /var/run/dhclient-br0.pid br0
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 5835 0.3 0.1 466888 2844 ? Sl Jun23 74:12 libvirtd --daemon
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 nobody 5895 0.0 0.0 12584 300 ? S Jun23 0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 root 9606 0.0 0.0 63236 312 ? Ss Jun23 0:00 /usr/sbin/sshd
unconfined_u:system_r:avahi_t:s0 avahi 9690 0.0 0.0 60036 912 ? Ss Jul01 0:00 avahi-daemon: registering [roary.local]
unconfined_u:system_r:avahi_t:s0 avahi 9691 0.0 0.0 59868 156 ? Ss Jul01 0:00 avahi-daemon: chroot helper
unconfined_u:system_r:rpcbind_t:s0 rpc 17479 0.0 0.0 18788 308 ? Ss Jun29 0:00 rpcbind -w
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 17538 0.0 0.0 100292 464 ? Ss Jun29 0:02 crond
Why are some processes starting in system_u and some in unconfined_u?
I'm always mindful to do "service xyz restart" rather than starting
things manually. It's not just one machine either.
Paul.
If you execute service xyz restart, xyz will run as unconfined_u; if the
system does it at boot, it will run as system_u. You can use run_init if
you choose to get it to run as system_u:
run_init service xyz restart
(If you want to use this form, put pam_rootok in /etc/pam.d/run_init,
for your sanity. :^))
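An added example, not from the thread: a small POSIX shell helper that does what Paul's grep did by eye, listing confined daemons (system_r) whose SELinux user is unconfined_u, i.e. services that were restarted from a login shell rather than by init or via run_init. The sample input is constructed from contexts in the thread; the "label,pid,comm" column layout is an assumption about the ps output you feed it.

```shell
#!/bin/sh
# Added example. Reads lines of the form "context pid comm" on stdin
# (e.g. from: ps -eo label,pid,comm) and prints one line per daemon
# that sits in system_r but carries the unconfined_u SELinux user.
# Such daemons were started by hand ("service xyz restart") and will
# create files labelled unconfined_u, which trips the user-component
# constraint seen in the AVC above.
find_manual_starts() {
    awk '
        # field 1 is user:role:type[:range]; split it on ":"
        $1 ~ /^unconfined_u:system_r:/ {
            split($1, ctx, ":")
            printf "%s\t%s\t%s\n", $2, ctx[3], $3   # pid, type, command
        }
    '
}

# Constructed sample: contexts/pids taken from the ps listing in the
# thread, with sshd and crond shown as init-started (system_u) for contrast.
sample_ps() {
cat <<'EOF'
LABEL PID COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023 9606 sshd
unconfined_u:system_r:dhcpc_t:s0 5702 dhclient
unconfined_u:system_r:ntpd_t:s0 5700 ntpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5678 grep
system_u:system_r:crond_t:s0-s0:c0.c1023 17538 crond
EOF
}

# Number of hand-started confined daemons in the sample (expected: 2).
count_manual_starts() {
    sample_ps | find_manual_starts | wc -l | tr -d ' '
}

# Stand-alone run: show the offenders from the constructed sample.
sample_ps | find_manual_starts
```

On a live box, `ps -eo label,pid,comm | find_manual_starts` gives the list of services to restart with run_init so their context (and the files they write) returns to system_u.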