On 07/10/2009 02:50 PM, Daniel J Walsh wrote:
On 07/10/2009 03:58 AM, Paul Howarth wrote:
I get one of these every time my DHCP lease is renewed:
type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
pid=31499 comm="mv" name="yp.conf.predhclient.br0"
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
Paul..
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That is a new one, looks like you started dhclient by hand, and it is
running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the
tool it is trying to create a file labeled
system_u:object_r:net_conf_t:s0.
unconfined_u creating a file with a user type of system_u is a
constraint violation.
The mv command tries to maintain the context of the
yp.conf.predhclient.br0 file, which must have been created by dhclient
when it was run as a service, so you get this denial.
So I guess we need to allow dhcpc_t the ability to change the user
component of a file.
Who said SELinux is not simple... :^(
If you add the following in a module it should allow your app to work.
domain_obj_id_change_exemption(dhcpc_t)
Miroslav can you add this to sysnetwork.te for F10, F11.
I will add this to selinux-policy-3.6.12-66.fc11 and
selinux-policy-3.5.13-67.fc10
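As an added example (not part of the thread), a small Python parser for AVC records shaped like the one Paul posted, with a check that flags the situation Dan describes: the SELinux user in the process's scontext differs from the user in the file's tcontext, which is what the identity-change constraint rejects. The sample line is constructed from the quoted denial, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample line, shaped like the AVC record quoted in the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for '
    'pid=31499 comm="mv" name="yp.conf.predhclient.br0" '
    'scontext=unconfined_u:system_r:dhcpc_t:s0 '
    'tcontext=system_u:object_r:net_conf_t:s0 tclass=file'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="quoted"
_VERDICT = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


@dataclass
class AvcRecord:
    verdict: str                       # "denied" or "granted"
    perms: list                        # e.g. ["create"]
    fields: dict = field(default_factory=dict)


def parse_avc(line):
    """Parse one audit AVC line into verdict, permission list and key=value fields."""
    m = _VERDICT.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' in MLS ranges."""
    user, role, type_, *level = ctx.split(':')
    return {"user": user, "role": role, "type": type_, "level": ":".join(level)}


def user_identity_mismatch(rec):
    """Return (subject_user, object_user) when the process's SELinux user differs
    from the object's, else None. That mismatch, not a missing type-enforcement
    rule, is what the thread's dhcpc_t 'create' denial boils down to."""
    if "scontext" not in rec.fields or "tcontext" not in rec.fields:
        return None                    # truncated record: nothing to compare
    subj = split_context(rec.fields["scontext"])["user"]
    obj = split_context(rec.fields["tcontext"])["user"]
    return (subj, obj) if subj != obj else None


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec.verdict, rec.perms, rec.fields["comm"], user_identity_mismatch(rec))
```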