Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 453933 - SELinux is preventing the dhclient from using potentially mislabeled files (./services).
Summary: SELinux is preventing the dhclient from using potentially mislabeled files (....
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-03 11:11 UTC by Jochen Wiedmann
Modified: 2008-07-11 07:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-03 15:23:18 UTC


Attachments (Terms of Use)

Description Jochen Wiedmann 2008-07-03 11:11:23 UTC
Description of problem:

Whenever I boot up my machine, or restart the network, I am receiving the
SELinux alert below. I do not know whether the problem is with SELinux, its
policy, or dhclient, so I am picking up the component, which sounds most
likely.

Version-Release number of selected component (if applicable):

    [jwi@mcjwi ~]$ rpm -qa | grep -i selinux
    selinux-policy-targeted-3.3.1-72.fc9.noarch
    libselinux-2.0.64-2.fc9.i386
    selinux-policy-3.3.1-72.fc9.noarch
    libselinux-python-2.0.64-2.fc9.i386
    [jwi@mcjwi ~]$ rpm -qa | grep -i dhclient
    dhclient-4.0.0-14.fc9.i386


How reproducible:
    sudo /etc/init.d/network restart

  
Actual results:
    No problem reports

Expected results:
    An SELinux alert is reported.


Additional info:
    My network configuration is fairly trivial, I have only eth0 with
    the following configuration.

    # Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express
    DEVICE=eth0
    BOOTPROTO=dhcp
    HWADDR=00:15:c5:3a:c1:c5
    ONBOOT=yes
    DHCP_HOSTNAME=mcjwi.eur.ad.sag
    SEARCH="eur.ad.sag hq.sag"
    NM_CONTROLLED=no
    TYPE=Ethernet
    USERCTL=no
    PEERDNS=yes
    IPV6INIT=no

Summary:

SELinux is preventing the dhclient from using potentially mislabeled files
(./services).

Detailed Description:

SELinux has denied dhclient access to potentially mislabeled file(s)
(./services). This means that SELinux will not allow dhclient to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want dhclient to access this files, you need to relabel them using
restorecon -v './services'. You might want to relabel the entire directory using
restorecon -R -v '.'.

Additional Information:

Source Context                unconfined_u:system_r:dhcpc_t:s0
Target Context                unconfined_u:object_r:rpm_script_tmp_t:s0
Target Objects                ./services [ file ]
Source                        dhclient
Source Path                   /sbin/dhclient
Port                          <Unknown>
Host                          mcjwi.eur.ad.sag
Source RPM Packages           dhclient-4.0.0-14.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     mcjwi.eur.ad.sag
Platform                      Linux mcjwi.eur.ad.sag 2.6.25.6-55.fc9.i686 #1 SMP
                              Tue Jun 10 16:27:49 EDT 2008 i686 i686
Alert Count                   16
First Seen                    Fri 30 May 2008 12:40:05 AM CEST
Last Seen                     Thu 03 Jul 2008 12:51:22 PM CEST
Local ID                      fa07d8b2-2081-4138-99ed-3f881231ae6b
Line Numbers                  

Raw Audit Messages            

host=mcjwi.eur.ad.sag type=AVC msg=audit(1215082282.574:105): avc:  denied  {
read } for  pid=5317 comm="dhclient" name="services" dev=sda3 ino=360451
scontext=unconfined_u:system_r:dhcpc_t:s0
tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file

host=mcjwi.eur.ad.sag type=SYSCALL msg=audit(1215082282.574:105): arch=40000003
syscall=5 success=no exit=-13 a0=119f06 a1=80000 a2=1b6 a3=80000 items=0
ppid=5220 pid=5317 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient"
subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-07-03 15:23:18 UTC
restorecon /etc/services

There is a bug in the vmware rpm script that modifies the /etc/services but
leaves it with a bad label.

Comment 2 Jochen Wiedmann 2008-07-11 07:05:59 UTC
Thanks, works indeed.



Note You need to log in before you can comment on or make changes to this bug.