On Thu, Dec 11, 2008 at 1:25 PM, Tarek W. <mailinglists@lonecoder.net> wrote:
iptables isn't low enough in the networking stack to block dhcpd. Only ebtables can look that low, and I don't think it's standard in Fedora.

T


On Thu, Dec 11, 2008 at 1:08 PM, Antonio Olivares <olivares14031@yahoo.com> wrote:
--- On Thu, 12/11/08, Paul Howarth <paul@city-fan.org> wrote:

> From: Paul Howarth <paul@city-fan.org>
> Subject: Re: iptables denied by selinux
> To: olivares14031@yahoo.com, "Fedora SELinux support list" <fedora-selinux-list@redhat.com>
> Date: Thursday, December 11, 2008, 1:38 AM
> Antonio Olivares wrote:
> > Dear all,
> >
> > I have still yet to make the dhcpd server work because of selinux.  I have been patient, but I am getting frustrated :(
> >
> > [olivares@localhost ~]$ dmesg | grep avc
> > type=1400 audit(1228956840.530:4): avc:  denied  { write } for  pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> > [olivares@localhost ~]$
> >
> > I have already run touch /.autorelabel; reboot and all of the other denials have been cleared but this one.  I am not yet taking selinux off or getting that desperate, because when I booted in enforcing=0 mode for other troubles, the dhcpd server still did not work, but the iptables message was still there :(
> >
> > Please advise me, I do not want to throw in the towel yet!
>
> Why do you think the DHCP server problem is SELinux related? The AVC here appears to be from starting the ip6tables service, and you say that the DHCP server still doesn't work in permissive mode...
>
> What, if any, messages do you see in /var/log/messages from dhcpd?
>
> Paul.

Well, I overlooked the 6 in ip6tables-resto and blamed it on SELinux.  Mr. Walsh added it to the policy to fix the other SELinux error, but the machines on the DHCP server get IPs, DNS and all and cannot surf, so I easily blamed it on SELinux.  Sorry for that.  What else could be interfering here?

Here's the output of tail -f /var/log/messages:

Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1

Sorry, but I overlooked the 6 in the SELinux denied AVC.  Does it make a difference with the server?

Thanks,

Antonio
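
Added example, not from anyone in the thread: a small Python triage script that parses the AVC line and the dhcpd syslog lines quoted above and answers the two questions Paul raises, namely which SELinux domain was actually denied (the type field of scontext, here iptables_t rather than dhcpd_t) and whether each client completed the DISCOVER/OFFER/REQUEST/ACK lease exchange. It assumes the stock dhcpd syslog wording shown in the thread and that dhcpd runs in the standard Fedora dhcpd_t domain; the sample lines are copied from the thread, with the eight DHCPINFORM/DHCPACK pairs regenerated from their timestamps.

```python
"""Log triage for the thread above (added example, not the list's own code).

Parses (1) the SELinux AVC denial and (2) the dhcpd syslog lines, then
answers: which SELinux domain was denied (is it dhcpd_t at all?) and whether
each client completed the DISCOVER/OFFER/REQUEST/ACK lease exchange.
"""
import re
from collections import defaultdict

# --- SELinux AVC parsing ------------------------------------------------
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DHCPD_DOMAIN = 'dhcpd_t'   # assumption: stock Fedora domain for /usr/sbin/dhcpd


def parse_avc(line):
    """Return the AVC's fields (perms, comm, scontext, tcontext, tclass, ...)
    plus 'sdomain', the type part of scontext, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['perms'] = m.group('perms').split()
    # scontext is user:role:type:level; policy rules key on the type
    fields['sdomain'] = fields.get('scontext', '::?').split(':')[2]
    return fields


# --- dhcpd syslog parsing -----------------------------------------------
DHCP_RE = re.compile(r'dhcpd: (?P<type>DHCP[A-Z]+)(?P<rest>.*)$')
MAC_RE = re.compile(r'\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b', re.I)
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
LEASE_SEQUENCE = ('DHCPDISCOVER', 'DHCPOFFER', 'DHCPREQUEST', 'DHCPACK')


def _in_order(seq, wanted):
    """True if every item of `wanted` occurs in `seq` in that order."""
    it = iter(seq)
    return all(any(x == w for x in it) for w in wanted)


def dhcp_summary(lines):
    """Per client MAC: ordered message types, whether the lease exchange
    completed, the leased IP, and how many DHCPINFORMs followed
    (INFORM only asks for options; it never assigns an address)."""
    ip_to_mac, events, informs = {}, defaultdict(list), defaultdict(int)
    for line in lines:
        m = DHCP_RE.search(line)
        if not m:
            continue
        typ, rest = m.group('type'), m.group('rest')
        mac, ip = MAC_RE.search(rest), IP_RE.search(rest)
        if typ == 'DHCPINFORM':
            # INFORM lines carry only the source IP; map it back to the MAC
            if ip and ip.group(1) in ip_to_mac:
                informs[ip_to_mac[ip.group(1)]] += 1
            continue
        if not mac:
            continue
        mac = mac.group(1).lower()
        if typ in ('DHCPOFFER', 'DHCPACK') and ip:
            ip_to_mac[ip.group(1)] = mac
        events[mac].append(typ)
    return {
        mac: {
            'lease_complete': _in_order(seq, LEASE_SEQUENCE),
            'ip': next((ip for ip, who in ip_to_mac.items() if who == mac), None),
            'informs': informs[mac],
            'messages': seq,
        }
        for mac, seq in events.items()
    }


def triage(avc_lines, syslog_lines):
    """Both views side by side: denied domains, and per-client DHCP outcome."""
    denied = [a for a in map(parse_avc, avc_lines) if a]
    return {
        'denied_domains': sorted({a['sdomain'] for a in denied}),
        'dhcpd_denied': any(a['sdomain'] == DHCPD_DOMAIN for a in denied),
        'clients': dhcp_summary(syslog_lines),
    }


# Sample input copied from the thread (AVC line re-joined onto one line).
SAMPLE_AVC = [
    'type=1400 audit(1228956840.530:4): avc:  denied  { write } for  pid=1499 '
    'comm="ip6tables-resto" path="/0" dev=devpts ino=2 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file',
]
SAMPLE_SYSLOG = [
    'Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1',
    'Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1',
    'Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.',
    'Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1',
    'Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1',
] + [
    line
    for ts in ('07:02:34', '07:02:37', '07:02:53', '07:02:57',
               '07:04:09', '07:04:13', '07:04:21', '07:04:25')
    for line in (f'Dec 11 {ts} localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1',
                 f'Dec 11 {ts} localhost dhcpd: DHCPACK to 192.168.0.2 (00:d0:b7:c1:09:58) via eth1')
]

if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_AVC, SAMPLE_SYSLOG), indent=2))
```

Run on the thread's data it reports denied_domains ['iptables_t'] and dhcpd_denied False, so the AVC is from ip6tables-restore writing to a pty and cannot be what stops dhcpd, and the one client shows lease_complete True with eight later INFORMs, which matches Antonio's observation that the machines do get addresses. Whatever keeps them from surfing therefore happens after address assignment, which the thread leaves open.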