iptables isn't low enough in the networking stack to block dhcpd. Only ebtables
can look that low and I don't think it's standard in Fedora.
T
On Thu, Dec 11, 2008 at 1:25 PM, Tarek W. <mailinglists(a)lonecoder.net>wrote:
> iptables isn't low enough in the networking stack to block dhcpd. Only
> ebtables can look that low and I don't think it's standard in Fedora.
> T
> On Thu, Dec 11, 2008 at 1:08 PM, Antonio Olivares <olivares14031(a)yahoo.com> wrote:
> --- On Thu, 12/11/08, Paul Howarth <paul(a)city-fan.org> wrote:
>
> > From: Paul Howarth <paul(a)city-fan.org>
> > Subject: Re: iptables denied by selinux
> > To: olivares14031(a)yahoo.com, "Fedora SELinux support list" <
> fedora-selinux-list(a)redhat.com>
> > Date: Thursday, December 11, 2008, 1:38 AM
> > Antonio Olivares wrote:
> > > Dear all,
> > >
> > > I have still yet to make the dhcpd server work because
> > > of selinux. I have been patient, but I am getting
> > > frustrated :(
> > >
> > > [olivares@localhost ~]$ dmesg | grep avc
> > > type=1400 audit(1228956840.530:4): avc: denied { write } for pid=1499 comm="ip6tables-resto" path="/0" dev=devpts ino=2 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
> > > [olivares@localhost ~]$
> > >
> > > I have already run touch /.autorelabel; reboot and all
> > > of the other denials have been cleared but this one. I am
> > > not yet taking selinux off or getting that desperate,
> > > because when I booted in enforcing=0 mode for other
> > > troubles, the dhcpd server still did not work, but the
> > > iptables message was still there :(
> > >
> > > Please advise me, I do not want to throw in the towel
> > > yet!
> >
> > Why do you think the DHCP server problem is SELinux
> > related? The AVC here appears to be from starting the
> > ip6tables service, and you say that the DHCP server still
> > doesn't work in permissive mode...
> >
> > What, if any, messages do you see in /var/log/messages from
> > dhcpd?
> >
> > Paul.
>
> Well I overlooked the 6 in ip6tables-resto and blamed it on selinux. Mr.
> Walsh added it to the policy to fix the other selinux error, but the
> machines on the DHCP server get IPs, DNS and all and cannot surf so I
> easily blamed it on selinux. Sorry for that. What else could be
> interfering here?
>
> Here's output of tail -f /var/log/messages:
>
> Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via
> eth1
> Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to
> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
> Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1)
> from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to
> 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
> Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:02:53 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:02:53 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:02:57 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:02:57 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:04:09 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:04:09 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:04:13 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:04:13 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:04:21 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:04:21 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
> Dec 11 07:04:25 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
> Dec 11 07:04:25 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
>
> Sorry but I overlooked the 6 in the selinux denied avc. Does it make a
> difference with the server?
>
> Thanks,
>
> Antonio
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
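A small log-triage script, added here as a worked example; it is not part of the thread and not code from anyone on it. Paul's question was "what does dhcpd itself log?", and the lines Antonio posted show a complete DISCOVER/OFFER/REQUEST/ACK exchange followed by DHCPINFORMs, which is a healthy server. The script below reconstructs that per client from dhcpd syslog lines and says in one line whether the lease was granted or where the exchange stalled. It assumes ISC dhcpd's message wording exactly as it appears in the thread (the regexes are mine, not dhcpd's), and the sample log is constructed: the first client is the one from the thread, the second MAC (00:11:22:33:44:55) is made up to show a client that never answers its OFFER.

```python
import re
from collections import defaultdict

# Constructed sample: the dhcpd lines quoted in the thread above, plus one
# made-up client (00:11:22:33:44:55) that keeps DISCOVERing but never REQUESTs,
# the typical picture when the client does not receive the OFFER.
SAMPLE_LOG = """\
Dec 11 07:01:32 localhost dhcpd: DHCPDISCOVER from 00:d0:b7:c1:09:58 via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPOFFER on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: Wrote 3 leases to leases file.
Dec 11 07:01:33 localhost dhcpd: DHCPREQUEST for 192.168.0.2 (192.168.0.1) from 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:01:33 localhost dhcpd: DHCPACK on 192.168.0.2 to 00:d0:b7:c1:09:58 (6355-hthhzebqqx) via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:34 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPINFORM from 192.168.0.2 via eth1
Dec 11 07:02:37 localhost dhcpd: DHCPACK to 192.168.0.2(00:d0:b7:c1:09:58) via eth1
Dec 11 07:05:00 localhost dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
Dec 11 07:05:00 localhost dhcpd: DHCPOFFER on 192.168.0.3 to 00:11:22:33:44:55 via eth1
Dec 11 07:05:04 localhost dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
Dec 11 07:05:04 localhost dhcpd: DHCPOFFER on 192.168.0.3 to 00:11:22:33:44:55 via eth1
"""

MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Message shapes as dhcpd logs them (assumption: matches the wording in the thread).
# Order matters: "DHCPACK on ... to MAC" (lease) must be tried before the
# "DHCPACK to IP(MAC)" reply to a DHCPINFORM.
PATTERNS = {
    "DISCOVER": re.compile(rf"DHCPDISCOVER from {MAC} via (?P<iface>\S+)"),
    "OFFER": re.compile(rf"DHCPOFFER on {IP} to {MAC}"),
    "REQUEST": re.compile(rf"DHCPREQUEST for {IP} (?:\(\S+\) )?from {MAC}"),
    "ACK": re.compile(rf"DHCPACK on {IP} to {MAC}"),
    "NAK": re.compile(rf"DHCPNAK on {IP} to {MAC}"),
    "INFORM": re.compile(rf"DHCPINFORM from {IP} via (?P<iface>\S+)"),
    "INFORM_ACK": re.compile(rf"DHCPACK to {IP}\({MAC}\)"),
}
DHCPD_MSG = re.compile(r"dhcpd(?:\[\d+\])?: (?P<msg>.*)$")


def parse_line(line):
    """Return (event, fields) for one dhcpd syslog line, or None for non-DHCP lines."""
    m = DHCPD_MSG.search(line)
    if not m:
        return None
    msg = m.group("msg")
    for event, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit:
            return event, hit.groupdict()
    return None  # e.g. "Wrote 3 leases to leases file."


def summarize(log_text):
    """Rebuild each client's exchange, keyed by MAC.

    DHCPINFORM lines carry only an IP, so they are mapped back to the client
    through the last address the server offered/acked to that MAC."""
    clients = defaultdict(lambda: {"ip": None, "events": [], "informs": 0})
    ip_to_mac = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, f = parsed
        mac, ip = f.get("mac"), f.get("ip")
        if mac is None:
            mac = ip_to_mac.get(ip)
            if mac is None:
                continue  # INFORM from an address this log never leased
        c = clients[mac]
        if ip and event in ("OFFER", "REQUEST", "ACK"):
            c["ip"] = ip
            ip_to_mac[ip] = mac
        if event == "INFORM":
            c["informs"] += 1
        elif event != "INFORM_ACK":
            c["events"].append(event)
    return dict(clients)


def diagnose(client):
    """One-line verdict for one entry of summarize()."""
    ev = client["events"]
    if "ACK" in ev:
        verdict = f"lease for {client['ip']} granted (DHCPACK seen)"
        if client["informs"]:
            verdict += f"; {client['informs']} DHCPINFORM(s) afterwards, client is up and using it"
        return verdict
    if "NAK" in ev:
        return "server refused the request (DHCPNAK); check the client's stale lease or subnet"
    if "OFFER" in ev and "REQUEST" not in ev:
        return f"offers for {client['ip']} never answered; the client is not receiving the OFFER"
    if "DISCOVER" in ev and "OFFER" not in ev:
        return "DISCOVER seen but no OFFER; dhcpd has nothing to hand out (subnet/range config)"
    return "incomplete exchange"


def report(log_text):
    """One verdict line per client, sorted by MAC."""
    return [f"{mac}: {diagnose(c)}" for mac, c in sorted(summarize(log_text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `grep dhcpd /var/log/messages` instead of the sample and the first client comes out as "lease granted", which is exactly what the thread's log shows: dhcpd did its job. A granted lease says nothing about what happens after the client has an address, so "gets an IP and DNS but cannot surf" is a routing, forwarding or NAT question on the gateway, not a dhcpd or SELinux one.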