audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.541:0): avc: denied { read } for pid=18221 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.542:0): avc: denied { search } for pid=17337 exe=/usr/bin/fam name=sys dev= ino=4120 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:sysctl_t tclass=dir
audit(1079019200.542:0): avc: denied { getattr } for pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079019200.572:0): avc: denied { write } for pid=18221 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.574:0): avc: denied { write } for pid=18222 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.580:0): avc: denied { remove_name } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.580:0): avc: denied { unlink } for pid=18223 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
% ls --context /etc/dhclient*
-rw-r--r--+ root     root     system_u:object_r:dhcp_etc_t     /etc/dhclient.conf
lrwxrwxrwx  root     root     system_u:object_r:etc_t          /etc/dhclient-eth0.conf -> dhclient.conf
lrwxrwxrwx  root     root     system_u:object_r:etc_t          /etc/dhclient-wvlan0.conf -> dhclient.conf
Perhaps we need a network-init role, used by /etc/init.d/network, that hotplug (and others) can transition to?
Bill
On 11.03.2004 08:20, Bill Nottingham wrote:
> Perhaps we need a network-init role, used by /etc/init.d/network, that hotplug (and others) can transition to?
Yes, this seems like a good idea. "and others" should probably include at least APM/ACPI (for suspend/resume scripts).
But also note that part of the AVCs comes from the following fragment of /sbin/ifup:
...
    # Remove any temporary references which were previously added to dhclient config
    if [ -w /etc/dhclient-${DEVICE}.conf ] && [ -x /sbin/dhclient ] ; then
        LC_ALL=C grep -v "# temporary RHL ifup addition" /etc/dhclient-${DEVICE}.conf > /etc/dhclient-${DEVICE}.conf.ifupnew 2> /dev/null
        cat /etc/dhclient-${DEVICE}.conf.ifupnew > /etc/dhclient-${DEVICE}.conf
        rm -f /etc/dhclient-${DEVICE}.conf.ifupnew
    fi

    if [ -n "${DYNCONFIG}" ]; then
        PUMPARGS=$PUMPARGS
        DHCPCDARGS="$DHCPCDARGS -n"
        DHCLIENTARGS="${DHCLIENTARGS} -1 -q -lf /var/lib/dhcp/dhclient-${DEVICE}.leases -pf /var/run/dhclient-${DEVICE}.pid -cf /etc/dhclient-${DEVICE}.conf"
        if [ -n "${DHCP_HOSTNAME}" ]; then
            # Send a host-name to the DHCP server (requ. by some dhcp servers).
            PUMPARGS="${PUMPARGS} -h ${DHCP_HOSTNAME}"
            DHCPCDARGS="${DHCPCDARGS} -h ${DHCP_HOSTNAME}"
            if [ -x /sbin/dhclient ] ; then
                if [ -w /etc/dhclient-${DEVICE}.conf ] ; then
                    if ! LC_ALL=C grep "send *host-name *\"${DHCP_HOSTNAME}\"" /etc/dhclient-${DEVICE}.conf > /dev/null 2>&1 ; then
                        echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
                    fi
                elif ! [ -e /etc/dhclient-${DEVICE}.conf ] ; then
                    echo "send host-name \"${DHCP_HOSTNAME}\"; # temporary RHL ifup addition" >> /etc/dhclient-${DEVICE}.conf
                fi
            fi
        fi
...
It seems that the least it could do is to check whether a "temporary RHL ifup addition" line is in fact present in the config _before_ trying to mess with it. And in general, allowing the ifup script to mess with the DHCP config does not seem like such a good idea.
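The check asked for above, worked through as an added example (this is neither the /sbin/ifup fragment quoted in the mail nor any Red Hat code): a reworked version of the two fragments in which the dhclient config is opened for writing only when a marked line is actually present, the rewrite reuses the existing inode instead of creating /etc/dhclient-<dev>.conf.ifupnew (so the calling domain never needs create, add_name, remove_name or unlink on etc_t, and the file keeps its dhcp_etc_t label because no new inode is made in /etc), and the host-name line is appended only once. The function names strip_temp_additions, add_host_name and demo and the sample config contents are my own assumptions.

```shell
#!/bin/sh
# Added example, not the ifup script from the thread and not Red Hat code.
# Reworks the two quoted fragments so the dhclient config is only written
# when there is something to change, and is rewritten in place (same inode,
# same SELinux label, no scratch file in /etc).

MARK='# temporary RHL ifup addition'

# strip_temp_additions FILE
# Remove every line carrying the marker. If FILE is not writable or holds
# no marked line, it is never opened for writing.
strip_temp_additions() {
    conf=$1
    [ -w "$conf" ] || return 0
    LC_ALL=C grep -q -F "$MARK" "$conf" || return 0
    # Read the surviving lines first, then overwrite the existing file:
    # no /etc/*.ifupnew temp file, and the file label is preserved.
    kept=$(LC_ALL=C grep -v -F "$MARK" "$conf" || :)
    if [ -n "$kept" ]; then
        printf '%s\n' "$kept" > "$conf"
    else
        : > "$conf"            # config consisted only of marked lines
    fi
}

# add_host_name FILE HOSTNAME
# Append a marked "send host-name" line unless one for HOSTNAME is already
# there (HOSTNAME is matched as a fixed string, so regex characters in it
# are inert). An existing but non-writable file is left alone, as in ifup.
add_host_name() {
    conf=$1
    host=$2
    if [ -e "$conf" ]; then
        [ -w "$conf" ] || return 0
        if LC_ALL=C grep -q -F "send host-name \"$host\"" "$conf"; then
            return 0
        fi
    fi
    printf 'send host-name "%s"; %s\n' "$host" "$MARK" >> "$conf"
}

# demo: run both functions on a constructed config in a temp directory
# (constructed sample data, not a real /etc file) and report counts.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/dhclient-eth0.conf"
    printf 'request subnet-mask, routers;\n' > "$f"
    add_host_name "$f" myhost
    add_host_name "$f" myhost            # second call must not duplicate
    marked=$(grep -c -F "$MARK" "$f" || :)
    strip_temp_additions "$f"
    after=$(grep -c -F "$MARK" "$f" || :)
    lines=$(wc -l < "$f" | tr -d ' ')
    rm -rf "$d"
    echo "marked=$marked after=$after lines=$lines"
}
```

Running demo prints marked=1 after=0 lines=1. The in-place overwrite matters under SELinux: the original `cat > file` also reused the inode, but the grep into a new .ifupnew file in /etc is what produced the etc_t create/unlink denials, and replacing the config by renaming a freshly created file would additionally lose the dhcp_etc_t label, since a new file in /etc gets etc_t by default unless a transition rule says otherwise.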
On Fri, 12 Mar 2004 02:38, Aleksey Nogin aleksey@nogin.org wrote:
> audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
What happens if you give /sbin/nameif the type ifconfig_exec_t?
> audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
> audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
> audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
It looks like it's replacing the dhclient.conf file. We don't want to give hotplug write access to etc_t (/etc/passwd); we could do the following:
file_type_auto_trans(hotplug_t, etc_t, dhcp_etc_t, { file lnk_file })
But then we might have the same problem with hotplug wanting to write some other type of file.
Could we use a /etc/dhcpc/ directory?
> audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
> audit(1079019203.873:0): avc: denied { fsetid } for pid=18339 exe=/bin/chmod capability=4 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
I've already added dac_override to my tree, I'm still considering fsetid (see my message in the other thread).
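For triaging a denial list like the one at the top of this thread, here is an added audit2allow-style summariser in POSIX sh plus awk; it is not from the thread, not from any SELinux tool, and the function names avc_to_allow and sample_avcs are mine. It folds "avc: denied" lines into one candidate rule per (source domain, target type, class), merges the permissions, and writes self where source and target domain coincide. The sample lines are copied from the denials posted above. The output is for reading, not for loading: as the reply above says, a rule such as allow hotplug_t etc_t:dir { write add_name } hands hotplug far more than the relabeling or type transition the thread is actually after.

```shell
#!/bin/sh
# Added example, not part of the thread or of any SELinux tool: summarise
# "avc: denied" lines into candidate allow rules for review.

# avc_to_allow: read AVC lines on stdin, print one merged rule per
# (source domain, target type, class), in order of first appearance.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        s = $0
        sub(/.*denied *[{] */, "", s)          # drop text up to "{ "
        sub(/ *[}].*/, "", s)                  # keep the permission list
        perms = s
        sdom = ""; ttyp = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type -> the type is the third field
            if ($i ~ /^scontext=/) { split($i, a, ":"); sdom = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttyp = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (sdom == "" || ttyp == "" || cls == "") next   # malformed line
        if (ttyp == sdom) ttyp = "self"        # policy idiom for own-domain targets
        key = sdom SUBSEP ttyp SUBSEP cls
        if (!(key in seen)) { seen[key] = ""; keys[++n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], seen[keys[k]]
        }
    }'
}

# sample_avcs: a subset of the denials posted in this thread, embedded so
# the script runs offline (sample input, not a live audit log).
sample_avcs() {
    cat <<'EOF'
audit(1079019200.094:0): avc: denied { net_admin } for pid=18206 exe=/sbin/nameif capability=12 scontext=system_u:system_r:hotplug_t tcontext=system_u:system_r:hotplug_t tclass=capability
audit(1079019200.519:0): avc: denied { getattr } for pid=18144 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.521:0): avc: denied { write } for pid=18221 exe=/bin/bash name=etc dev=hda2 ino=228929 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { add_name } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=dir
audit(1079019200.521:0): avc: denied { create } for pid=18221 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:etc_t tclass=file
audit(1079019200.541:0): avc: denied { read } for pid=18221 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=system_u:system_r:hotplug_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079019200.778:0): avc: denied { dac_override } for pid=18241 exe=/bin/bash capability=1 scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=capability
EOF
}

# Usage: sample_avcs | avc_to_allow      (or: dmesg | avc_to_allow)
```

On the sample this prints five rules, among them allow hotplug_t etc_t:dir { write add_name } and allow hotplug_t etc_t:file { create }; those two are exactly the ones the reply above argues against, since the right fix is a type transition (or a separate directory) so that hotplug never gains write access to etc_t as a whole.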
selinux@lists.fedoraproject.org