Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables. I found a similar post on the group about DHCP but my messages are different. I am using FC7; the latest policy update didn't resolve the problem. P.S. I am using Firestarter as my firewall. Have a look:
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Greetings,
Peter
piotreek wrote:
Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables. I found a similar post on the group about DHCP but my messages are different. I am using FC7; the latest policy update didn't resolve the problem. P.S. I am using Firestarter as my firewall.
I believe you will need to write custom policy to make this work. You can simply add these rules using audit2allow.
# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
# semodule -i mydhcpc.pp
Having dhcpc allowed to turn firewall rules on and off is a debatable security risk.
Have a look:
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:6): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:7): avc: denied { execute } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:8): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:9): avc: denied { getattr } for pid=1776 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:10): avc: denied { execute } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:11): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.475:12): avc: denied { getattr } for pid=1778 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Jun 7 08:08:54 c79-70 kernel: audit(1181196527.975:13): audit_pid=1863 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Greetings,
Peter
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
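As an added example (not from Daniel's reply and not the SELinux tools' own code), here is a small shell stand-in for the audit2allow step above. It parses AVC records from stdin and prints the kind of .te module that audit2allow -M writes next to the .pp, so the allow rules can be read before semodule -i loads anything. The function name avc2te, the module name, and the way the sample records are embedded are this example's own choices; the records themselves are copied from the AVC lines quoted in this thread. On a real system use audit2allow itself, which handles more than this script does.

```shell
#!/bin/sh
# Added example: minimal audit2allow-style rule generator.
# Reads AVC records (one per line) on stdin, prints a .te module with a
# require block and one allow rule per (source type, target type, class),
# merging the denied permissions. Only the type component of scontext and
# tcontext is used, which is what a type enforcement allow rule needs.
#
# Usage: avc2te MODULE_NAME < avc_lines
avc2te() {
    mod="${1:-mymodule}"
    # pass 1: emit one "stype ttype tclass perm" tuple per denied permission
    awk '/avc: +denied/ {
        b = index($0, "{"); e = index($0, "}")     # permission set is in braces
        if (b == 0 || e <= b) next
        perms = substr($0, b + 1, e - b - 1)
        st = ""; tt = ""; tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
        }
        if (st == "" || tt == "" || tc == "") next   # malformed record, skip it
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print st, tt, tc, p[i]
    }' |
    LC_ALL=C sort -u |
    awk -v mod="$mod" '
        # pass 2: input is sorted and unique, so output order is deterministic
        {
            key = $1 " " $2 ":" $3
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            rule[key] = (rule[key] == "") ? $4 : rule[key] " " $4
            if (!($1 in tseen)) { tseen[$1] = 1; types[++nt] = $1 }
            if (!($2 in tseen)) { tseen[$2] = 1; types[++nt] = $2 }
            if (!($3 in cseen)) { cseen[$3] = 1; classes[++nc] = $3 }
            if (!(($3, $4) in pseen)) {
                pseen[$3, $4] = 1
                cperm[$3] = (cperm[$3] == "") ? $4 : cperm[$3] " " $4
            }
        }
        END {
            print "module " mod " 1.0;"
            print ""
            print "require {"
            for (i = 1; i <= nt; i++) print "\ttype " types[i] ";"
            for (i = 1; i <= nc; i++) print "\tclass " classes[i] " { " cperm[classes[i]] " };"
            print "}"
            print ""
            for (i = 1; i <= n; i++) print "allow " order[i] " { " rule[order[i]] " };"
        }'
}

# Sample input (constructed for this example from the AVC lines quoted in
# the thread; the iptables ones are Peter's, the ntpd ones are Mike's).
SAMPLE_AVC='type=AVC msg=audit(1181196527.475:4): avc: denied { execute } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1181196527.475:5): avc: denied { getattr } for pid=1775 comm="sh" name="iptables" dev=sdb1 ino=3793910 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file'

# Stand-alone run: print the module text. After reviewing it (and deleting
# any allow line you do not actually want), a .te becomes a loadable .pp with
#   checkmodule -M -m -o mydhcpc.mod mydhcpc.te
#   semodule_package -o mydhcpc.pp -m mydhcpc.mod
#   semodule -i mydhcpc.pp
printf '%s\n' "$SAMPLE_AVC" | avc2te mydhcpc
```

The point of looking at the .te first is exactly Daniel's caveat: the grep pulls in every dhcpc denial, so the generated module would grant dhcpc_t both the iptables execute/getattr and, if such records are in the same log, the lock-file access; drop the allow lines you do not want before packaging rather than loading the whole thing.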
Daniel J Walsh wrote:
piotreek wrote:
Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables. I found a similar post on the group about DHCP but my messages are different. I am using FC7; the latest policy update didn't resolve the problem. P.S. I am using Firestarter as my firewall.
I believe you will need to write custom policy to make this work. You can simply add these rules using audit2allow.
# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
# semodule -i mydhcpc.pp
Having dhcpc allowed to turn firewall rules on and off is a debatable security risk.
I'm noticing similar behavior with dhcp and ntp. It seems that for some reason the dhcp client is trying to play with ntp (probably because I define the ntp server in the dhcp server config) and failing:
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
I can easily write a custom policy to allow this, but it feels like a common enough configuration (ntp server configured by dhcp) that there should be a global policy (or boolean?) to allow this to work.
--Mike
Wart wrote:
Daniel J Walsh wrote:
piotreek wrote:
Hi guys, I found some strange messages in my logs. It seems that SELinux is blocking dhcp and iptables. I found a similar post on the group about DHCP but my messages are different. I am using FC7; the latest policy update didn't resolve the problem. P.S. I am using Firestarter as my firewall.
I believe you will need to write custom policy to make this work. You can simply add these rules using audit2allow.
# grep dhcpc /var/log/audit/audit.log | audit2allow -M mydhcpc
# semodule -i mydhcpc.pp
Having dhcpc allowed to turn firewall rules on and off is a debatable security risk.
I'm noticing similar behavior with dhcp and ntp. It seems that for some reason the dhcp client is trying to play with ntp (probably because I define the ntp server in the dhcp server config) and failing:
type=AVC msg=audit(1184457984.239:75): avc: denied { remove_name } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.239:75): avc: denied { unlink } for pid=6370 comm="rm" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.253:76): avc: denied { add_name } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1184457984.253:76): avc: denied { create } for pid=6377 comm="touch" name="ntpd" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1184457984.254:77): avc: denied { write } for pid=6377 comm="touch" name="ntpd" dev=sdc1 ino=1632966 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
I can easily write a custom policy to allow this, but it feels like a common enough configuration (ntp server configured by dhcp) that there should be a global policy (or boolean?) to allow this to work.
--Mike
Did it work in enforcing mode? Currently the policy says to dontaudit search of the locks directory, which should have prevented these AVC messages in enforcing mode. If it works in enforcing mode, these AVCs can be ignored.