FC4 dhcp, firestarter and SE Linux permission denied messages

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 29 13:48:48 UTC 2005


On Wed, 2005-06-29 at 09:38 -0400, David Niemi wrote:
> I appear to be having audit problems with some of the things that
> firestarter wants to do when starting up and SE Linux.  Initially dhcpd
> was giving errors and I found that dhcpd.conf contained some really
> strange IP addresses (136.54.10.8, whois -> Ford motor company???) as
> the subnet, netmask, etc.  Got that straightened out and firestarter
> appears to be starting though I haven't plugged my home network into it
> yet to check.
> 
> I am still getting errors when in the graphical part of the boot when
> services are starting (sorry, don't know the proper name) from
> firestarter about cp and "resolv.conf.predhclient" and some output from
> the dhcpd.
> 
> Checking /var/log/messages I have found ~57 lines like:
> 
> Jun 29 08:55:24 localhost kernel: audit(1120049722.072:2): avc:  denied
> { write } for  pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3
> ino=680749 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
> Jun 29 08:55:24 localhost kernel: audit(1120049722.072:3): avc:  denied
> { unlink } for  pid=1791 comm="cp" name=resolv.conf.predhclient dev=hda3
> ino=680749 scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:etc_runtime_t tclass=file
> Jun 29 08:55:24 localhost kernel: audit(1120049722.164:4): avc:  denied
> { execute } for  pid=1831 comm="sh" name=modprobe dev=hda3 ino=129716
> scontext=system_u:system_r:dhcpc_t
> tcontext=system_u:object_r:insmod_exec_t tclass=file
> 
> about modprobe and iptables also.
> 
> I've read the messages about "Re: Can't bind to dhcp address: Permission
> denied??" and tried Alexander's disable and reenable the protection on
> dhcpd and it didn't work.
> 
> All of the messages that I've kept from the past couple of weeks on dhcp
> haven't really helped, nor the messages about the policies.
> 
> I've got VERY little knowledge of SE Linux policies, messages, and
> commands, so any help would be GREATLY appreciated.

fedora-selinux-list is typically a better place to ask about SELinux
issues.  cc'd.  

-- 
Stephen Smalley
National Security Agency
