Re: dhclient denial F-11

[Daniel J Walsh <dwalsh redhat com>]

On 07/10/2009 03:58 AM, Paul Howarth wrote:
> I get one of these every time my DHCP lease is renewed:
>
> type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for
> pid=31499 comm="mv" name="yp.conf.predhclient.br0"
> scontext=unconfined_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274
> items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv"
> subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
>
> It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
>
> Paul..
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That is a new one, looks like you started dhclient by hand, and it is 
running as unconfined_u:system_r:dhcpc_t:s0,  But some where in the tool 
it is trying to create a file labeled system_u:object_r:net_conf_t:s0

unconfined_u creating a file with a user type of system_u is a 
constraint violation.

The mv command tries to maintain the context of the context of the
yp.conf.predhclient.br0 file which must have been created by dhclient 
when it was run as a service, so you get this denial.

So I guess we need to allow dhcpc_t the ability to change the user 
componant of a file.

Who said SELinux is not simple...  :^(

If you add the following in a module it should allow your app to work.


domain_obj_id_change_exemption(dhcpc_t)


Miroslav can you add this to sysnetwork.te for F10, F11.