temp files & debugging

Stephen Smalley sds at tycho.nsa.gov
Mon Feb 9 14:30:06 UTC 2009


On Mon, 2009-02-09 at 09:22 -0500, Steve wrote:
> I am attempting to figure out why my dhclient process sometimes gets the correct hostname from the server and sometimes it doesn't. I want to do this by turning on logging and sending the output to a temp file. I am running F9 and so I changed the line in /etc/sysconfig/network-scripts/ifup-eth from:
> 
> if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE}; then
> if /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} > /var/log/dhclient.log 2>&1; then
> 
> after changing the DHCLIENTARGS switch -q to -v. When this runs at boot time I get an empty /var/log/dhclient.log file. When I try to run dhclient manually I get a SELinux denial:
> 
> SELinux is preventing dhclient (dhcpc_t) "write" to /var/log/dhclient.log (var_log_t).
> 
> OK, that makes sense so what do I have to modify to allow the log file to be written? This is just temporary so I'm hoping that I don't have to modify policies, rule files etc, etc. The simplest thing I can think of is to change to permissive mode but is there a better way?
> 
> Here is the raw data:
> 
> Source Context:  unconfined_u:system_r:dhcpc_t:SystemLow-SystemHigh
> Target Context:  system_u:object_r:var_log_t
> Target Objects:  /var/log/dhclient.log [ file ]
> Source:  dhclient
> Source Path:  /sbin/dhclient
> Port:  <Unknown>
> Host:  localhost.localdomain
> Source RPM Packages:  dhclient-4.0.0-22.fc9
> Target RPM Packages:  
> Policy RPM:  selinux-policy-3.3.1-119.fc9
> Selinux Enabled:  True
> Policy Type:  targeted
> MLS Enabled:  True
> Enforcing Mode:  Enforcing
> Plugin Name:  mislabeled_file
> Host Name:  localhost.localdomain
> Platform:  Linux localhost.localdomain 2.6.27.12-78.2.8.fc9.x86_64 #1 SMP Mon Jan 19 19:25:03 EST 2009 x86_64 x86_64
> Alert Count:  1
> First Seen:  Fri 06 Feb 2009 10:15:51 AM EST
> Last Seen:  Fri 06 Feb 2009 10:15:51 AM EST
> Local ID:  f7b088b4-ffa8-4a8a-bd23-e075bf806d23
> Line Numbers:  
> 
> Raw Audit Messages:
> 
> node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file 
> 
> node=localhost.localdomain type=SYSCALL msg=audit(1233933351.918:23): arch=c000003e syscall=59 success=yes exit=0 a0=1ba6ba0 a1=1ba70e0 a2=1b8eba0 a3=3ff9d67a70 items=0 ppid=3175 pid=3311 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhclient" exe="/sbin/dhclient" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) 

Label the log file with a type to which dhcpc_t can already write, e.g.
chcon -t dhcpc_tmp_t /var/log/dhclient.log

-- 
Stephen Smalley
National Security Agency
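An added example, not part of the thread: a small POSIX sh helper that pulls the source type, target type, object class and denied permission out of an AVC record like the one quoted above and produces the relabel Stephen suggests. The sample record is constructed from the question's audit line, and the dhcpc_tmp_t target type is the one from his reply.

```shell
#!/bin/sh
# Added example: triage an AVC denial and apply a temporary relabel.
# Field extraction relies only on the "key=value" layout of the audit record.

# Constructed sample: the AVC record quoted in the question.
SAMPLE_AVC='node=localhost.localdomain type=AVC msg=audit(1233933351.918:23): avc: denied { write } for pid=3311 comm="dhclient" path="/var/log/dhclient.log" dev=dm-0 ino=49873259 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field RECORD KEY -> value of "KEY=value" with surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT -> the type component (user:role:TYPE[:range]) of a context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# suggest_relabel RECORD NEWTYPE -> the chcon command that relabels the
# denied file to NEWTYPE; fails for denials that are not on a file object
suggest_relabel() {
    [ "$(avc_field "$1" tclass)" = file ] || return 1
    printf 'chcon -t %s %s\n' "$2" "$(avc_field "$1" path)"
}

# apply_relabel RECORD NEWTYPE -> run chcon on an SELinux-enabled host and
# show the new label; elsewhere just print what would be run
apply_relabel() {
    path=$(avc_field "$1" path)
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        chcon -t "$2" "$path" && ls -Z "$path"
    else
        echo "SELinux not enabled here; would run: $(suggest_relabel "$1" "$2")"
    fi
}
```

Call `apply_relabel "$SAMPLE_AVC" dhcpc_tmp_t` on the affected host; a chcon label does not survive a filesystem relabel (restorecon), which is fine for a file that only exists for this debugging session.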




More information about the fedora-selinux-list mailing list