It seems the policy needs an update to allow the dhclient-script to work properly:
type=1400 audit(1206128117.122:4): avc: denied { write } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.122:5): avc: denied { unlink } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.252:6): avc: denied { rename } for pid=2485 comm="mv" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:7): avc: denied { write } for pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.255:8): avc: denied { write } for pid=2486 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.256:9): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:10): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:11): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.257:12): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.258:13): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
# audit2allow -R < audit.log
require {
        type var_run_t;
        type dhcpc_t;
        type hald_acl_t;
        type etc_t;
        class dir write;
        class file { write rename unlink append };
}

#============= dhcpc_t ==============
allow dhcpc_t etc_t:file { write rename unlink append };

#============= hald_acl_t ==============
allow hald_acl_t var_run_t:dir write;
Chuck Anderson wrote:
It seems the policy needs an update to allow the dhclient-script to work properly:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Someone/thing mislabeled your resolv.conf
restorecon /etc/resolv.conf
The hald_acl will be fixed tonight. Your policy module is dangerous.
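Added illustration, not part of the thread or of any poster's message: the generated rule `allow dhcpc_t etc_t:file ...` applies to every file labeled etc_t, not only the two files named in the denials. This Python sketch groups the posted AVC records by source type, target type and class, and marks groups whose target is a catch-all type so the labels get checked before any rule is granted; `GENERIC_TYPES` and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Four of the ten AVC records from the first message, copied as posted.
SAMPLE_LOG = """\
type=1400 audit(1206128117.122:4): avc: denied { write } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.122:5): avc: denied { unlink } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0 ino=26088 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.252:6): avc: denied { rename } for pid=2485 comm="mv" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=1400 audit(1206128117.256:9): avc: denied { append } for pid=2434 comm="dhclient-script" name="ntp.conf" dev=dm-0 ino=26089 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
"""

# Assumption of this example: catch-all file types shared by many unrelated files.
GENERIC_TYPES = {"etc_t", "var_t", "usr_t", "tmp_t", "default_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+?) \} for .*?name="(?P<name>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)')

def summarize(log):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "users": set()})
    for m in AVC_RE.finditer(log):
        src_type = m["scon"].split(":")[2]          # user:role:type:level
        tgt_user, _role, tgt_type = m["tcon"].split(":")[:3]
        g = groups[(src_type, tgt_type, m["tclass"])]
        g["perms"].update(m["perms"].split())
        g["names"].add(m["name"])
        g["users"].add(tgt_user)
    return groups

def review(log):
    """One finding per group: the equivalent allow rule plus a verdict."""
    findings = []
    for (src, tgt, cls), g in sorted(summarize(log).items()):
        perms = " ".join(sorted(g["perms"]))
        findings.append({
            "rule": f"allow {src} {tgt}:{cls} {{ {perms} }};",
            "files": sorted(g["names"]),
            "target_users": sorted(g["users"]),
            # A rule on a catch-all type covers every file carrying that
            # label, so the files' labels are checked before granting it.
            "verdict": "check-labels" if tgt in GENERIC_TYPES else "review-rule",
        })
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["verdict"], f["rule"], f["files"], f["target_users"])
```

For the files listed under a `check-labels` verdict, `restorecon -n -v` on each path reports whether the on-disk label differs from the one the loaded policy expects, without changing anything.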
On Fri, Mar 21, 2008 at 07:17:14PM -0400, Daniel J Walsh wrote:
Chuck Anderson wrote:
It seems the policy needs an update to allow the dhclient-script to work properly:
type=1400 audit(1206128117.122:4): avc: denied { write } for pid=2475 comm="cp" name="resolv.conf.predhclient.eth3" dev=dm-0
Someone/thing mislabeled your resolv.conf
restorecon /etc/resolv.conf
The hald_acl will be fixed tonight. Your policy module is dangerous.
This was on the very first boot of a fresh install of rawhide.
Chuck Anderson wrote:
This was on the very first boot of a fresh install of rawhide.
Then rawhide has a bug in the creation of resolv.conf. Please open a bugzilla on anaconda and CC me. Did you do anything special in firstboot? Anything special in your network setup? Please report any of this info in your bugzilla.
On Sun, Mar 23, 2008 at 07:36:17AM -0400, Daniel J Walsh wrote:
This was on the very first boot of a fresh install of rawhide.
Then rawhide has a bug in the creation of resolv.conf. Please open a bugzilla on anaconda and CC me. Did you do anything special in firstboot? Anything special in your network setup? Please report any of this info in your bugzilla.
Ok, I'll try to reproduce it with a new reinstall. This was an X-less install, and I booted into runlevel 3 from grub on the first boot, so firstboot didn't run. I also noticed that the network service was turned off, so I started networking manually the first time:
service network start
Perhaps that's why this happened, but I should try it again to be sure I have the exact steps to reproduce this.
selinux@lists.fedoraproject.org