I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and I run "ifup wvlan0" as a non-privileged user. Of course, this generates a long list of AVC messages. Should there be some special policy provisions for the usernetctl?
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
audit(1079121920.219:0): avc: denied { read write } for pid=1123 exe=/sbin/insmod path=/dev/pts/9 dev= ino=11 scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079121920.231:0): avc: denied { getattr } for pid=1046 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.233:0): avc: denied { create } for pid=1124 exe=/bin/bash name=dhclient-wvlan0.conf.ifupnew scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.234:0): avc: denied { getattr } for pid=17337 exe=/usr/bin/fam path=/etc/mtab dev=hda2 ino=229229 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1079121920.237:0): avc: denied { read } for pid=1124 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.254:0): avc: denied { write } for pid=1124 exe=/bin/grep path=/etc/dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.259:0): avc: denied { write } for pid=1125 exe=/bin/bash name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.268:0): avc: denied { unlink } for pid=1126 exe=/bin/rm name=dhclient-wvlan0.conf.ifupnew dev=hda2 ino=2191270 scontext=user_u:user_r:user_t tcontext=user_u:object_r:etc_t tclass=file
audit(1079121920.421:0): avc: denied { search } for pid=1144 exe=/sbin/dhclient name=dhcp dev=hda2 ino=1815097 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_state_t tclass=dir
audit(1079121920.422:0): avc: denied { read } for pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.422:0): avc: denied { write } for pid=1144 exe=/sbin/dhclient name=dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
audit(1079121920.442:0): avc: denied { getattr } for pid=1144 exe=/sbin/dhclient path=/var/lib/dhcp/dhclient-wvlan0.leases dev=hda2 ino=1815259 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_state_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc: denied { create } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc: denied { bind } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { setopt } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { name_bind } for pid=1144 exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
audit(1079121921.929:0): avc: denied { write } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121922.935:0): avc: denied { read } for pid=1144 exe=/sbin/dhclient path=socket:[5287768] dev= ino=5287768 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121923.662:0): avc: denied { write } for pid=1247 exe=/sbin/dhclient name=dhclient-wvlan0.pid dev=hda2 ino=179909 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_var_run_t tclass=file
On Sat, 13 Mar 2004 07:10, Aleksey Nogin aleksey@nogin.org wrote:
I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and I run "ifup wvlan0" as a non-privileged user. Of course, this generates a long list of AVC messages. Should there be some special policy provisions for the usernetctl?
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
You just don't do such things as user_r, they should be done as sysadm_r.
Russell Coker (russell@coker.com.au) said:
I have USERCTL=yes in my /etc/sysconfig/network-scripts/ifcfg-wvlan0 and I run "ifup wvlan0" as a non-privileged user. Of course, this generates a long list of AVC messages. Should there be some special policy provisions for the usernetctl?
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
You just don't do such things as user_r, they should be done as sysadm_r.
This breaks installed systems, though. I suppose usernetctl needs to change roles.
Bill
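As an added triage example (not code from anyone in this thread), the Python below parses AVC denials of the form Aleksey posted, collapses them per (source type, target type, object class) the way audit2allow does before it emits allow rules, and reports which roles the denied processes were running in. That last check is the point Russell and Bill make: every denial here comes from user_r, so the honest fix is a role change (run the operation as sysadm_r, or have the helper transition roles), not a pile of new allow rules for user_t. The sample lines are copied from the thread; the function names, the regular expression and the "self" rendering of same-type targets are constructed for this example.

```python
import re
from collections import defaultdict

# Sample input constructed for this example: a handful of the lines from the
# thread, one record per line. The security_compute_sid line and the
# "New link status" line are not AVC records and must be skipped.
SAMPLE_LOG = """\
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
audit(1079121920.219:0): avc: denied { read write } for pid=1123 exe=/sbin/insmod path=/dev/pts/9 dev= ino=11 scontext=user_u:user_r:insmod_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079121920.231:0): avc: denied { getattr } for pid=1046 exe=/bin/bash path=/etc/dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
audit(1079121920.237:0): avc: denied { read } for pid=1124 exe=/bin/grep name=dhclient.conf dev=hda2 ino=231943 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
wvlan0: New link status: Connected (0001)
audit(1079121921.923:0): avc: denied { create } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.923:0): avc: denied { bind } for pid=1144 exe=/sbin/dhclient scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=packet_socket
audit(1079121921.928:0): avc: denied { name_bind } for pid=1144 exe=/sbin/dhclient src=68 scontext=user_u:user_r:user_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
"""

# One AVC denial: the permission set in braces, then the source context,
# target context and object class, which the kernel always prints in this order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split 'user:role:type' (an MLS range, if present, is ignored)."""
    user, role, type_ = ctx.split(":")[:3]
    return user, role, type_


def parse_avc(line):
    """Return the fields of one AVC denial, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def summarize(lines):
    """Collapse denials into {(source type, target type, class): perms},
    merging permissions the way audit2allow does before emitting rules."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        stype = split_context(d["scontext"])[2]
        ttype = split_context(d["tcontext"])[2]
        groups[(stype, ttype, d["tclass"])] |= d["perms"]
    return dict(groups)


def format_allow_rules(summary):
    """Render the summary as TE allow rules; a target type equal to the
    source type is written as 'self'. This is what blindly allowing every
    denial would add to user_t, which is the fix the thread argues against."""
    rules = []
    for (stype, ttype, tclass), perms in summary.items():
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)


def source_roles(lines):
    """Roles the denied processes were running in. When privileged operations
    (raw packet sockets, writes under /etc and /var/lib) all come from user_r,
    the denials point at the wrong role rather than at missing permissions."""
    roles = set()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            roles.add(split_context(d["scontext"])[1])
    return roles


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in format_allow_rules(summarize(lines)):
        print(rule)
    print("source roles:", ", ".join(sorted(source_roles(lines))))
```

Feed it `dmesg` output or the relevant slice of the audit log and read `source_roles()` first: a result of only `user_r` for network configuration means the allow rules `format_allow_rules()` prints would widen user_t to do sysadm work, which is exactly what the role separation exists to prevent.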
Hi,
On Mon, 2004-03-15 at 16:02, Bill Nottingham wrote:
Russell Coker (russell@coker.com.au) said:
security_compute_sid: invalid context user_u:user_r:insmod_t for scontext=user_u:user_r:user_t tcontext=system_u:object_r:insmod_exec_t tclass=process
You just don't do such things as user_r, they should be done as sysadm_r.
This breaks installed systems, though. I suppose usernetctl needs to change roles.
Is there a bugzilla for this yet? I don't want it to slip through the cracks.
--Stephen
selinux@lists.fedoraproject.org