I get one of these every time my DHCP lease is renewed:
type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1247181873.317:23522): arch=c000003e syscall=2 success=no exit=-13 a0=7fff9e36ebcc a1=c1 a2=180 a3=65726373662f7274 items=0 ppid=31485 pid=31499 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
Paul..
On 07/10/2009 03:58 AM, Paul Howarth wrote:
> I get one of these every time my DHCP lease is renewed:
> type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
> [...]
> It originates from /etc/dhcp/dhclient.d/nis.sh in the ypbind package.
> Paul..
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That is a new one; looks like you started dhclient by hand, and it is running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool it is trying to create a file labeled system_u:object_r:net_conf_t:s0.
unconfined_u creating a file with a user type of system_u is a constraint violation.
The mv command tries to maintain the context of the yp.conf.predhclient.br0 file, which must have been created by dhclient when it was run as a service, so you get this denial.
So I guess we need to allow dhcpc_t the ability to change the user component of a file.
Who said SELinux is not simple... :^(
If you add the following in a module it should allow your app to work.
domain_obj_id_change_exemption(dhcpc_t)
Miroslav can you add this to sysnetwork.te for F10, F11.
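As an added example (not code from the thread, from selinux-policy or from the ypbind package), the shell below does the two things Dan's reply implies a practitioner should do: read the SELinux user out of the scontext and tcontext of the AVC above and flag the unconfined_u/system_u mismatch that makes this a constraint violation rather than a missing allow rule, and package the one-line domain_obj_id_change_exemption(dhcpc_t) fix as a local policy module. The module name local_dhcpc, the working-directory layout and the build/load commands are my assumptions; the AVC line is a constructed copy of the one Paul posted.

```shell
#!/bin/sh
# Added example: diagnose a cross-user AVC denial and build the local module
# that Dan suggested. Module name "local_dhcpc" is an assumption.

# Constructed copy of the AVC record from the thread (SYSCALL record dropped).
AVC_SAMPLE='type=AVC msg=audit(1247181873.317:23522): avc: denied { create } for pid=31499 comm="mv" name="yp.conf.predhclient.br0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file'

# Print the SELinux user (first field) of scontext= or tcontext= in an AVC line.
# $1 = AVC line, $2 = scontext | tcontext
ctx_user() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^:]*\):.*/\1/p"
}

# Return 0 and print a diagnosis when the process and the target object carry
# different SELinux users. A plain "allow" rule on the types will not help
# then: the denial comes from the user-change constraint, so the domain needs
# an exemption (domain_obj_id_change_exemption) or the object needs relabeling.
avc_user_mismatch() {
    src=$(ctx_user "$1" scontext)
    tgt=$(ctx_user "$1" tcontext)
    [ -n "$src" ] && [ -n "$tgt" ] || return 2   # not an AVC line we understand
    if [ "$src" != "$tgt" ]; then
        echo "user mismatch: process is $src, target object is $tgt (constraint, not a type rule)"
        return 0
    fi
    return 1
}

# Write the local module Dan proposed into directory $1.
write_exemption_module() {
    cat > "$1/local_dhcpc.te" <<'EOF'
policy_module(local_dhcpc, 1.0)

require {
    type dhcpc_t;
}

# Let dhcpc_t create/relabel files whose SELinux user differs from its own
# (unconfined_u process writing a system_u file), which is what mv needs here.
domain_obj_id_change_exemption(dhcpc_t)
EOF
}

# Compile and load the module with the refpolicy development Makefile.
# Only works as root on a host with selinux-policy-devel installed.
build_and_load() {
    [ -f /usr/share/selinux/devel/Makefile ] || { echo "selinux-policy-devel not installed" >&2; return 1; }
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile local_dhcpc.pp && semodule -i local_dhcpc.pp )
}

# Stand-alone run: diagnose the sample and stage the module for building.
if avc_user_mismatch "$AVC_SAMPLE"; then
    workdir=$(mktemp -d)
    write_exemption_module "$workdir"
    echo "module written to $workdir/local_dhcpc.te; load with: build_and_load $workdir"
fi
```

Once the module is loaded, the cleaner long-term fix is still to have the daemon start as system_u (see Dan's run_init note further down), because the exemption widens what dhcpc_t may do to every file it touches, not just yp.conf.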
On 10/07/09 13:50, Daniel J Walsh wrote:
> That is a new one; looks like you started dhclient by hand, and it is running as unconfined_u:system_r:dhcpc_t:s0, but somewhere in the tool it is trying to create a file labeled system_u:object_r:net_conf_t:s0.
> unconfined_u creating a file with a user type of system_u is a constraint violation.
> [...]
> Who said SELinux is not simple... :^(
I seem to have a lot of processes like this:
# ps uaxZ|grep unconfined_u:system_r:
unconfined_u:system_r:auditd_t:s0 root 701 0.0 0.0 27464 428 ? S<sl Jun24 0:00 auditd
unconfined_u:system_r:audisp_t:s0 root 703 0.0 0.0 81920 420 ? S<sl Jun24 0:00 /sbin/audispd
unconfined_u:system_r:audisp_t:s0 root 704 0.0 0.0 97764 648 ? S< Jun24 0:00 /usr/sbin/sedispatch
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5678 0.0 0.0 89008 788 pts/0 S+ 14:00 0:00 grep unconfined_u:system_r:
unconfined_u:system_r:ntpd_t:s0 ntp 5700 0.0 0.0 58984 696 ? Ss Jun23 0:04 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
unconfined_u:system_r:dhcpc_t:s0 root 5702 0.0 0.0 6856 356 ? Ss Jun23 0:00 /sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient-br0.leases -pf /var/run/dhclient-br0.pid br0
unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 5835 0.3 0.1 466888 2844 ? Sl Jun23 74:12 libvirtd --daemon
unconfined_u:system_r:dnsmasq_t:s0-s0:c0.c1023 nobody 5895 0.0 0.0 12584 300 ? S Jun23 0:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid --conf-file= --listen-address 192.168.122.1 --except-interface lo --dhcp-range 192.168.122.2,192.168.122.254
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 root 9606 0.0 0.0 63236 312 ? Ss Jun23 0:00 /usr/sbin/sshd
unconfined_u:system_r:avahi_t:s0 avahi 9690 0.0 0.0 60036 912 ? Ss Jul01 0:00 avahi-daemon: registering [roary.local]
unconfined_u:system_r:avahi_t:s0 avahi 9691 0.0 0.0 59868 156 ? Ss Jul01 0:00 avahi-daemon: chroot helper
unconfined_u:system_r:rpcbind_t:s0 rpc 17479 0.0 0.0 18788 308 ? Ss Jun29 0:00 rpcbind -w
unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 17538 0.0 0.0 100292 464 ? Ss Jun29 0:02 crond
Why are some processes starting in system_u and some in unconfined_u? I'm always mindful to do "service xyz restart" rather than starting things manually. It's not just one machine either.
Paul.
On 07/10/2009 09:03 AM, Paul Howarth wrote:
> I seem to have a lot of processes like this:
> [...]
> Why are some processes starting in system_u and some in unconfined_u? I'm always mindful to do "service xyz restart" rather than starting things manually. It's not just one machine either.
If you execute "service xyz restart", xyz will run as unconfined_u; if the system does it at boot it will run as system_u. You can use run_init if you choose to get it to run as system_u:
run_init service xyz restart
(If you want to use this form, put pam_rootok in /etc/pam.d/run_init, for your sanity. :^))
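As an added example, not from the thread or from the initscripts package, the shell below automates the check Paul did by hand and the fix Dan describes: it lists daemons whose context is <user>:system_r:... with a user other than system_u (i.e. services that were restarted from a login shell rather than at boot), and wraps a SysV restart in run_init when SELinux is enabled and run_init is installed. The ps output is a constructed sample trimmed from Paul's listing; the "ps -eo label,pid,comm" format and the fallback behaviour are my choices.

```shell
#!/bin/sh
# Added example: spot daemons that picked up unconfined_u from a login shell,
# and restart a service through run_init so it lands in system_u.

# Constructed sample of "ps -eo label,pid,comm" output, trimmed from the thread.
PS_SAMPLE='LABEL PID COMMAND
unconfined_u:system_r:auditd_t:s0 701 auditd
unconfined_u:system_r:dhcpc_t:s0 5702 dhclient
system_u:system_r:sshd_t:s0-s0:c0.c1023 9606 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5678 grep'

# Print "pid command" for every process running in role system_r whose SELinux
# user is not system_u. Those are daemons (re)started by hand; files they create
# will carry their user and can trip the user-change constraint later.
# $1 = ps output; the header line is skipped.
hand_started_daemons() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            split($1, c, ":")
            if (c[2] == "system_r" && c[1] != "system_u") print $2, $3
        }'
}

# Live version of the check against this host.
hand_started_daemons_here() {
    hand_started_daemons "$(ps -eo label,pid,comm)"
}

# Restart a SysV service so it runs as system_u. run_init prompts for a
# password unless /etc/pam.d/run_init uses pam_rootok (see Dan's note);
# without SELinux or run_init this degrades to a plain "service" call.
restart_as_system_u() {
    if selinuxenabled 2>/dev/null && command -v run_init >/dev/null 2>&1; then
        run_init service "$1" restart
    else
        service "$1" restart
    fi
}

# Stand-alone run: show what the detector reports for the sample.
hand_started_daemons "$PS_SAMPLE"
```

On the sample this prints "701 auditd" and "5702 dhclient"; sshd is skipped because it already runs as system_u, and the grep process is skipped because its role is unconfined_r, not system_r.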
On Fri, 10 Jul 2009 09:46:46 -0400 Daniel wrote:
DJW> If you execute service xyz restart, xyz will run as unconfined_u, if the
DJW> system does it at boot it will run as system_u. You can use run_init if
DJW> you choose to get it to run as system_u
I've always wondered why service doesn't check for selinux and re-run itself via run_init...
On 07/10/2009 01:29 PM, Robert Story wrote:
> I've always wondered why service doesn't check for selinux and re-run itself via run_init...
Mainly because run_init requires a password by default, and we did not want to change it to pam_rootok, by default.
On 07/10/2009 02:50 PM, Daniel J Walsh wrote:
> If you add the following in a module it should allow your app to work.
> domain_obj_id_change_exemption(dhcpc_t)
> Miroslav can you add this to sysnetwork.te for F10, F11.
I will add this to selinux-policy-3.6.12-66.fc11 and selinux-policy-3.5.13-67.fc10