Hi,

Andreas Florath <an...@flonatel.org> wrote:
> Package: selinux-policy-default
> Version: 2:2.20110726-12
> Severity: important
>
> Dear Maintainer,
>
> after enabling SELinux the eth0 network device is no longer
> configured automatically during boot time.
>
> There is a similar bug
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
> but it differs in the command. Here it is 'dhclient', there the
> scripts.
>
> IMHO this is an 'important' bug, because systems using dhcp cannot
> switch to enforce - or they will not work properly any more.
>
> The eth0 device is configured as:
>
> allow-hotplug eth0
> iface eth0 inet dhcp
>
> After booting with SELinux set to enforced the eth0 network interface
> is not configured. ifconfig shows only 'lo'.
>
> During boot, the following two AVCs are reported:
>
> Jul 31 12:55:55 debtest kernel: [ 4.489454] type=1400 audit(1406804155.296:5): avc: denied { name_bind } for pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> Jul 31 12:55:55 debtest kernel: [ 4.489641] type=1400 audit(1406804155.296:6): avc: denied { name_bind } for pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
>
> When I use both these lines as input to 'audit2allow' and 'semodule'
>
> $ audit2allow -M localdhclient
> $ semodule -i localdhclient.pp
>
> after booting, the interface comes up, but it looks like the further
> setup needs 'hostname' and 'ip':
>
> Jul 31 13:39:41 debtest kernel: [ 4.954371] type=1400 audit(1406806780.651:5): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [ 4.954457] type=1400 audit(1406806780.651:6): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [ 5.005695] type=1400 audit(1406806780.703:7): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [ 5.005781] type=1400 audit(1406806780.703:8): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [ 5.007904] type=1400 audit(1406806780.703:9): avc: denied { read write } for pid=1752 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [ 5.007988] type=1400 audit(1406806780.703:10): avc: denied { read write } for pid=1752 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
>
> After another 'audit2allow' and 'semodule' there are no further AVCs
> in the log after a reboot and the interface works fine.
>
Could you provide the output of

# sestatus
# semodule -l

and also which init system you are using?

Cheers,
Mika
-- 
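An added triage script, not part of this bug thread, that parses AVC denial lines like the ones quoted in the report, collapses them into the TE allow rules audit2allow would emit for them, and flags which denials are a port-labelling gap (dhclient's `name_bind` on generic `port_t`) and which are a socket inherited from another domain (`ip` and `hostname` touching a `dhcpc_t` udp_socket). The sample lines are constructed from the report; the classification labels are this script's own naming.

```python
import re
from collections import OrderedDict

# Constructed from the AVC lines in the report above (kernel audit format).
SAMPLE_AVCS = """\
type=1400 audit(1406804155.296:5): avc: denied { name_bind } for pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1406804155.296:6): avc: denied { name_bind } for pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1406806780.651:5): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=1400 audit(1406806780.703:7): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Extract source/target type, target role, class, permissions and path; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    s = m.group("scontext").split(":")   # user:role:type:range
    t = m.group("tcontext").split(":")
    path_m = re.search(r'path="([^"]*)"', line)
    return {"stype": s[2], "ttype": t[2], "trole": t[1],
            "tclass": m.group("tclass"),
            "perms": tuple(m.group("perms").split()),
            "path": path_m.group(1) if path_m else ""}

def classify(d):
    """Triage hint (labels are this script's own, not audit2allow's)."""
    if "name_bind" in d["perms"]:
        return "port_bind"          # binding a port that carries only the generic port_t label
    if d["path"].startswith("socket:[") and d["trole"] != "object_r":
        return "inherited_socket"   # target is a process domain: the fd was handed down from it
    return "other"

def allow_rules(text):
    """One TE allow rule per (source type, target type, class), merging permissions."""
    rules = OrderedDict()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in rules.items()]

if __name__ == "__main__":
    for line in SAMPLE_AVCS.splitlines():
        print(classify(parse_avc(line)), line.split("comm=")[1].split()[0])
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

The generated rules are what a blanket `audit2allow -M` module would load; seeing `port_bind` versus `inherited_socket` side by side shows that the second set of denials only appears once the first is allowed, exactly the two-round pattern the reporter describes.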