[DSE-Dev] Bug#728950: selinux-policy-default: dhclient-script is not allowed to run external commands

Leos Bitto Leos.Bitto at gmail.com
Thu Nov 7 08:25:09 UTC 2013


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important

Dear Maintainer,

I use DHCP to configure my network interface; this is the relevant part of
/etc/network/interfaces:

auto eth2
iface eth2 inet dhcp

I have SELinux configured, which means that every time my IP address is renewed,
SELinux blocks running a lot of commands from dhclient-script:

----
time->Thu Nov  7 06:39:24 2013
type=SYSCALL msg=audit(1383802764.711:777): arch=c000003e syscall=4 success=no exit=-13 a0=2646908 a1=7fffd8e0a0a0 a2=7fffd8e0a0a0 a3=8 items=0 ppid=1949 pid=29169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1383802764.711:777): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="samba" dev=sda2 ino=132229 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
----
time->Thu Nov  7 06:39:24 2013
type=SYSCALL msg=audit(1383802764.711:778): arch=c000003e syscall=2 success=no exit=-13 a0=2646208 a1=241 a2=1b6 a3=8 items=0 ppid=1949 pid=29169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1383802764.711:778): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="samba" dev=sda2 ino=132229 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
----
time->Thu Nov  7 06:39:24 2013
type=SYSCALL msg=audit(1383802764.715:779): arch=c000003e syscall=4 success=no exit=-13 a0=7fff7aa55cb1 a1=7fff7aa54600 a2=7fff7aa54600 a3=0 items=0 ppid=29169 pid=29171 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1383802764.715:779): avc:  denied  { search } for  pid=29171 comm="mv" name="samba" dev=sda2 ino=132229 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
----
time->Thu Nov  7 06:39:24 2013
type=SYSCALL msg=audit(1383802764.719:780): arch=c000003e syscall=4 success=no exit=-13 a0=2650108 a1=7fffd8e09750 a2=7fffd8e09750 a3=8 items=0 ppid=1949 pid=29169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1383802764.719:780): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="ntp" dev=sda2 ino=395805 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntp_drift_t:s0 tclass=dir
----
time->Thu Nov  7 06:39:24 2013
type=SYSCALL msg=audit(1383802764.719:781): arch=c000003e syscall=4 success=no exit=-13 a0=2651948 a1=7fffd8e09100 a2=7fffd8e09100 a3=8 items=0 ppid=1949 pid=29169 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1383802764.719:781): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="ntp" dev=sda2 ino=395805 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntp_drift_t:s0 tclass=dir
----

I would expect SELinux to allow running everything from dhclient-script.

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
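
Added example, not part of the original report: a short Python script that collapses AVC records like the ones quoted above into distinct (source type, target type, class) denials, which is the first triage step before deciding whether policy should change. The function names are hypothetical, and the sample holds three of the report's AVC lines with the SYSCALL records left out.

```python
import re
from collections import defaultdict

# Constructed sample: three of the AVC lines from the report above,
# with the paired SYSCALL records left out.
SAMPLE = """\
type=AVC msg=audit(1383802764.711:777): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="samba" dev=sda2 ino=132229 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
type=AVC msg=audit(1383802764.715:779): avc:  denied  { search } for  pid=29171 comm="mv" name="samba" dev=sda2 ino=132229 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir
type=AVC msg=audit(1383802764.719:780): avc:  denied  { search } for  pid=29169 comm="dhclient-script" name="ntp" dev=sda2 ino=395805 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:ntp_drift_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, separators, blank lines
        key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["comms"].add(m["comm"])
        groups[key]["count"] += 1
    return dict(groups)

def candidate_rules(summary):
    """Render each group in allow-rule syntax, for review only."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(summary.items())
    ]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for (s, t, c), g in sorted(summary.items()):
        print(f"{g['count']}x {s} -> {t}:{c} via {sorted(g['comms'])}")
    for rule in candidate_rules(summary):
        print(rule)
```

The rendered rules describe what was denied; whether dhcpc_t should be granted that access is a decision for policy review.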


