[DSE-Dev] Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

Andreas Florath andre at flonatel.org
Fri Aug 1 05:14:05 UTC 2014


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important

Dear Maintainer,

after enabling SELinux the eth0 network device is no longer configured automatically during boot time.

There is a similar bug
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
but it differs in the command. Here it is 'dhclient' there the scripts.

IMHO this is an 'important' bug, because systems using dhcp cannot switch to enforce - or they will not work properly any more.

The eth0 device is configured as:

allow-hotplug eth0
iface eth0 inet dhcp

After booting with SELinux set to enforced the eth0 network interface is not configured. ifconfig shows only 'lo'.

During boot, the following two AVCs are reported:

Jul 31 12:55:55 debtest kernel: [    4.489454] type=1400 audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 12:55:55 debtest kernel: [    4.489641] type=1400 audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

When I use both of these lines as input to 'audit2allow' and 'semodule':

$ audit2allow -M localdhclient
$ semodule -i localdhclient.pp

after booting, the interface comes up, but it looks like the further setup needs 'hostname' and 'ip':

Jul 31 13:39:41 debtest kernel: [    4.954371] type=1400 audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    4.954457] type=1400 audit(1406806780.651:6): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.005695] type=1400 audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.005781] type=1400 audit(1406806780.703:8): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.007904] type=1400 audit(1406806780.703:9): avc:  denied  { read write } for  pid=1752 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [    5.007988] type=1400 audit(1406806780.703:10): avc:  denied  { read write } for  pid=1752 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket

After another 'audit2allow' and 'semodule' there are no further AVCs in the log after a reboot and the interface works fine.

Kind regards

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
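The report above relies on audit2allow to turn the AVC lines into a policy module without showing what that module will actually grant. The following is an added example, not part of the bug report and not Debian's or the refpolicy project's code: it parses AVC denial lines in the format shown above, aggregates them by (source type, target type, object class), and prints the raw type-enforcement rules that a tool like audit2allow would derive, so the grants can be reviewed before anything is loaded with semodule. The sample lines are copied from the report; the function names (parse_avc, summarize, to_te_rules) are this example's own.

```python
import re
from collections import defaultdict

# Sample input: AVC lines as they appear in the bug report (abbreviated to the
# audit payload; the syslog prefix is not needed by the parser).
SAMPLE_AVC_LINES = [
    'type=1400 audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" '
    'src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=1400 audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" '
    'path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket',
    'type=1400 audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 comm="hostname" '
    'path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type component (third field) of an SELinux security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }


def summarize(lines):
    """Group denials by (source type, target type, class), merging permissions
    and recording which commands triggered them."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        entry = groups[(d['stype'], d['ttype'], d['tclass'])]
        entry['perms'] |= d['perms']
        if d['comm']:
            entry['comms'].add(d['comm'])
    return dict(groups)


def to_te_rules(groups):
    """Render the aggregated denials as raw allow rules, one per type/class triple.
    These are the same kind of rules audit2allow emits; a maintainer would normally
    express them through refpolicy interfaces instead of loading them verbatim."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(groups.items()):
        perms = sorted(entry['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    groups = summarize(SAMPLE_AVC_LINES)
    for key, entry in sorted(groups.items()):
        print(f'{key}: perms={sorted(entry["perms"])} triggered by {sorted(entry["comms"])}')
    print('\n'.join(to_te_rules(groups)))
```

Running this over the sample lines yields one rule for dhcpc_t binding a UDP socket to a generic port_t port and two rules letting ifconfig_t and hostname_t read and write a socket inherited from dhcpc_t, which is exactly what the two audit2allow rounds in the report would have granted. Reviewing the output this way makes it visible that a target type of port_t means an unlabelled (generic) port rather than a dedicated dhcp port type, which is the kind of detail worth checking before a local module is installed.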
