[DSE-Dev] Bug#756729: Bug#756729: selinux-policy-default: Setting SELinux to enforce results in not configured network interface at boot time

Mika Pflüger debian at mikapflueger.de
Fri Aug 1 09:20:51 UTC 2014


Hi,

Andreas Florath <andre at flonatel.org> wrote:
> Package: selinux-policy-default
> Version: 2:2.20110726-12
> Severity: important
> 
> Dear Maintainer,
> 
> after enabling SELinux the eth0 network device is no longer
> configured automatically during boot time.
> 
> There is a similar bug
>  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
> but it differs in the command. Here it is 'dhclient' there the
> scripts.
> 
> IMHO this is an 'important' bug, because systems using dhcp cannot
> switch to enforce - or they will not work properly any more.
> 
> The eth0 device is configured as:
> 
> allow-hotplug eth0
> iface eth0 inet dhcp
> 
> After booting with SELinux set to enforced the eth0 network interface
> is not configured. ifconfig shows only 'lo'.
> 
> During boot, the following two AVCs are reported:
> 
> Jul 31 12:55:55 debtest kernel: [    4.489454] type=1400
> audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677
> comm="dhclient" src=1356
> scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> Jul 31 12:55:55 debtest kernel: [    4.489641] type=1400
> audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677
> comm="dhclient" src=14762
> scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> 
> When I use both of these lines as input to 'audit2allow' and 'semodule'
> 
> $ audit2allow -M localdhclient
> $ semodule -i localdhclient.pp
> 
> after booting, the interface comes up, but it looks like the further
> setup needs 'hostname' and 'ip':
> 
> Jul 31 13:39:41 debtest kernel: [    4.954371] type=1400
> audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723
> comm="ip" path="socket:[7251]" dev=sockfs ino=7251
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [    4.954457] type=1400
> audit(1406806780.651:6): avc:  denied  { read write } for  pid=1723
> comm="ip" path="socket:[7252]" dev=sockfs ino=7252
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [    5.005695] type=1400
> audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751
> comm="hostname" path="socket:[7251]" dev=sockfs ino=7251
> scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [    5.005781] type=1400
> audit(1406806780.703:8): avc:  denied  { read write } for  pid=1751
> comm="hostname" path="socket:[7252]" dev=sockfs ino=7252
> scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [    5.007904] type=1400
> audit(1406806780.703:9): avc:  denied  { read write } for  pid=1752
> comm="ip" path="socket:[7251]" dev=sockfs ino=7251
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> Jul 31 13:39:41 debtest kernel: [    5.007988] type=1400
> audit(1406806780.703:10): avc:  denied  { read write } for  pid=1752
> comm="ip" path="socket:[7252]" dev=sockfs ino=7252
> scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
> 
> After another 'audit2allow' and 'semodule' there are no further AVCs
> in the log after a reboot and the interface works fine.
> 


Could you provide the output of
# sestatus
# semodule -l
and also which init system you are using?

Cheers,

Mika

-- 

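As an added triage helper (not code from the bug report, the reporter, or the Debian policy package), the script below parses the AVC lines quoted above into (source type, target type, class) groups and renders the allow rules audit2allow would propose, so each rule can be reviewed before a module is built and loaded. The sample lines are reconstructed from the report; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in the bug report, one per line.
SAMPLE_AVCS = """\
audit(1406804155.296:5): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
audit(1406804155.296:6): avc:  denied  { name_bind } for  pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
audit(1406806780.651:5): avc:  denied  { read write } for  pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
audit(1406806780.703:7): avc:  denied  { read write } for  pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field (third component) of user:role:type[:range]."""
    return context.split(":")[2]

def parse_avcs(text):
    """Parse AVC denial lines into dicts; lines that are not denials are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append({"perms": set(m["perms"].split()), "comm": m["comm"],
                        "stype": type_of(m["scon"]), "ttype": type_of(m["tcon"]),
                        "tclass": m["tclass"]})
    return out

def summarize(avcs):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for a in avcs:
        g = groups[(a["stype"], a["ttype"], a["tclass"])]
        g["perms"] |= a["perms"]
        g["comms"].add(a["comm"])
    return dict(groups)

def to_allow_rules(groups):
    """Render candidate allow rules in .te syntax, sorted for stable output."""
    rules = []
    for (s, t, c), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        perms = perms if len(g["perms"]) == 1 else "{ " + perms + " }"
        rules.append(f"allow {s} {t}:{c} {perms};")
    return rules
```

Run `to_allow_rules(summarize(parse_avcs(SAMPLE_AVCS)))` to get the three rules; review the first one before loading it, since port_t is the generic type for ports without a specific label, and note that the ip/hostname rules arise from sockets inherited from dhclient (same socket inode, tcontext dhcpc_t).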