Bug 190100 - sys-apps/baselayout-2.0.0_rc3-r1 - net.ethX - interface not started in selinux context
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2007-08-24 21:56 UTC by Alon Bar-Lev (RETIRED)
Modified: 2009-12-16 14:40 UTC

Description Alon Bar-Lev (RETIRED) gentoo-dev 2007-08-24 21:56:00 UTC
Hello,

/etc/init.d/net.eth0 start

Stays in inactive state if I execute it from selinux root context.

Aug 25 00:51:09 alon1 /etc/init.d/net.eth0[8933]: WARNING: net.eth0 has started, but is inactive
Aug 25 00:51:09 alon1 wpa_cli: interface eth0 CONNECTED
Aug 25 00:51:11 alon1 dnsmasq[7695]: no servers found in /etc/resolv.conf, will retry
Aug 25 00:51:12 alon1 wpa_cli: executing '/etc/init.d/net.eth0 --quiet start' failed

If I start it from su environment it succeeds:

Aug 25 00:51:58 alon1 /etc/init.d/net.eth0[9367]: WARNING: net.eth0 has started, but is inactive
Aug 25 00:51:58 alon1 wpa_cli: interface eth0 CONNECTED
Aug 25 00:51:59 alon1 dhcpcd[9490]: eth0: dhcpcd 3.0.16 starting
Comment 1 Roy Marples (RETIRED) gentoo-dev 2007-08-25 09:06:18 UTC
I have no idea about SELinux - the only hook we've ever had is in runscript.c and it's still there. The SELinux team will have to solve this.
Comment 2 Arthur Hagen 2007-09-09 13:19:31 UTC
(In reply to comment #0)
> Hello,
> 
> /etc/init.d/net.eth0 start
> 
> Stays in inactive state if I execute it from selinux root context.

Any scripts in /etc/init.d/ that are called manually have to be started from a sysadm_r role to be able to change its context so the process can access its files.

# newrole -r sysadm_r
[enter password]
# /etc/init.d/net.eth0 start
[enter password]

This is deliberate.

Otherwise, if you have manually edited files in /etc, they might not be labeled correctly, especially if using vim (try nvi instead). If so, try (as root, in a sysadm_r role):

# restorecon -vR /etc

Alternatively, if you have a lot of labels set wrong, "rlpkg -a" is your friend.  However, it will take a LONG time.
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2007-09-09 21:14:45 UTC
(In reply to comment #2)
> # newrole -r sysadm_r
> [enter password]
> # /etc/init.d/net.eth0 start
> [enter password]
> 
> This is deliberate.

I know... Only net.ethX does not work during the pending->active transition.

> 
> Otherwise, if you have manually edited files in /etc, they might not be labeled
> correctly, especially if using vim (try nvi instead). 

Can't vi be patched to solve the above?

> If so, try (as root, in
> a sysadm_r role):
> 
> # restorecon -vR /etc
> 
> Alternatively, if you have a lot of labels set wrong, "rlpkg -a" is your
> friend.  However, it will take a LONG time.
> 

Done, and does not work...

Please note the following:

Sep 10 00:04:14 alon1 audit(1189371854.165:1726): avc:  denied  { read } for  pid=8412 comm="start-stop-daem" name="001" dev=tmpfs ino=99895 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:tmpfs_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.165:1727): avc:  denied  { read } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1728): avc:  denied  { write } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1729): avc:  denied  { nlmsg_write } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1730): avc:  denied  { read } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1731): avc:  denied  { write } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1732): avc:  denied  { execute } for  pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1733): avc:  denied  { execute_no_trans } for  pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1734): avc:  denied  { read } for  pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1735): avc:  denied  { getattr } for  pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
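An added triage helper, not code from the bug report, baselayout or the SELinux policy: it parses AVC denial lines like the ones quoted above and groups the denied permissions by (source type, target type, object class), which is the grouping a policy reviewer looks at before deciding whether a denial is a labeling problem (fixable with restorecon) or a missing rule. The sample input is a subset of the lines in this comment; `parse_avc`, `split_context` and `summarize` are names chosen here.

```python
import re
from collections import defaultdict

# Sample input: five of the AVC denial lines quoted in the comment above.
AUDIT_LINES = """\
Sep 10 00:04:14 alon1 audit(1189371854.165:1726): avc:  denied  { read } for  pid=8412 comm="start-stop-daem" name="001" dev=tmpfs ino=99895 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:tmpfs_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1728): avc:  denied  { write } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1729): avc:  denied  { nlmsg_write } for  pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1732): avc:  denied  { execute } for  pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1734): avc:  denied  { read } for  pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
"""

# "avc:  denied  { perm [perm ...] } for  key=value ..." as printed by the kernel AVC.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, name) or bare (contexts, dev, ino).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def split_context(ctx):
    """Split user:role:type[:range] into parts; policy rules key on the type."""
    user, role, typ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": typ}


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # dnsmasq/wpa_cli chatter and other non-AVC lines are skipped
        src = split_context(rec["scontext"])["type"]
        tgt = split_context(rec["tcontext"])["type"]
        groups[(src, tgt, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}
```

Every denial in the comment has source type run_init_t, so the grouped output shows at a glance which target types and object classes the net.eth0 start path touches from that domain.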
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2009-12-16 14:40:14 UTC
Closing stale bugs. Please reopen if there is still a problem with current policy.