Bug 602624

Summary: SELinux policy for dhcpc needs permissions to run resolvconf from scripts
Product: Gentoo Linux Reporter: Robert Sharp <bugzilla>
Component: SELinux    Assignee: Jason Zaman <perfinion>
Status: RESOLVED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r4
Package list:
Runtime testing required: ---
Attachments: AVCs for resolvconf

Description Robert Sharp 2016-12-14 10:31:35 UTC
Created attachment 456168
AVCs for resolvconf

The policy covering dhcp clients is defined in system/sysnetwork.te and covers the case where the client runs resolvconf (net-dns/openresolv) from within its own domain (dhcpc_t). However, it appears that net-misc/dhcpcd runs resolvconf from the dhcpc_script_t domain, which is not anticipated in the policy and as a result it does not transition to an accepted domain:

type=AVC msg=audit(1480827246.554:34865): avc:  denied  { open } for  pid=16908 comm="resolvconf" path="/proc/meminfo" dev="proc" ino=4026531989 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=1


A list of the resolvconf AVCs generated is attached. Unfortunately, this does not include the AVCs from dhcpc directly, but hopefully it is enough.

The problem can be fixed by including the following in sysnetwork.te, which is already included for the dhcpc_t domain:

> optional_policy(`
>        resolvconf_client_domain(dhcpc_script_t)
>    ')

With this change, dhcpcd runs without raising any AVCs.
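To triage a report like this one, here is an added example (not part of the bug report, the attachment, or the Gentoo policy sources) that parses AVC records in the audit format quoted above and groups the denied permissions by source type, target type and object class; the first sample line is the denial from the report, the second is constructed in the same format for illustration. A summary like this is what you compare against the reference policy to pick the right interface (here resolvconf_client_domain) instead of writing raw allow rules.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC quoted in the bug, line 2 is a made-up
# record in the same format, line 3 is a non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1480827246.554:34865): avc:  denied  { open } for  pid=16908 comm="resolvconf" path="/proc/meminfo" dev="proc" ino=4026531989 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1480827246.560:34866): avc:  denied  { read } for  pid=16908 comm="resolvconf" path="/proc/meminfo" dev="proc" ino=4026531989 scontext=system_u:system_r:resolvconf_t tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=SYSCALL msg=audit(1480827246.554:34865): arch=c000003e syscall=2 success=yes exit=3
"""

# Fixed prefix of an AVC record; the key=value tail is parsed separately.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'serial': int(m.group('serial')),
           'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class).

    permissive=1 means the access was allowed at runtime only because the
    domain was permissive; in enforcing mode the same access would be blocked.
    """
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_AUDIT).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
```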
Comment 1 Jason Zaman gentoo-dev 2017-01-23 18:19:58 UTC
in master now.
Comment 2 Jason Zaman gentoo-dev 2017-01-26 18:04:32 UTC
-r4 is in ~arch
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2017-04-10 18:20:41 UTC
The 2.20170204-r2 release is now stable (which includes the 2.20161023-r4 changes).