dhcp policies need small fixes:

On /etc/init.d/dhcpcd restart the following appears:

libudev: udev_monitor_new_from_netlink_fd: error getting socket: Permission denied

Nov 27 19:23:44 maelstrom kernel: [ 8895.022518] audit: type=1400 audit(1417112624.029:218): avc: denied { create } for pid=4109 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0

==

After adding

allow dhcpc_t self:netlink_kobject_uevent_socket create;

on /etc/init.d/dhcpcd restart the following appears:

libudev: udev_monitor_enable_receiving: bind failed: Permission denied

Nov 27 19:32:43 maelstrom kernel: [ 9434.841888] audit: type=1400 audit(1417113163.725:269): avc: denied { setopt } for pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:32:43 maelstrom kernel: [ 9434.841915] audit: type=1400 audit(1417113163.726:270): avc: denied { bind } for pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:32:43 maelstrom kernel: [ 9434.842459] audit: type=1400 audit(1417113163.726:271): avc: denied { create } for pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0

==

After adding

allow dhcpc_t self:netlink_kobject_uevent_socket bind;

on /etc/init.d/dhcpcd restart the following appears:

libudev: udev_monitor_enable_receiving: setting SO_PASSCRED failed: Permission denied

Nov 27 19:34:26 maelstrom kernel: [ 9538.127677] audit: type=1400 audit(1417113266.988:321): avc: denied { setopt } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127697] audit: type=1400 audit(1417113266.988:322): avc: denied { getattr } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127707] audit: type=1400 audit(1417113266.988:323): avc: denied { setopt } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.128791] audit: type=1400 audit(1417113266.989:324): avc: denied { create } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.129074] audit: type=1400 audit(1417113266.989:325): avc: denied { create } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.129412] audit: type=1400 audit(1417113266.990:326): avc: denied { create } for pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0

==

After adding

allow dhcpc_t self:netlink_kobject_uevent_socket setopt;

on /etc/init.d/dhcpcd restart dhcpcd starts without warnings, with those denials still present:

Nov 27 19:40:08 maelstrom kernel: [ 9879.492109] audit: type=1400 audit(1417113608.275:483): avc: denied { getattr } for pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493472] audit: type=1400 audit(1417113608.276:484): avc: denied { create } for pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493668] audit: type=1400 audit(1417113608.276:485): avc: denied { create } for pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493905] audit: type=1400 audit(1417113608.277:486): avc: denied { create } for pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.505808] audit: type=1400 audit(1417113608.288:487): avc: denied { getattr } for pid=5174 comm="dhcpcd-run-hook" path="/etc/ntp.conf" dev="dm-0" ino=23893054 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntp_conf_t tclass=file permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.515619] audit: type=1400 audit(1417113608.298:488): avc: denied { use } for pid=5176 comm="resolvconf" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:resolvconf_t tcontext=staff_u:staff_r:staff_sudo_t tclass=fd permissive=0

Reproducible: Always
ACK on the netlink_kobject_uevent_socket stuff. Regarding the netlink_socket calls, I believe those are needed as a fall-back case. Considering the use case of dhcpcd (interacting with network subsystem) I'm inclined to allow it to create and interact with the netlink_socket as well.
Is in repo, will be part of rev 8
r1 is now stable