Bug 530898 - net-misc/dhcpcd-6.6.2 on selinux -9999 policies
Summary: net-misc/dhcpcd-6.6.2 on selinux -9999 policies
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r1
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-27 18:47 UTC by Amadeusz Sławiński
Modified: 2014-12-21 14:14 UTC

See Also:
Package list:
Runtime testing required: ---
Description Amadeusz Sławiński 2014-11-27 18:47:34 UTC
dhcp policies need small fixes:

on /etc/init.d/dhcpcd restart the following appears:
libudev: udev_monitor_new_from_netlink_fd: error getting socket: Permission denied

Nov 27 19:23:44 maelstrom kernel: [ 8895.022518] audit: type=1400 audit(1417112624.029:218): avc:  denied  { create } for  pid=4109 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0

==

After adding allow dhcpc_t self:netlink_kobject_uevent_socket create;

on /etc/init.d/dhcpcd restart the following appears:
libudev: udev_monitor_enable_receiving: bind failed: Permission denied

Nov 27 19:32:43 maelstrom kernel: [ 9434.841888] audit: type=1400 audit(1417113163.725:269): avc:  denied  { setopt } for  pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:32:43 maelstrom kernel: [ 9434.841915] audit: type=1400 audit(1417113163.726:270): avc:  denied  { bind } for  pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:32:43 maelstrom kernel: [ 9434.842459] audit: type=1400 audit(1417113163.726:271): avc:  denied  { create } for  pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0

==

After adding allow dhcpc_t self:netlink_kobject_uevent_socket bind;

on /etc/init.d/dhcpcd restart the following appears:
libudev: udev_monitor_enable_receiving: setting SO_PASSCRED failed: Permission denied

Nov 27 19:34:26 maelstrom kernel: [ 9538.127677] audit: type=1400 audit(1417113266.988:321): avc:  denied  { setopt } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127697] audit: type=1400 audit(1417113266.988:322): avc:  denied  { getattr } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127707] audit: type=1400 audit(1417113266.988:323): avc:  denied  { setopt } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.128791] audit: type=1400 audit(1417113266.989:324): avc:  denied  { create } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.129074] audit: type=1400 audit(1417113266.989:325): avc:  denied  { create } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.129412] audit: type=1400 audit(1417113266.990:326): avc:  denied  { create } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0

==

After adding allow dhcpc_t self:netlink_kobject_uevent_socket setopt;

on /etc/init.d/dhcpcd restart the following appears:
dhcpcd starts without warnings with those denials still present:

Nov 27 19:40:08 maelstrom kernel: [ 9879.492109] audit: type=1400 audit(1417113608.275:483): avc:  denied  { getattr } for  pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493472] audit: type=1400 audit(1417113608.276:484): avc:  denied  { create } for  pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493668] audit: type=1400 audit(1417113608.276:485): avc:  denied  { create } for  pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.493905] audit: type=1400 audit(1417113608.277:486): avc:  denied  { create } for  pid=5173 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.505808] audit: type=1400 audit(1417113608.288:487): avc:  denied  { getattr } for  pid=5174 comm="dhcpcd-run-hook" path="/etc/ntp.conf" dev="dm-0" ino=23893054 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntp_conf_t tclass=file permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.515619] audit: type=1400 audit(1417113608.298:488): avc:  denied  { use } for  pid=5176 comm="resolvconf" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:resolvconf_t tcontext=staff_u:staff_r:staff_sudo_t tclass=fd permissive=0


Reproducible: Always
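The report above works through the denials one `allow` rule at a time, restarting dhcpcd after each and reading the next AVC record. The script below is an added example (not part of the bug report and not Gentoo's policy tooling) that does the aggregation step the reporter did by hand: it parses kernel audit lines of the shape quoted above, groups the denied permissions by source type, target type and object class, and renders candidate `allow` rules in the form the reporter and Comment 1 use, with `self` when source and target types match. It also lists the cross-domain denials separately, since those (the `/etc/ntp.conf` getattr from the run-hook, the `fd` use by resolvconf against a `staff_sudo_t` context) are the ones that need a policy author's judgement rather than a mechanical allow. The sample log is constructed from lines quoted in the report plus one non-AVC libudev line to show that it is skipped; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records in the shape of the kernel audit lines
# quoted in the bug report, plus one libudev line that is not an AVC record.
SAMPLE_LOG = """\
libudev: udev_monitor_enable_receiving: bind failed: Permission denied
Nov 27 19:32:43 maelstrom kernel: [ 9434.841915] audit: type=1400 audit(1417113163.726:270): avc:  denied  { bind } for  pid=4348 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127677] audit: type=1400 audit(1417113266.988:321): avc:  denied  { setopt } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.127697] audit: type=1400 audit(1417113266.988:322): avc:  denied  { getattr } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=0
Nov 27 19:34:26 maelstrom kernel: [ 9538.128791] audit: type=1400 audit(1417113266.989:324): avc:  denied  { create } for  pid=4540 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_socket permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.505808] audit: type=1400 audit(1417113608.288:487): avc:  denied  { getattr } for  pid=5174 comm="dhcpcd-run-hook" path="/etc/ntp.conf" dev="dm-0" ino=23893054 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:ntp_conf_t tclass=file permissive=0
Nov 27 19:40:08 maelstrom kernel: [ 9879.515619] audit: type=1400 audit(1417113608.298:488): avc:  denied  { use } for  pid=5176 comm="resolvconf" path="/dev/pts/2" dev="devpts" ino=5 scontext=system_u:system_r:resolvconf_t tcontext=staff_u:staff_r:staff_sudo_t tclass=fd permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with the denied permissions and the key=value fields of
    one AVC denial record, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": perms, **fields}


def context_type(ctx):
    """Type component of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def group_denials(lines):
    """Aggregate denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return dict(grouped)


def render_allow_rules(grouped):
    """Render one candidate allow rule per (source, target, class) group, in
    the same notation as the rules the report adds, using 'self' when the
    source and target types are the same."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


def cross_domain(grouped):
    """Keys whose target type differs from the source: these are the denials
    a policy author should look at individually instead of allowing outright."""
    return sorted(key for key in grouped if key[0] != key[1])


if __name__ == "__main__":
    groups = group_denials(SAMPLE_LOG.splitlines())
    for rule in render_allow_rules(groups):
        print(rule)
    print("needs review:", cross_domain(groups))
```

On the constructed sample this produces two `self` rules for `dhcpc_t` (the `netlink_kobject_uevent_socket` permissions the reporter added one at a time, and the `netlink_socket` create that Comment 1 decides to allow as a fall-back) and two cross-domain candidates. Treat the rendered rules as a starting point, not as policy: a `fd use` denial against an unrelated domain such as `staff_sudo_t` usually means a descriptor inherited from the shell that started the service, which policy commonly silences with a `dontaudit` rather than an `allow`, and a read of `ntp_conf_t` by the run-hook is a decision about what the dhcpcd domain should be able to see, not a mechanical fix.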
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-28 09:39:10 UTC
ACK on the netlink_kobject_uevent_socket stuff.

Regarding the netlink_socket calls, I believe those are needed as a fall-back case. Considering the use case of dhcpcd (interacting with network subsystem) I'm inclined to allow it to create and interact with the netlink_socket as well.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-28 09:41:29 UTC
Is in repo, will be part of rev 8
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:14:59 UTC
r1 is now stable