Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: important
Dear Maintainer,

after enabling SELinux the eth0 network device is no longer configured
automatically during boot time.

There is a similar bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728950
but it differs in the command. Here it is 'dhclient', there the scripts.

IMHO this is an 'important' bug, because systems using dhcp cannot switch to
enforce - or they will not work properly any more.

The eth0 device is configured as:

    allow-hotplug eth0
    iface eth0 inet dhcp

After booting with SELinux set to enforced the eth0 network interface is not
configured. ifconfig shows only 'lo'. During boot, the following two AVCs are
reported:

Jul 31 12:55:55 debtest kernel: [ 4.489454] type=1400 audit(1406804155.296:5): avc: denied { name_bind } for pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 31 12:55:55 debtest kernel: [ 4.489641] type=1400 audit(1406804155.296:6): avc: denied { name_bind } for pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

When I use both of these lines as input to 'audit2allow' and 'semodule'

    $ audit2allow -M localdhclient
    $ semodule -i localdhclient.pp

after booting, the interface comes up, but it looks like the further setup
needs 'hostname' and 'ip':

Jul 31 13:39:41 debtest kernel: [ 4.954371] type=1400 audit(1406806780.651:5): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [ 4.954457] type=1400 audit(1406806780.651:6): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [ 5.005695] type=1400 audit(1406806780.703:7): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [ 5.005781] type=1400 audit(1406806780.703:8): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [ 5.007904] type=1400 audit(1406806780.703:9): avc: denied { read write } for pid=1752 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
Jul 31 13:39:41 debtest kernel: [ 5.007988] type=1400 audit(1406806780.703:10): avc: denied { read write } for pid=1752 comm="ip" path="socket:[7252]" dev=sockfs ino=7252 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket

After another 'audit2allow' and 'semodule' there are no further AVCs in the
log after a reboot and the interface works fine.
Kind regards
Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules    1.1.3-7.1
ii  libselinux1       2.1.9-5
ii  libsepol1         2.1.4-3
ii  policycoreutils   2.1.10-9
ii  python            2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy       2.1.8-2
pn  setools           <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck          <none>
pn  syslog-summary    <none>

-- no debconf information
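Added example, not part of the bug report above: a small Python triage script that takes the AVC lines quoted in the report (embedded here as a constructed sample), groups the denials by source domain, target type and object class, and renders the allow rules that an audit2allow-generated module would contain, so the rules can be read and judged before anything is loaded with semodule. The function and variable names are this example's own.

```python
import re

# AVC denials copied from the report above (constructed sample: two from the
# first boot and two from the second boot after the first local module was loaded).
AVC_LINES = """\
type=1400 audit(1406804155.296:5): avc: denied { name_bind } for pid=1677 comm="dhclient" src=1356 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1406804155.296:6): avc: denied { name_bind } for pid=1677 comm="dhclient" src=14762 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=1400 audit(1406806780.651:5): avc: denied { read write } for pid=1723 comm="ip" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:ifconfig_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
type=1400 audit(1406806780.703:7): avc: denied { read write } for pid=1751 comm="hostname" path="socket:[7251]" dev=sockfs ino=7251 scontext=system_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Type field of an SELinux context, e.g. dhcpc_t from system_u:system_r:dhcpc_t:s0."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """One dict per AVC denial found in kernel/audit log text; other lines are ignored."""
    out = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            out.append({"perms": set(m["perms"].split()), "comm": m["comm"],
                        "source": context_type(m["scontext"]),
                        "target": context_type(m["tcontext"]), "tclass": m["tclass"]})
    return out

def summarise(text):
    """Group denials by (source type, target type, class), unioning the permissions and
    recording which programs hit them; this is how repeated denials collapse into one rule."""
    groups = {}
    for d in parse_avcs(text):
        g = groups.setdefault((d["source"], d["target"], d["tclass"]), {"perms": set(), "comms": set()})
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
    return groups

def te_rules(text):
    """Render each group as the allow rule a generated module would carry, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in summarise(text).items()]

if __name__ == "__main__":
    for (s, t, c), g in summarise(AVC_LINES).items():
        print(f"{s:<12} -> {t:<8} {c:<11} {sorted(g['perms'])}  hit by {sorted(g['comms'])}")
    print("\n".join(te_rules(AVC_LINES)))
```

The second-boot denials show ip and hostname touching a udp_socket already labelled dhcpc_t, i.e. a socket inherited from dhclient rather than one they opened themselves, which is the kind of detail worth noticing in the grouped output before deciding whether a rule belongs in a local module or in a policy bug report like this one.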