Package: selinux-policy-default
Version: 2:0.0.20080702-14
Severity: normal

Hi,
this problem probably covers bug #503565. There are a number of
directories for hook scripts under /etc...

A particular problem with interface up/down hook scripts for me now:

[   14.448865] type=1400 audit(1225289272.885:6): avc:  denied  { search }
for  pid=1596 comm="rndc" name="bind" dev=hda2 ino=135055
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

Reason:

1) I have a stanza in the /etc/network/interfaces:

    allow-hotplug eth0
    iface eth0 inet dhcp

   So the interface eth0 is brought up by udev (not by
   /etc/init.d/ifupdown) through udev script:

        system_u:object_r:bin_t:s0 /lib/udev/net.agent

    using:

        system_u:object_r:bin_t:s0 /sbin/ifdown
        system_u:object_r:bin_t:s0 /sbin/ifup

2) I have installed the package bind9, which has hook scripts:

        system_u:object_r:etc_t:s0 /etc/network/if-down.d/bind9
        system_u:object_r:etc_t:s0 /etc/network/if-up.d/bind9

So, no transition is done while executing rndc by udevd.
I already wrote about this problem here:
http://lists.alioth.debian.org/pipermail/selinux-devel/2008-September/000153.html

Besides /etc/network/if-down.d  /etc/network/if-post-down.d
/etc/network/if-pre-up.d  /etc/network/if-up.d
there are other directories for hook scripts:

/etc/dhcp3/dhclient-exit-hooks.d
/etc/dhcp3/dhclient-enter-hooks.d
...

Files under these directories should obtain the type
initrc_exec_t.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-4    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-5   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-6   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-2   SELinux policy compiler
ii  setools                       3.3.5.ds-5 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information
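
Added example (not part of the original report, and not code from the policy package): a small parser for the AVC denial quoted above that flags a command running in a domain other than the one expected, which is the missing-transition symptom the report describes. The rndc -> ndc_t mapping and all function names are assumptions for illustration.

```python
import re

# Constructed sample: the denial from the report, re-joined onto one line.
SAMPLE = (
    '[   14.448865] type=1400 audit(1225289272.885:6): avc:  denied  { search } '
    'for  pid=1596 comm="rndc" name="bind" dev=hda2 ino=135055 '
    'scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'
)

# Assumption: the domain each command should run in (rndc -> ndc_t).
# Adjust this table to the policy that is actually loaded.
EXPECTED_DOMAIN = {"rndc": "ndc_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Parse one AVC denial (possibly wrapped by a mailer) into a dict, or None."""
    flat = " ".join(text.split())  # undo line wrapping and repeated spaces
    m = AVC_RE.search(flat)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls-range]; the range may itself contain ':'.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":", 3)
        if len(parts) < 3:
            return None
        rec[out] = parts[2]
    return rec


def missed_transition(rec):
    """Return a message if comm ran outside its expected domain, else None."""
    want = EXPECTED_DOMAIN.get(rec.get("comm"))
    if want and rec["stype"] != want:
        return "%s ran in %s, expected %s (no domain transition)" % (
            rec["comm"], rec["stype"], want)
    return None


if __name__ == "__main__":
    print(missed_transition(parse_avc(SAMPLE)))
```
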


