Gentoo Forums
Cannot start network service with selinux
copapa
n00b
Joined: 14 Nov 2014
Posts: 7

Posted: Wed Dec 03, 2014 3:15 pm    Post subject: Cannot start network service with selinux

Hi everyone.

I managed to install my Gentoo box with grsecurity and PaX. Now I am trying to install SELinux. Until now, everything seemed OK, but now I am stuck trying to manage my network interface.

Code:
# id -Z
root:sysadm_r:sysadm_t
# getenforce
Enforcing
# /etc/init.d/net.enp2s0 start
Authenticating root.
Password:
 * Bringing up interface enp2s0
 *   dhcp ...
 *     Running udhcpc ...
udhcpc: socket(AF_INET,3,255): Permission denied
 *     start-stop-daemon: failed to start `/bin/busybox'
 * ERROR: net.enp2s0 failed to start


This pastebin http://pastebin.com/TPRyAJZf contains the content of /var/log/audit/audit.log after cleaning the logfile and trying to start the interface (and going permissive then starting the network so that I could retrieve the logfile).

Code:
# ls -lZ /etc/init.d/net*
lrwxrwxrwx. 1 root root system_u:object_r:etc_t             6 Nov 26 15:57 /etc/init.d/net.enp2s0 -> net.lo
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 17415 Nov 25 20:04 /etc/init.d/net.lo
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t  1583 Nov 28 16:12 /etc/init.d/netmount


This etc_t seems weird to me but matchpathcon tells me this is the default context of this file.

Code:
# grep -v "^#" /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=strict


What am I misunderstanding?
N8Fear
Tux's lil' helper
Joined: 15 Apr 2013
Posts: 140
Location: Berlin (Germany)

Posted: Thu Dec 04, 2014 12:22 pm

From the logs I gather that you use udhcpc from busybox. This simply isn't supported by the default policy (it doesn't label the symlink you likely have correctly). If you take a look at the policy (sysnetwork.fc):
Code:
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)

you can see that it must be labeled as system_u:object_r:dhcpc_exec_t. If you change it accordingly, I guess it will make the correct domain transitions and run. If it works, you should add it to a local patch to the policy, include that file context via semanage, or even consider upstreaming the change so that others who come after you won't have the same troubles.
(The only thing I'm not sure of is whether symlinks can have other contexts than their target; if not, you're likely better off just installing one of the supported DHCP clients.)

Edit: you should likely also run rlpkg again (to generally restore the correct contexts on your box).
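The relabeling the reply above describes, as an added example that is neither the poster's code nor part of Gentoo's SELinux policy: a small POSIX sh helper that resolves the DHCP client binary the init script hands to start-stop-daemon, compares its label with the dhcpc_exec_t that sysnetwork.fc expects, and prints the semanage fcontext and restorecon commands that would make the fix persist across relabels. The function names, and the use of /bin/busybox as the argument, are assumptions for illustration; the `ls -lZ` line it parses in the usage is the one from the first post.

```shell
# Added example (not code from the thread or from Gentoo): check whether the
# resolved DHCP client binary carries the dhcpc_exec_t label and, if not,
# print the persistent fix. Assumes GNU coreutils (stat -c %C, readlink -f)
# and policycoreutils (semanage, restorecon) on an SELinux-enabled box.
# Function names and the /bin/busybox argument are illustrative assumptions.

# Type field of a context: system_u:object_r:etc_t[:s0] -> etc_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context column of an `ls -lZ` line (5th whitespace-separated field).
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Canonical path of the executable. A symlink carries its own label (the
# net.enp2s0 link in the thread shows etc_t while its target is
# initrc_exec_t); the transition into dhcpc_t is decided by the label of
# the file actually executed, so check and rule must use the resolved target.
resolve_target() {
    readlink -f -- "$1"
}

# Exit 0 when the type in the current context differs from the wanted type.
needs_relabel() {
    [ "$(context_type "$1")" != "$2" ]
}

# Persistent fix: record a file-context rule, then relabel from it.
# semanage takes a regex; a plain absolute path without metacharacters is fine.
fix_commands() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$2" "$1"
    printf 'restorecon -v "%s"\n' "$1"
}

# Driver: exit 0 if already labeled, 1 (fix printed) if not, 2 if the path
# does not resolve to an executable or no SELinux context is readable.
check_dhcp_client() {
    target=$(resolve_target "$1") && [ -x "$target" ] || return 2
    want=${2:-dhcpc_exec_t}
    cur=$(stat -c %C -- "$target" 2>/dev/null)
    case $cur in
        *:*:*) ;;
        *) echo "no SELinux context readable on $target" >&2; return 2 ;;
    esac
    if needs_relabel "$cur" "$want"; then
        echo "$target is $(context_type "$cur"), expected $want; to fix:" >&2
        fix_commands "$target" "$want"
        return 1
    fi
    echo "$target is already $want"
}

# Usage on the box from the thread (assumed paths):
#   check_dhcp_client /bin/busybox
#   ls_z_context 'lrwxrwxrwx. 1 root root system_u:object_r:etc_t 6 Nov 26 15:57 /etc/init.d/net.enp2s0 -> net.lo'
```

Two caveats before applying the printed commands. BusyBox is a multi-call binary, so labeling /bin/busybox itself as dhcpc_exec_t would move every applet started through that file (and any hard link to it, which shares the inode and therefore the label) into dhcpc_t; a dedicated copy of the binary, or one of the clients already listed in sysnetwork.fc such as dhcpcd, keeps the transition limited to the DHCP client. After `semanage fcontext -a` has been run, `matchpathcon` on the path reports the new type, and a later `rlpkg` or `restorecon` relabel will keep it rather than revert it.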