Hi,
There appear to be issues with SELinux and the firestarter package available from fedora-extras. I have attached the errors from /var/log/messages upon boot to this email. I suspect it may be related to either dhcpd or kernel module loading upon boot, but I'm rather clueless about SELinux. If someone could give me some pointers on how to proceed with debugging this it would be really appreciated. I have reported the bug here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179248
This is with kernel 2.6.14-1.1656_FC4, libselinux-1.23.10-2, selinux-policy-targeted-1.27.1-2.16.
I realize that I have probably not given enough information to debug this, but I am not sure what else would be useful.
Many thanks, Jonathan
Jonathan Underwood wrote:
> Hi,
> There appear to be issues with SELinux and the firestarter package available from fedora-extras. I have attached the errors from /var/log/messages upon boot to this email. I suspect it may be related to either dhcpd or kernel module loading upon boot, but I'm rather clueless about SELinux. If someone could give me some pointers on how to proceed with debugging this it would be really appreciated. I have reported the bug here:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179248
> This is with kernel 2.6.14-1.1656_FC4, libselinux-1.23.10-2, selinux-policy-targeted-1.27.1-2.16.
> I realize that I have probably not given enough information to debug this, but I am not sure what else would be useful.
> Many thanks, Jonathan
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Looks like the problem here is hooking the dhclient program. This causes the firestarter script to run in dhclient mode, and dhclient is not allowed to do modutil and iptables.
On 31/01/06, Daniel J Walsh dwalsh@redhat.com wrote:
> Looks like the problem here is hooking the dhclient program. This causes the firestarter script to run in dhclient mode, and dhclient is not allowed to do modutil and iptables.
So what would be the correct approach to remedying this? Change to SELinux policy for dhclient? Request that firestarter change to not run in dhclient mode? Presumably the latter would require a new policy to be written for firestarter?
TIA, Jonathan
Jonathan Underwood wrote:
> On 31/01/06, Daniel J Walsh dwalsh@redhat.com wrote:
>> Looks like the problem here is hooking the dhclient program. This causes the firestarter script to run in dhclient mode, and dhclient is not allowed to do modutil and iptables.
> So what would be the correct approach to remedying this? Change to SELinux policy for dhclient? Request that firestarter change to not run in dhclient mode?
That would be my preference.
> Presumably the latter would require a new policy to be written for firestarter?
You could write a new policy for firestarter which dhclient could transition to. Giving these privs to dhclient would be very dangerous.
> TIA, Jonathan
selinux@lists.fedoraproject.org
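Added example, not part of the thread: a Python summary of AVC denial lines from /var/log/messages grouped by source domain, which makes the diagnosis above visible (iptables and module-loading denials charged to dhclient's domain because the hook script inherits it). The log lines are constructed, and the type names `dhcpc_t`, `iptables_exec_t`, `insmod_exec_t` and the script name `firestarter.sh` are assumptions, not values from the poster's attachment.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel AVC denial format (not the poster's attachment).
# dhcpc_t as the dhclient domain and the *_exec_t target types are assumptions.
SAMPLE_LOG = '''\
Jan 31 09:00:01 host kernel: audit(1138698001.101:2): avc:  denied  { execute } for  pid=1801 comm="firestarter.sh" name="iptables" dev=hda2 ino=4711 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file
Jan 31 09:00:01 host kernel: audit(1138698001.105:3): avc:  denied  { execute } for  pid=1802 comm="firestarter.sh" name="modprobe" dev=hda2 ino=4712 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:insmod_exec_t tclass=file
Jan 31 09:00:02 host kernel: audit(1138698002.230:4): avc:  denied  { read execute } for  pid=1803 comm="firestarter.sh" name="iptables" dev=hda2 ino=4711 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:iptables_exec_t tclass=file
Jan 31 09:00:03 host kernel: audit(1138698003.010:5): avc:  denied  { getattr } for  pid=1900 comm="httpd" name="index.html" dev=hda2 ino=9001 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Jan 31 09:00:04 host dhclient: bound to 192.0.2.10, renewal in 3600 seconds.
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def selinux_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def denials_by_domain(log):
    """Map source domain -> {(target type, class): set of denied permissions}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and "scontext" in rec and "tcontext" in rec:
            key = (selinux_type(rec["tcontext"]), rec.get("tclass", "?"))
            out[selinux_type(rec["scontext"])][key].update(rec["perms"])
    return out

if __name__ == "__main__":
    for domain, targets in sorted(denials_by_domain(SAMPLE_LOG).items()):
        for (ttype, tclass), perms in sorted(targets.items()):
            print(f"{domain} -> {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

A source domain that accumulates denials against firewall and module-loading executables, as `dhcpc_t` does in this sample, points at a helper running in its caller's domain, which is the case for a separate domain with a transition rather than wider permissions for the caller.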