[Clip] Applied CLIP to fresh RHEL 5.3; network won't start
Christopher J. PeBenito
cpebenito at tresys.com
Thu Aug 6 16:42:18 CDT 2009
On Thu, 2009-08-06 at 11:19 -0700, Eric Gearhart wrote:
> I know I'm spamming the list but maybe the results of this will help
> the project, or something
>
> [root at kick-me ~]# cat /var/log/audit/audit.log | audit2allow
> allow cupsd_t self:process setfscreate;
> allow cupsd_t default_context_t:dir search;
> allow cupsd_t hosts_conf_t:file read;
> allow initrc_t network_conf_t:file read;
> allow initrc_t removable_device_t:blk_file read;
> allow local_login_t default_t:dir search;
> allow sendmail_t hosts_conf_t:file read;
> allow sendmail_t lo_node_t:tcp_socket node_bind;
> allow sendmail_t sysctl_t:file read;
> allow sshd_t default_t:dir search;
> allow sshd_t hosts_conf_t:file { getattr read };
> allow sshd_t local_login_t:key link;
> allow sshd_t sysadm_devpts_t:chr_file { getattr ioctl read relabelto setattr write };
> allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh transition };
> allow sshd_t sysctl_t:file read;
> allow sysadm_su_t default_t:dir search;
> allow sysadm_t inaddr_any_node_t:tcp_socket node_bind;
> allow sysadm_t self:capability audit_write;
> allow sysadm_t self:netlink_audit_socket { create nlmsg_relay write };
> allow syslogd_t hosts_conf_t:file read;
>
> That's an initial run of audit2allow... I'm new to SELinux (jeez I've
> learned a lot in the past couple of days about SELinux...), but I'm
> guessing seeing the output of audit2allow helps somewhat...
>
> Also...
> ls -Z /etc/sysconfig/network
> -rw-r--r-- root root system_u:object_r:network_conf_t:s0 /etc/sysconfig/network
>
> Is network_conf_t the right context? On my other untouched RHEL box
> the context looks like this:
> -rw-r--r-- root root system_u:object_r:etc_t /etc/sysconfig/network
No, network_conf_t is the expected label on /etc/sysconfig/network for a
CLIP system. Can you send the actual audit log? The raw messages have
additional info which can help us piece together what's happening.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
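As an added illustration of why the raw log is being asked for (this is not code from the thread, from Tresys or from the CLIP project): audit2allow collapses each AVC record down to source type, target type, class and permission, discarding comm=, name=/path= and the SYSCALL record that shares the AVC's serial number. The script below parses raw audit.log AVC lines, rebuilds the audit2allow-style rules, and keeps the dropped columns alongside them. The log lines in SAMPLE_AUDIT_LOG are constructed for the example and only loosely mirror the denials quoted above; the values in them are not from any real system.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit.log AVC format (not Eric's actual
# log). The SYSCALL record shares serial 203 with the AVC just before it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1249583000.101:201): avc:  denied  { read } for  pid=2345 comm="sshd" name="hosts" dev=sda2 ino=131105 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:hosts_conf_t:s0 tclass=file
type=AVC msg=audit(1249583000.102:202): avc:  denied  { getattr } for  pid=2345 comm="sshd" path="/etc/hosts" dev=sda2 ino=131105 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:hosts_conf_t:s0 tclass=file
type=AVC msg=audit(1249583000.250:203): avc:  denied  { read } for  pid=1890 comm="network" name="network" dev=sda2 ino=131210 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:network_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1249583000.250:203): arch=40000003 syscall=5 success=no exit=-13 items=0 ppid=1 pid=1890 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="network" exe="/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1249583000.300:204): avc:  denied  { audit_write } for  pid=3001 comm="sudo" capability=29 scontext=root:system_r:sysadm_t:s0 tcontext=root:system_r:sysadm_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either double-quoted or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """user:role:type[:mls] -> type. The user, role and MLS fields are
    dropped the same way audit2allow drops them."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one record per AVC line. SYSCALL/PATH records are skipped
    here, but their serial number ties them to the AVC line; that is how
    the raw log yields exe=, exit= and cwd= for a denial."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {}
        for key, quoted, bare in KV_RE.findall(m.group("rest")):
            fields[key] = bare if bare else quoted
        records.append({
            "serial": int(m.group("serial")),
            "result": m.group("result"),
            "perms": set(m.group("perms").split()),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
            # the object shows up as name= (inode lookup), path=, or a capability number
            "target": fields.get("path") or fields.get("name") or fields.get("capability", "?"),
        })
    return records


def summarize(records):
    """Fold denials into (source type, target type, class) buckets, keeping
    the comm= and object names that the audit2allow rule output discards."""
    rules = defaultdict(lambda: {"perms": set(), "comm": set(), "targets": set()})
    for r in records:
        if r["result"] != "denied":
            continue
        # audit2allow writes "self" when source and target contexts are identical
        ttype = "self" if r["scontext"] == r["tcontext"] else context_type(r["tcontext"])
        key = (context_type(r["scontext"]), ttype, r["tclass"])
        rules[key]["perms"] |= r["perms"]
        rules[key]["comm"].add(r["comm"])
        rules[key]["targets"].add(r["target"])
    return dict(rules)


def format_rules(rules):
    """Render buckets in audit2allow's style: braces only for several perms."""
    out = []
    for (stype, ttype, tclass), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


if __name__ == "__main__":
    rules = summarize(parse_avc(SAMPLE_AUDIT_LOG))
    for rule, (key, info) in zip(format_rules(rules), sorted(rules.items())):
        # the extra columns are what a reader needs to judge whether the rule is sane
        print(f"{rule:55s} comm={sorted(info['comm'])} objects={sorted(info['targets'])}")
```

Run against a real /var/log/audit/audit.log with parse_avc(open(path).read()); the object column is what tells you, for example, that an initrc_t read denial on network_conf_t came from the "network" init script opening /etc/sysconfig/network, which the bare allow rule cannot.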