Hello!
After some experiments it was somewhat clear to me that this must
be a SELinux or policy 'problem'. The problem is that these things
are set up during boot time and I did not receive any hint of what
was going on.
Therefore I disabled the 'virtio_net' module during boot, set
the system to enforcing and loaded the module manually:
# run_init modprobe virtio_net
I got this AVC:
type=USER_AVC msg=audit(1407598899.576:95): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start }
for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
I created a policy file from it, rebooted, ran modprobe again and got another AVC:
type=USER_AVC msg=audit(1407599868.756:93): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status }
for auid=-1 uid=0 gid=0 path="/lib/systemd/system/ifup@.service"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service
exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
This was all I got, no more AVCs. For me the resulting policy file is:
# cat local-network-hotplug.te
policy_module(localnetworkhotplug, 1.0.1)
gen_require(`
type udev_t;
type systemd_unit_file_t;
')
allow udev_t systemd_unit_file_t:service { start status };
After loading this policy and re-enabling the module during boot, the eth0
interface was brought up directly during boot. Adding this rule solves
the problem for me.
=== Start Assumptions
In refpolicy-2.20140421/policy/modules/system/systemd.te, in the Debian
patch to the ref-policy, I found:
allow init_t systemd_unit_file_t:service { stop start status };
IMHO not only init but also udev should be able to start / stop / status
a service like ifup (especially for hotplug).
root@debselinux01:~# ls -Z /lib/systemd/system/ifup\@.service
system_u:object_r:systemd_unit_file_t:SystemLow
/lib/systemd/system/ifup@.service
=== End Assumptions
Kind regards
Andre
root@debselinux01:~# dpkg -l | grep systemd
ii libpam-systemd:amd64 208-6 amd64
system and service manager - PAM module
ii libsystemd-daemon0:amd64 208-6 amd64
systemd utility library
ii libsystemd-journal0:amd64 208-6 amd64
systemd journal utility library
ii libsystemd-login0:amd64 208-6 amd64
systemd login utility library
ii systemd 208-6 amd64
system and service manager
ii systemd-sysv 208-6 amd64
system and service manager - SysV links
root@debselinux01:~# dpkg -l | grep udev
ii libudev1:amd64 208-6 amd64
libudev shared library
ii udev 208-6 amd64
/dev/ and hotplug management daemon
root@debselinux01:~# dpkg -l | grep selinux
ii libselinux1:amd64 2.3-1 amd64
SELinux runtime shared libraries
ii python-selinux 2.3-1 amd64
Python bindings to SELinux shared libraries
ii selinux-basics 0.5.2 all
SELinux basic support
ii selinux-policy-default 2:2.20140421-4 all
Strict and Targeted variants of the SELinux policy
ii selinux-policy-dev 2:2.20140421-4 all
Headers from the SELinux reference policy for building modules
ii selinux-utils 2.3-1 amd64
SELinux utility programs
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel