# Cannot start network service with selinux

## copapa

Hi everyone.

I managed to install my Gentoo box with grSecurity and PaX. Now I am trying to install SELinux. Until now, everything seemed OK, but now I am stuck trying to manage my network interface.

```
# id -Z
root:sysadm_r:sysadm_t
# getenforce
Enforcing
# /etc/init.d/net.enp2s0 start
Authenticating root.
Password:
 * Bringing up interface enp2s0
 *   dhcp ...
 *     Running udhcpc ...
udhcpc: socket(AF_INET,3,255): Permission denied
 *     start-stop-daemon: failed to start `/bin/busybox'
 * ERROR: net.enp2s0 failed to start
```

This pastebin http://pastebin.com/TPRyAJZf contains the content of /var/log/audit/audit.log after cleaning the logfile and trying to start the interface (and going permissive then starting the network so that I could retrieve the logfile).

```
ls -lZ /etc/init.d/net*
lrwxrwxrwx. 1 root root system_u:object_r:etc_t             6 Nov 26 15:57 /etc/init.d/net.enp2s0 -> net.lo
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 17415 Nov 25 20:04 /etc/init.d/net.lo
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t  1583 Nov 28 16:12 /etc/init.d/netmount
```

This etc_t seems weird to me but matchpathcon tells me this is the default context of this file.

```
# grep -v "^#" /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=strict
```

What am I misunderstanding?

----------

## N8Fear

From the logs I gather that you use udhcpc from busybox. This simply isn't supported by the default policy (it doesn't label the symlink you likely have correctly). If you take a look at the policy (sysnetwork.fc):

```
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
```

you can see that it must be labeled as system_u:object_r:dhcpc_exec_t. If you change it accordingly I guess it will make the correct domain transitions and run. If it works you should add it to a local patch to the policy, include that filecontext via semanage or even consider upstreaming the change so that others that come after you won't have the same troubles.

(The only thing that I'm not sure of is whether symlinks can have other contexts than their target: if not, you're likely better off just installing one of the supported DHCP clients.)

Edit: you should likely also run rlpkg again (to generally restore the correct contexts on your box).

----------
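Added example, not part of either post and not the policy tooling's own code: a simplified file-context lookup over the three `sysnetwork.fc` entries quoted in the answer above, showing that `/bin/busybox` (the binary named in the start-stop-daemon error) matches none of them and that `--` entries apply to regular files only. The `/sbin/udhcpc` symlink path is a hypothetical stand-in, and the matcher only approximates `matchpathcon` (anchored regex, last match wins).

```python
import re

# The three entries quoted from sysnetwork.fc in the answer above.
SYSNETWORK_FC = """
/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
"""

# File-type specifiers in .fc files; "--" restricts an entry to regular files.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

ENTRY = re.compile(
    r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,)]+)(?:,[^)]*)?\)$")


def parse_fc(text):
    """Parse .fc lines into (compiled path regex, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError("unparsed file-context line: " + line)
        path_re, spec, context = m.groups()
        entries.append((re.compile(path_re), FILE_TYPES.get(spec), context))
    return entries


def lookup(entries, path, ftype="file"):
    """Return the context of the last entry matching path and file type."""
    result = None
    for regex, want_type, context in entries:
        # Path regexes are anchored at both ends, hence fullmatch().
        if regex.fullmatch(path) and want_type in (None, ftype):
            result = context
    return result


ENTRIES = parse_fc(SYSNETWORK_FC)

if __name__ == "__main__":
    # /sbin/udhcpc is a hypothetical symlink path, not taken from the thread.
    for path, ftype in [("/sbin/dhcpcd", "file"), ("/sbin/dhclient-script", "file"),
                        ("/bin/busybox", "file"), ("/sbin/udhcpc", "symlink")]:
        print(path, ftype, "->", lookup(ENTRIES, path, ftype) or "<no match here>")
```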

