Bug 1301854

Summary: dhcpd selinux policy doesn't handle on-commit scripts
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Reporter: Sten Spans <sspans>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Eva Mrakova <emrakova>
CC: emrakova, jpopelka, lvrabec, mgrepl, mmalik, plautrba, psimerda, pvrabec, ssekidde, sspans, thozza
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Fixed In Version: selinux-policy-3.13.1-82.el7
Last Closed: 2016-11-04 02:41:05 UTC
Bug Blocks: 1330976, 1349044

Description Sten Spans 2016-01-26 07:42:22 UTC
Description of problem:

The Selinux policy for dhcpd doesn't support on commit scripts.
For more details on on-commit scripts see:

http://jpmens.net/2011/07/06/execute-a-script-when-isc-dhcp-hands-out-a-new-lease/


Version-Release number of selected component (if applicable):

dhcp-4.2.5-42.el7


How reproducible:


Steps to Reproduce:
1. Enable an on-commit script
2. check the audit log
3. there is no step 3

Actual results:

type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file

Expected results:
A valid selinux file context for on commit scripts which allows execution, documented in dhcpd_selinux (8)

Additional info:

The samba reference policy provides a good example of what would be needed for dhcpd.

# Samba reference policy excerpt (as posted): a dedicated domain for the
# scripts smbd may run, entered through a separate executable file type.
optional_policy(`
    type samba_unconfined_script_t;
    type samba_unconfined_script_exec_t;
    domain_type(samba_unconfined_script_t)
    domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
    corecmd_shell_entry_type(samba_unconfined_script_t)
    role system_r types samba_unconfined_script_t;

    allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
    allow smbd_t samba_unconfined_script_exec_t:file ioctl;

    unconfined_domain(samba_unconfined_script_t)

    # The boolean selects between a domain transition into the script
    # domain and plain execution inside smbd_t.
    tunable_policy(`samba_run_unconfined',`
        domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
    ',`
        can_exec(smbd_t, samba_unconfined_script_exec_t)
    ')
')

Comment 2 Milos Malik 2016-01-26 08:44:59 UTC
What is the usual location for such scripts?

Comment 3 Sten Spans 2016-01-26 09:51:24 UTC
There doesn't seem to be a default location, a subdir below /etc/dhcp would make sense I guess. I've opted for '/etc/dhcp/scripts' but am happy to change to a better option.

Comment 4 Miroslav Grepl 2016-02-12 06:25:47 UTC
Let's ask Jiri.

Comment 5 Jiri Popelka 2016-02-12 14:14:57 UTC
+1 to something below /etc/dhcp/

We already have /etc/dhcp/dhclient.d/ for dhclient-related scripts, so my first thought was /etc/dhcp/dhcpd.d/
But then I realized that the execute() statement can be used not only with dhcpd but with dhclient as well, because the RELNOTES says:
"This permits dhcpd or dhclient to execute a named external program
 with command line arguments specified from other configuration language."

Also as dhclient-script(8) says the additional dhclient-{enter/exit/up/down}-hooks scripts that further extend dhclient-script's functionality should be placed into /etc/dhcp/

So maybe just the /etc/dhcp/ without any additional subdirectory?

Comment 6 Miroslav Grepl 2016-02-25 16:03:44 UTC
Scripts should be labeled as bin_t located in /etc/dhcp.

Sten,
did you get AVCs for your case?

Comment 7 Sten Spans 2016-02-26 07:48:17 UTC
The AVC I got is shown in my initial report:

type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file


However this does show that the file is labelled as dhcp_etc_t, which is the default for /etc/dhcp. When I change the context to bin_t the on-commit script indeed works.

> chcon -t bin_t /etc/dhcp/myscript.py
> ls -aZ /etc/dhcp/myscript.py
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /etc/dhcp/myscript.py


Is this recommended type for dhcp scripts documented somewhere? Should it be?
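
An added example (not code from this bug report or from the selinux-policy package) that turns the observation above into a check: it parses AVC records like the one quoted, flags the dhcpd_t-executes-dhcp_etc_t pattern, and returns the relabel steps for the /etc/dhcp/scripts directory discussed later in this thread. The second audit line is constructed, and the steps assume an installed policy that already labels /etc/dhcp/scripts as bin_t.

```python
import re

# Constructed sample audit.log excerpt: the AVC record quoted in this bug,
# plus one unrelated (constructed) denial so the classifier has something to ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file
type=AVC msg=audit(1453792900.000:11702): avc:  denied  { read } for  pid=3200 comm="httpd" name="index.html" dev="dm-0" ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record,
    or None when the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; the type is what policy rules match on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in fields:
            fields[ctx + '_type'] = fields[ctx].split(':')[2]
    return fields

def is_dhcpd_script_denial(fields):
    """The pattern from this bug: dhcpd_t trying to execute a file that still
    carries dhcp_etc_t, the default label under /etc/dhcp."""
    return (fields is not None
            and fields.get('scontext_type') == 'dhcpd_t'
            and fields.get('tcontext_type') == 'dhcp_etc_t'
            and fields.get('tclass') == 'file'
            and 'execute' in fields['perms'])

def find_dhcpd_script_denials(audit_text):
    """Scan audit text and return (pid, file name) for each matching denial."""
    return [(f['pid'], f.get('name')) for f in map(parse_avc, audit_text.splitlines())
            if is_dhcpd_script_denial(f)]

def relabel_steps(script_name, scripts_dir='/etc/dhcp/scripts'):
    """Commands to move the script under the directory the fixed policy labels
    bin_t and re-apply file contexts. Assumes selinux-policy-3.13.1-82.el7 or
    later; on an older policy restorecon would keep dhcp_etc_t."""
    return [f'mkdir -p {scripts_dir}',
            f'mv /etc/dhcp/{script_name} {scripts_dir}/',
            f'restorecon -Rv {scripts_dir}']
```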

Comment 8 Miroslav Grepl 2016-03-14 07:41:02 UTC
OK, I overlooked that.

The problem is /etc/dhcp is a directory for config files. It would be great to have subdir for these scripts.

We can define a generic labeling for /etc/dhcp to have bin_t as a default label and have more specific labels for config files. But I don't see it as a good solution.

Comment 9 Jiri Popelka 2016-03-14 11:11:41 UTC
Then either '/etc/dhcp/scripts' (per comment #3) or '/etc/dhcp/on-commit-scripts'. Sten, which one do you like more?

Comment 10 Sten Spans 2016-03-15 10:18:25 UTC
/etc/dhcp/scripts would make the most sense.

Running scripts is possible for expiry and release as well, so hard-coding "commit" in the directory name doesn't really seem logical.

https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-on-expire-and-on-release-statements-in-DHCPv6.html

Comment 11 Miroslav Grepl 2016-04-28 14:10:36 UTC
(In reply to Sten Spans from comment #10)
> /etc/dhcp/scripts would make the most sense. 
> 
> Running scripts is possible for expiry and release as well, so hard-coding
> "commit" in the directory name doesn't really seem logical.
> 
> https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-
> on-expire-and-on-release-statements-in-DHCPv6.html

Ok, do you need a bug?

Comment 12 Lukas Vrabec 2016-06-22 11:07:13 UTC
I'll add bin_t label for /etc/dhcp/scripts.

Jiri, what is the state of this issue from your side?

Thank you.

Comment 13 Tomáš Hozza 2016-06-22 11:27:29 UTC
Pavel Simerda is the new owner of DHCP component.

Comment 14 Jiri Popelka 2016-06-22 11:43:11 UTC
(In reply to Lukas Vrabec from comment #12)
> I'll add bin_t label for /etc/dhcp/scripts. 

OK

> Jiri, what is state of this issue from your side? 

I haven't changed anything in dhcp.
Pavel, I think we should add the /etc/dhcp/scripts/ with just README saying that it's a directory for on-commit scripts.

Comment 15 Lukas Vrabec 2016-06-22 15:10:21 UTC
I added a label for it. From the selinux-policy side the issue is fixed.

Comment 19 errata-xmlrpc 2016-11-04 02:41:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html