Bug 1554390
Summary: | SELinux is preventing dnsmasq from using the 'dac_override' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | sedrubal <fedora> |
Component: | dnsmasq | Assignee: | Petr Menšík <pemensik> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | alanh, awilliam, code, dougsland, dwalsh, Gecko8211, itamar, jadahl, jan.vesely, jima, jorti, laine, lvrabec, machv, mastaizawfm, mgrepl, p, pemensik, plautrba, pmoore, self, thozza, veillard |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:3e41dc4d6900af7eae978f5b9fbd671c1217c6973a6fd9d2d1484e7507338397; | ||
Fixed In Version: | dnsmasq-2.79-3.fc28 dnsmasq-2.79-3.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2018-07-05 18:38:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
sedrubal
2018-03-12 15:22:51 UTC
Hi, It looks like some dnsqmasq file has too tight permissions, could you please look on it? For more info see: https://danwalsh.livejournal.com/34903.html Thanks, Lukas. Is it know what path violated the rule? Dnsmasq still uses root rights for writing leases into /var/lib/dnsmasq. Is that the problem? I can not reliable reproduce this denial and after hours of debugging I still don't understand SELinux. /var/lib/dnsmasq/dnsmasq.leases is: -rw-r--r-- root root system_u:object_r:dnsmasq_lease_t:s0 There are some dnsmasq processes running as root and some as dnsmasq. Everything works as expected but sometimes this nasty seapplet pops up... If you can't reproduce, you can close this issue. Is this the same issue as one that ends up with dnsmasq being unable to open or create /var/lib/dnsmasq/dnsmasq.leases? What I see in my journal is audit[389]: AVC avc: denied { dac_override } for pid=389 comm="dnsmasq" capability=1 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability ... dnsmasq[389]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied If so, my reproduction steps are: 1. Open nm-connection-editor 2. Add a new ethernet connection 3. Select "share to other computers" in both IPv4 and IPv6. 4. Select the new ethernet connection Doing so will trigger this error. Doing "setenforce 0" enables dnsmasq to start again. This denial appears to be preventing dnsmasq.service from starting at all in F28, the way we try to use it in openQA tests: May 03 13:32:46 support.domain.local systemd[1]: Started DNS caching server.. May 03 13:32:46 support.domain.local audit[927]: AVC avc: denied { dac_override } for pid=927 comm="dnsmasq" capability=1 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0 May 03 13:32:46 support.domain.local dnsmasq[927]: dnsmasq: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied May 03 13:32:46 support.domain.local dnsmasq[927]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied May 03 13:32:46 support.domain.local dnsmasq[927]: FAILED to start up May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'. The way we're using it is basically to create a config file like this: domain=domain.local dhcp-range=10.0.2.112,10.0.2.199 dhcp-option=option:router,10.0.2.2 and then start dnsmasq.service. This seems to be failing reliably on F28. Version-Release number of selected component: selinux-policy-3.14.1-24.fc28.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.16.8-300.fc28.x86_64 type: libreport (In reply to Mach from comment #6) > Version-Release number of selected component: > selinux-policy-3.14.1-24.fc28.noarch > > Additional info: > reporter: libreport-2.9.5 > hashmarkername: setroubleshoot > kernel: 4.16.8-300.fc28.x86_64 > type: libreport 我是在创建WiFi热点时,发生的这个错误。我使用Fedora28-MATE。 按报告中的提示的操作后,可以正常使用 WiFi热点 功能。 # ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq # semodule -X 300 -i my-dnsmasq.pp (In reply to Mach from comment #7) > (In reply to Mach from comment #6) > > Version-Release number of selected component: > > selinux-policy-3.14.1-24.fc28.noarch > > > > Additional info: > > reporter: libreport-2.9.5 > > hashmarkername: setroubleshoot > > kernel: 4.16.8-300.fc28.x86_64 > > type: libreport > when I created the WiFi hotspot, the mistake that happened. I use Fedora28-MATE. According to the prompt in the report, WiFi hotspots can be used normally. # ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq # semodule -X 300 -i my-dnsmasq.pp dac_override failure means that file/directory permissions (rwx) are being enforced against the root user. This seems to be new in F28. The dnsmasq.leases file is owned by root and writable by it so that's not a problem. I think the issue is the parent directory: # ls -ld /var/lib/dnsmasq drwxr-xr-x. 2 dnsmasq dnsmasq 4096 Mar 22 10:35 /var/lib/dnsmasq/ If it's trying to rename and rewrite the file this will fail because root does not have write permissions on the directory. It was broken by commit [1]. Aparently dnsmasq never writes into that directory as dnsmasq user, but leases are written always from forked helper running under root. We missed that fact before. Because libvirt expects dhcp-script is running under root, that part still has to run under root. Separate drop of capabilities and setuid would be nice also for helper process. But it might break different configurations, postponing later. [1] https://src.fedoraproject.org/rpms/dnsmasq/c/c81a33501e0271ed3f83a46215f4f0b702c0f1b8?branch=master dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0 dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f *** Bug 1585480 has been marked as a duplicate of this bug. *** dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0 dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. Description of problem: network manager starting eth interface Version-Release number of selected component: selinux-policy-3.14.1-40.fc28.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.17.19-200.fc28.x86_64 type: libreport |