Bug 1554390
| Summary: | SELinux is preventing dnsmasq from using the 'dac_override' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | sedrubal <fedora> |
| Component: | dnsmasq | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | alanh, awilliam, code, dougsland, dwalsh, Gecko8211, itamar, jadahl, jan.vesely, jima, jorti, laine, lvrabec, machv, mastaizawfm, mgrepl, p, pemensik, plautrba, pmoore, self, thozza, veillard |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:3e41dc4d6900af7eae978f5b9fbd671c1217c6973a6fd9d2d1484e7507338397; | ||
| Fixed In Version: | dnsmasq-2.79-3.fc28 dnsmasq-2.79-3.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-07-05 18:38:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, It looks like some dnsqmasq file has too tight permissions, could you please look on it? For more info see: https://danwalsh.livejournal.com/34903.html Thanks, Lukas. Is it know what path violated the rule? Dnsmasq still uses root rights for writing leases into /var/lib/dnsmasq. Is that the problem? I can not reliable reproduce this denial and after hours of debugging I still don't understand SELinux. /var/lib/dnsmasq/dnsmasq.leases is: -rw-r--r-- root root system_u:object_r:dnsmasq_lease_t:s0 There are some dnsmasq processes running as root and some as dnsmasq. Everything works as expected but sometimes this nasty seapplet pops up... If you can't reproduce, you can close this issue. Is this the same issue as one that ends up with dnsmasq being unable to open or create /var/lib/dnsmasq/dnsmasq.leases? What I see in my journal is
audit[389]: AVC avc: denied { dac_override } for pid=389 comm="dnsmasq" capability=1 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability ...
dnsmasq[389]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied
If so, my reproduction steps are:
1. Open nm-connection-editor
2. Add a new ethernet connection
3. Select "share to other computers" in both IPv4 and IPv6.
4. Select the new ethernet connection
Doing so will trigger this error. Doing "setenforce 0" enables dnsmasq to start again.
This denial appears to be preventing dnsmasq.service from starting at all in F28, the way we try to use it in openQA tests:
May 03 13:32:46 support.domain.local systemd[1]: Started DNS caching server..
May 03 13:32:46 support.domain.local audit[927]: AVC avc: denied { dac_override } for pid=927 comm="dnsmasq" capability=1 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0
May 03 13:32:46 support.domain.local dnsmasq[927]: dnsmasq: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied
May 03 13:32:46 support.domain.local dnsmasq[927]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied
May 03 13:32:46 support.domain.local dnsmasq[927]: FAILED to start up
May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
The way we're using it is basically to create a config file like this:
domain=domain.local
dhcp-range=10.0.2.112,10.0.2.199
dhcp-option=option:router,10.0.2.2
and then start dnsmasq.service. This seems to be failing reliably on F28.
Version-Release number of selected component: selinux-policy-3.14.1-24.fc28.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.16.8-300.fc28.x86_64 type: libreport (In reply to Mach from comment #6) > Version-Release number of selected component: > selinux-policy-3.14.1-24.fc28.noarch > > Additional info: > reporter: libreport-2.9.5 > hashmarkername: setroubleshoot > kernel: 4.16.8-300.fc28.x86_64 > type: libreport 我是在创建WiFi热点时,发生的这个错误。我使用Fedora28-MATE。 按报告中的提示的操作后,可以正常使用 WiFi热点 功能。 # ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq # semodule -X 300 -i my-dnsmasq.pp (In reply to Mach from comment #7) > (In reply to Mach from comment #6) > > Version-Release number of selected component: > > selinux-policy-3.14.1-24.fc28.noarch > > > > Additional info: > > reporter: libreport-2.9.5 > > hashmarkername: setroubleshoot > > kernel: 4.16.8-300.fc28.x86_64 > > type: libreport > when I created the WiFi hotspot, the mistake that happened. I use Fedora28-MATE. According to the prompt in the report, WiFi hotspots can be used normally. # ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq # semodule -X 300 -i my-dnsmasq.pp dac_override failure means that file/directory permissions (rwx) are being enforced against the root user. This seems to be new in F28. The dnsmasq.leases file is owned by root and writable by it so that's not a problem. I think the issue is the parent directory: # ls -ld /var/lib/dnsmasq drwxr-xr-x. 2 dnsmasq dnsmasq 4096 Mar 22 10:35 /var/lib/dnsmasq/ If it's trying to rename and rewrite the file this will fail because root does not have write permissions on the directory. It was broken by commit [1]. Aparently dnsmasq never writes into that directory as dnsmasq user, but leases are written always from forked helper running under root. We missed that fact before. Because libvirt expects dhcp-script is running under root, that part still has to run under root. Separate drop of capabilities and setuid would be nice also for helper process. But it might break different configurations, postponing later. [1] https://src.fedoraproject.org/rpms/dnsmasq/c/c81a33501e0271ed3f83a46215f4f0b702c0f1b8?branch=master dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0 dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f *** Bug 1585480 has been marked as a duplicate of this bug. *** dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0 dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. Description of problem: network manager starting eth interface Version-Release number of selected component: selinux-policy-3.14.1-40.fc28.noarch Additional info: reporter: libreport-2.9.5 hashmarkername: setroubleshoot kernel: 4.17.19-200.fc28.x86_64 type: libreport |
Description of problem: Share a connection using network manager violates this se rule when a client tries to connect using dhcp SELinux is preventing dnsmasq from using the 'dac_override' capabilities. ***** Plugin dac_override (91.4 confidence) suggests ********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that dnsmasq should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq # semodule -X 300 -i my-dnsmasq.pp Additional Information: Source Context system_u:system_r:dnsmasq_t:s0 Target Context system_u:system_r:dnsmasq_t:s0 Target Objects Unknown [ capability ] Source dnsmasq Source Path dnsmasq Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.1-10.fc28.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.16.0-0.rc3.git0.1.fc28.x86_64 #1 SMP Mon Feb 26 15:15:43 UTC 2018 x86_64 x86_64 Alert Count 2 First Seen 2018-03-12 16:20:42 CET Last Seen 2018-03-12 16:21:09 CET Local ID 7d2fddc9-c33c-48fb-93a8-bdbf6fdd29b1 Raw Audit Messages type=AVC msg=audit(1520868069.54:1494): avc: denied { dac_override } for pid=28858 comm="dnsmasq" capability=1 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=1 Hash: dnsmasq,dnsmasq_t,dnsmasq_t,capability,dac_override Version-Release number of selected component: selinux-policy-3.14.1-10.fc28.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.16.0-0.rc3.git0.1.fc28.x86_64 type: libreport