Bug 1718701

Summary: Policy blocks dhcpd from reading rndc.key
Product: [Fedora] Fedora
Component: selinux-policy
Version: 30
Reporter: Michael Cronenworth <mike>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba, scott-fedora, zpytela
Status: CLOSED ERRATA
Severity: low
Priority: low
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.3-39.fc30
Last Closed: 2019-06-20 02:54:48 UTC
Type: Bug

Description Michael Cronenworth 2019-06-10 01:02:27 UTC
Description of problem:
I upgraded from Fedora 29 to 30. After the upgrade dhcpd was not starting.

setroubleshoot[5744]: SELinux is preventing dhcpd from map access on the file /etc/rndc.key

# ls -lZ /etc/rndc.key 
-rw-r-----. 1 root named system_u:object_r:dnssec_t:s0 112 Jun  9 19:54 /etc/rndc.key


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-37.fc30.noarch

How reproducible:
Always


Steps to Reproduce:
1. Install dhcp-server
2. Add a dynamic dns key (rndc key)
3. systemctl start dhcpd

Actual results:
Fails to start


Expected results:
DHCPd Starts

Additional info:
SELinux recommends to turn on the following bool:
setsebool -P domain_can_mmap_files 1

Setting this bool does allow dhcpd to start, but I don't think that is a proper fix.

The dhcpd versions between Fedora 29 and 30 are the same. It's the SELinux policy that has changed.

Comment 1 Lukas Vrabec 2019-06-10 16:00:13 UTC
Hi, 

Could you please reproduce the scenario and then attach output of:

# ausearch -m AVC -ts recent 

Thanks,
Lukas.

Comment 2 Michael Cronenworth 2019-06-11 13:23:06 UTC
# ausearch -m AVC -ts recent
----
time->Tue Jun 11 08:22:34 2019
type=AVC msg=audit(1560259354.598:1807): avc:  denied  { map } for  pid=18541 comm="dhcpd" path="/etc/rndc.key" dev="dm-0" ino=53871458 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file permissive=0

Comment 3 Lukas Vrabec 2019-06-12 15:48:02 UTC
commit e8298ee57267c9f3d4592b8feb76fc81fffbe155 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jun 12 17:47:41 2019 +0200

    Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)

Comment 4 Fedora Update System 2019-06-18 11:32:04 UTC
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 5 Fedora Update System 2019-06-19 01:02:57 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 6 Fedora Update System 2019-06-20 02:54:48 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.