Bug 2059509

Summary: dhcpd cannot read /proc/sys/net/ipv4/ip_local_port_range
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.5CC: lvrabec, mmalik, ssekidde
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 8.7Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-96.el8 Doc Type: Bug Fix
Doc Text:
Cause: The dhcpd service requires permissions to read local port range kernel tunable which is not present in current selinux-policy Consequence: dhcpd needs fails to read the ipv4.ip_local_port_range kernel tunable when the "update-static-leases on;" property is configured in /etc/dhcp/dhcpd.conf. Fix: Permissions were added to selinux-policy. Result: The dhcpd service runs without reporting errors.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:43:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2022-03-01 08:51:35 UTC 
Description of problem:

dhcpd needs to be able to read /proc/sys/net/ipv4/ip_local_port_range when the following property is configured in /etc/dhcp/dhcpd.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
update-static-leases on;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is because dhcpd calls internally isc_net_getudpportrange() provided by bind's library:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
(gdb) bt
#0  0x00007fee75fe42f2 in __libc_open64 (file=0x7fee7749d8f8 "/proc/sys/net/ipv4/ip_local_port_range", oflag=0)
    at ../sysdeps/unix/sysv/linux/open64.c:48
#1  0x00007fee75f73c96 in __GI__IO_file_open (fp=fp@entry=0x5608a59252f0, filename=<optimized out>, 
    posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007fee75f73e4b in _IO_new_file_fopen (fp=fp@entry=0x5608a59252f0, 
    filename=filename@entry=0x7fee7749d8f8 "/proc/sys/net/ipv4/ip_local_port_range", mode=<optimized out>, 
    mode@entry=0x7fee7749b4a1 "r", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007fee75f6806d in __fopen_internal (
    filename=filename@entry=0x7fee7749d8f8 "/proc/sys/net/ipv4/ip_local_port_range", 
    mode=mode@entry=0x7fee7749b4a1 "r", is32=is32@entry=1) at iofopen.c:75
#4  0x00007fee75f680fe in _IO_new_fopen (
    filename=filename@entry=0x7fee7749d8f8 "/proc/sys/net/ipv4/ip_local_port_range", 
    mode=mode@entry=0x7fee7749b4a1 "r") at iofopen.c:86
#5  0x00007fee774854a7 in isc_net_getudpportrange (af=af@entry=2, low=low@entry=0x7ffc30feb844, 
    high=high@entry=0x7ffc30feb846) at ../../../../lib/isc/unix/net.c:863
#6  0x00007fee781114e4 in setsourceports (manager=<optimized out>, mctx=0x5608a5925ae0)
    at ../../../lib/dns/client.c:271
#7  dns_client_createx2 (mctx=0x5608a5925ae0, actx=<optimized out>, taskmgr=0x7fee78b4f010, 
    socketmgr=0x7fee78b50010, timermgr=0x7fee78b53010, options=0, clientp=0x5608a57f00d8 <dhcp_gbl_ctx+56>, 
    localaddr4=0x0, localaddr6=0x0) at ../../../lib/dns/client.c:532
#8  0x00007fee787b4135 in dns_client_init () from /lib64/libomapi.so.0
#9  0x00007fee787b4204 in dhcp_context_create () from /lib64/libomapi.so.0
#10 0x00005608a554a68d in postconf_initialization (quiet=0) at dhcpd.c:1165
#11 0x00005608a55489d8 in main (argc=<optimized out>, argv=<optimized out>) at dhcpd.c:715
(gdb) f 5
#5  0x00007fee774854a7 in isc_net_getudpportrange (af=af@entry=2, low=low@entry=0x7ffc30feb844, 
    high=high@entry=0x7ffc30feb846) at ../../../../lib/isc/unix/net.c:863
863		fp = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
(gdb) info source
Current source file is ../../../../lib/isc/unix/net.c
Compilation directory is /usr/src/debug/bind-9.11.26-6.el8.x86_64/export-libs/lib/isc/unix
Located in /usr/src/debug/bind-9.11.26-6.el8.x86_64/lib/isc/unix/net.c
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

There may be other properties leading to requiring this functionality.
Many domains already have this functionality through implementing the following rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
kernel_read_net_sysctls(xxx)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The same needs to be done for dhcpd_t domain.

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Configure dhcpd

ddns-update-style interim;
update-static-leases on;

2. Start the service

Actual results:

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(03/01/2022 09:49:28.431:246) : proctitle=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid 
type=PATH msg=audit(03/01/2022 09:49:28.431:246) : item=0 name=/proc/sys/net/ipv4/ip_local_port_range inode=181594 dev=00:05 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/01/2022 09:49:28.431:246) : cwd=/ 
type=SYSCALL msg=audit(03/01/2022 09:49:28.431:246) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7f42750628f8 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=37362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null) 
type=AVC msg=audit(03/01/2022 09:49:28.431:246) : avc:  denied  { open } for  pid=37362 comm=dhcpd path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=181594 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/01/2022 09:49:28.431:246) : avc:  denied  { read } for  pid=37362 comm=dhcpd name=ip_local_port_range dev="proc" ino=181594 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/01/2022 09:49:28.431:246) : avc:  denied  { search } for  pid=37362 comm=dhcpd name=net dev="proc" ino=181592 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(03/01/2022 09:49:28.432:247) : proctitle=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid 
type=SYSCALL msg=audit(03/01/2022 09:49:28.432:247) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x8 a1=0x7fffdcc701c0 a2=0x7fffdcc701c0 a3=0x0 items=0 ppid=1 pid=37362 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null) 
type=AVC msg=audit(03/01/2022 09:49:28.432:247) : avc:  denied  { getattr } for  pid=37362 comm=dhcpd path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=181594 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

No AVC and functionality enabled

Additional info:

Solution is
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# cat local_dhcpd_network_sysctls.te 
policy_module(local_dhcpd_network_sysctls, 1.0)

gen_require(`
	type dhcpd_t;
')

kernel_read_net_sysctls(dhcpd_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Comment 1 Zdenek Pytela 2022-03-01 15:05:07 UTC 
Commit to backport:

commit 67ede1ee34ae0de2c84ecf4a6918b3d5c552173b
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 29 15:16:48 2019 +0200

    Allow dhcpd_t domain to read network sysctls.
Comment 2 Milos Malik 2022-03-01 15:40:44 UTC 
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(03/01/2022 10:28:24.630:313) : proctitle=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid 
type=PATH msg=audit(03/01/2022 10:28:24.630:313) : item=0 name=/proc/sys/net/ipv4/ip_local_port_range nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/01/2022 10:28:24.630:313) : cwd=/ 
type=SYSCALL msg=audit(03/01/2022 10:28:24.630:313) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f18e48d8918 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5817 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null) 
type=AVC msg=audit(03/01/2022 10:28:24.630:313) : avc:  denied  { search } for  pid=5817 comm=dhcpd name=net dev="proc" ino=11492 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\* dhcp\* | sort
dhcp-client-4.3.6-47.el8.x86_64
dhcp-common-4.3.6-47.el8.noarch
dhcp-libs-4.3.6-47.el8.x86_64
dhcp-server-4.3.6-47.el8.x86_64
selinux-policy-3.14.3-91.el8.noarch
selinux-policy-targeted-3.14.3-91.el8.noarch
#
Comment 13 errata-xmlrpc 2022-11-08 10:43:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691