Bug 2207798

Summary: dnsmasq: cannot open log /var/log/dnsmasq.log
Product: Red Hat Enterprise Linux 8
Reporter: kmoriguc
Component: dnsmasq
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Petr Sklenar <psklenar>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.6
CC: juqiao, lmlikith, pdancak, pemensik, psklenar
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: dnsmasq-2.79-30.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-14 15:36:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description kmoriguc 2023-05-16 23:18:32 UTC
This bug was initially created as a copy of Bug #2024166

I am copying this bug because: 
The issue is very much the same, and the fix has not been introduced to RHEL.


Description of problem:


This had been reported in bug 1663692 two years ago, but apparently has re-surfaced:


============================================
$ grep faci /etc/dnsmasq.d/work.conf 
log-facility=/var/log/dnsmasq.log

$ ls -ldZ /var{,/log{,/dnsmasq.log}}
drwxr-xr-x. 1 root    root    system_u:object_r:var_t:s0              246 Nov 17 02:51 /var
drwxr-xr-x. 1 root    root    system_u:object_r:var_log_t:s0         1230 Nov 17 02:40 /var/log
-rw-rw----. 1 dnsmasq dnsmasq system_u:object_r:dnsmasq_var_log_t:s0 5410 Oct 20 10:44 /var/log/dnsmasq.log

$ systemctl restart dnsmasq.service 
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xeu dnsmasq.service" for details.

$ journalctl -l | grep dnsm
[....]
Nov 17 14:11:20 host audit[51617]: AVC avc:  denied  { dac_override } for  pid=51617 comm="dnsmasq" capability=1  scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0
Nov 17 14:11:20 host dnsmasq[51615]: dnsmasq: cannot open log /var/log/dnsmasq.log: Permission denied
Nov 17 14:11:20 host dnsmasq[51615]: cannot open log /var/log/dnsmasq.log: Permission denied
Nov 17 14:11:20 host systemd[1]: dnsmasq.service: Control process exited, code=exited, status=3/NOTIMPLEMENTED
Nov 17 14:11:20 host dnsmasq[51615]: FAILED to start up
Nov 17 14:11:20 host systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
Nov 17 14:11:20 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnsmasq comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


$ ausearch -m avc | grep dnsmasq | tail -1 | audit2allow 
allow dnsmasq_t self:capability dac_override;

============================================


Version-Release number of selected component (if applicable):
dnsmasq-2.86-3.fc35.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure dnsmasq to log its output to a log file
2. Start dnsmasq.
3. dnsmasq is not able to start.

Actual results:
dnsmasq does not start.

Expected results:
dnsmasq should start.

Additional info: Removing log-facility=/var/log/dnsmasq.log from the configuration makes dnsmasq start just fine.
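
Added example (not part of the original report and not dnsmasq or Red Hat code): this Python script replays the report's own `ls -ldZ` and AVC lines through the classic owner/group/other permission check to show which path can only be opened with CAP_DAC_OVERRIDE. It assumes the log is opened by a process running as root with only the root group, which the report does not state, and it ignores ACLs; all function names are hypothetical.

```python
import re

# Input copied from the report's own `ls -ldZ` and journal output.
LS_LINES = """\
drwxr-xr-x. 1 root    root    system_u:object_r:var_t:s0              246 Nov 17 02:51 /var
drwxr-xr-x. 1 root    root    system_u:object_r:var_log_t:s0         1230 Nov 17 02:40 /var/log
-rw-rw----. 1 dnsmasq dnsmasq system_u:object_r:dnsmasq_var_log_t:s0 5410 Oct 20 10:44 /var/log/dnsmasq.log
"""
AVC_LINE = ('AVC avc:  denied  { dac_override } for  pid=51617 comm="dnsmasq" '
            'capability=1  scontext=system_u:system_r:dnsmasq_t:s0 '
            'tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0')

def parse_ls(text):
    """Return (mode, owner, group, path) tuples from `ls -ldZ` output."""
    fields = (line.split() for line in text.splitlines())
    return [(f[0][:10], f[2], f[3], f[-1]) for f in fields if len(f) >= 10]

def dac_allows(mode, owner, group, user, groups, want):
    """Classic Unix check: exactly one of the owner/group/other triplets applies."""
    if user == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return all(w in bits for w in want)

def needs_dac_override(rows, user, groups, want="rw"):
    """Paths that `user` can only pass with CAP_DAC_OVERRIDE (ACLs ignored)."""
    blocked = []
    for mode, owner, group, path in rows:
        need = "x" if mode[0] == "d" else want  # directories need search permission
        if not dac_allows(mode, owner, group, user, groups, need):
            blocked.append(path)
    return blocked

def parse_avc(line):
    """Extract denied permission, command, source context and class from an AVC record."""
    m = re.search(r'denied\s+\{ (?P<perm>[^}]+?) \}.*?comm="(?P<comm>[^"]+)".*?'
                  r'scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)', line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    rows, avc = parse_ls(LS_LINES), parse_avc(AVC_LINE)
    # Assumption: root holds only group "root"; dnsmasq holds only group "dnsmasq".
    for user, groups in (("root", {"root"}), ("dnsmasq", {"dnsmasq"})):
        print(user, "needs dac_override for:", needs_dac_override(rows, user, groups),
              "| AVC denied", avc["perm"], "to", avc["scontext"])
```

For `root` the only path returned is `/var/log/dnsmasq.log`, which lines up with the denied `dac_override` capability in the AVC record; for the `dnsmasq` user no path is returned.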

Comment 16 errata-xmlrpc 2023-11-14 15:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnsmasq security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7046