Bug 2371297
| Field | Value |
|---|---|
| Summary | systemd-networkd: DHCPv4 server: Failed to save leases, ignoring: Permission denied |
| Product | Fedora |
| Component | selinux-policy |
| Version | 42 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Reporter | Scott Schmit <i.grok> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, lvrabec, mmalik, mspehar, omosnacek, pkoncity, vmojzis, zbyszek, zpytela |
| Flags | zpytela: mirror+ |
| Fixed In Version | selinux-policy-42.5-1.fc42 |
| Last Closed | 2025-08-12 00:57:07 UTC |
Hi, can you set the system to permissive mode, enable full auditing and gather data?

setenforce 0

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

*** Bug 2344538 has been marked as a duplicate of this bug. ***

I submitted a PR, I think it should fix the issue. So we don't need the log now.

FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1

FEDORA-2025-dde3c4a0f1 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dde3c4a0f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

A mistake has been made, this bz will actually be fixed by the next build.

FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Seems to not be working correctly. Current up-to-date Fedora shows the following.
Should this be a separate bug report?
```
Sep 06 14:32:07 router.redacted systemd[1]: setroubleshootd.service: Consumed 5.082s CPU time, 82.9M memory peak.
Sep 06 14:32:17 router.redacted audit[1090]: AVC avc: denied { read write } for pid=1090 comm="systemd-network" path="/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004" dev="sda3" ino=2177342 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=file permissive=0
Sep 06 14:32:19 router.redacted systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Sep 06 14:32:19 router.redacted systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Sep 06 14:32:19 router.redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 06 14:32:20 router.redacted setroubleshoot[1460]: failed to retrieve rpm info for path '/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004':
Sep 06 14:32:20 router.redacted systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Sep 06 14:32:20 router.redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 06 14:32:21 router.redacted setroubleshoot[1460]: SELinux is preventing systemd-network from 'read, write' accesses on the file /var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004. For complete SELinux messages run: sealert -l 51ab8f27-6d79-428c-8120-fe2c1fa37e9c
Sep 06 14:32:21 router.redacted setroubleshoot[1460]: SELinux is preventing systemd-network from 'read, write' accesses on the file /var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-network should be allowed read write access on the .#eno1f7697ae37cbd6004 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-network' --raw | audit2allow -M my-systemdnetwork
# semodule -X 300 -i my-systemdnetwork.pp
```
The issue as reported has been resolved; this seems to be related, but different. Please open a new bz. A short reproducer or a test hint would also help.
I am using systemd-networkd, and I'm seeing this in my logs:

```
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: REQUEST (rebinding/renewing) (0xcd130238)
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: ACK (0xcd130238)
Jun 09 16:01:21 redacted audit[1946]: AVC avc: denied { create } for pid=1946 comm="systemd-network" name="dhcp-server-lease" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: Failed to save leases, ignoring: Permission denied
Jun 09 16:01:21 redacted systemd-networkd[1946]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_33 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=31633 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Jun 09 16:01:23 redacted systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Jun 09 16:01:23 redacted systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Jun 09 16:01:23 redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 09 16:01:23 redacted systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Jun 09 16:01:23 redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@21168 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 09 16:01:24 redacted setroubleshoot[1002426]: SELinux is preventing systemd-network from create access on the directory dhcp-server-lease. For complete SELinux messages run: sealert -l 267423a5-1007-4607-bac4-ce992d5df576
Jun 09 16:01:24 redacted setroubleshoot[1002426]: SELinux is preventing systemd-network from create access on the directory dhcp-server-lease.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-network should be allowed create access on the dhcp-server-lease directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-network' --raw | audit2allow -M my-systemdnetwork
# semodule -X 300 -i my-systemdnetwork.pp
```

Reproducible: Always

Steps to Reproduce:
I'm not sure, but my guess would be:
1. Run a DHCPv4 server via systemd-networkd
2. Have clients accept leases

Actual Results:
See logs above

Expected Results:
No error; leases are saved

Additional Information:
Running `ausearch -c 'systemd-network' --raw | audit2allow` yields:

```
#============= systemd_networkd_t ==============
allow systemd_networkd_t systemd_networkd_var_lib_t:dir create;
```
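The two denials on this page have the same source and target types but different object classes: the description's AVC is `dir create` on the `dhcp-server-lease` directory, the follow-up comment's AVC is `file read write` on a temporary lease file inside it. That is why the rule that fixed the original report leaves the second denial in place. The Python below is an added example for this page, not code from selinux-policy, systemd or the reporter: it parses AVC records from journal lines, groups the denied permissions by (source type, target type, class) the way `audit2allow` does, renders them as TE allow statements, and checks which of them a given set of already-granted (source, target, class, permission) tuples does not cover. The sample lines are the AVC and SERVICE_START records quoted on this page; the `uncovered` helper and the `fixed` set are illustrative assumptions, not the actual policy change.

```python
"""Parse SELinux AVC denials from journal/audit lines and derive the TE allow
rules they imply, grouped as audit2allow groups them.  Added example for this
bug report; not part of selinux-policy or systemd."""
import re
from collections import defaultdict

# "avc:  denied  { read write }  for pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are double-quoted (comm, name, path) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the AVC records and one non-AVC audit record as
# they appear in the report (journalctl formatting).
SAMPLE_LINES = [
    'Jun 09 16:01:21 redacted audit[1946]: AVC avc: denied { create } for pid=1946 comm="systemd-network" name="dhcp-server-lease" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0',
    'Jun 09 16:01:23 redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
    'Sep 06 14:32:17 router.redacted audit[1090]: AVC avc: denied { read write } for pid=1090 comm="systemd-network" path="/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004" dev="sda3" ino=2177342 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=file permissive=0',
]


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # Directory denials carry name=, file denials carry path=.
        "target": fields.get("path") or fields.get("name"),
        # permissive=0 means the access was actually blocked, not just logged.
        "enforced": fields.get("permissive") == "0",
    }


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def collect_rules(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key].update(d["perms"])
    return rules


def te_rules(rules):
    """Render grouped denials as TE allow statements in audit2allow's style."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


def uncovered(rules, granted):
    """Return the denials not satisfied by `granted`, a set of
    (src, tgt, cls, perm) tuples.  Illustrative helper (assumed, not a
    real tool): shows whether a policy fix covers a later denial."""
    missing = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        for perm in perms:
            if (src, tgt, cls, perm) not in granted:
                missing[(src, tgt, cls)].add(perm)
    return dict(missing)


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LINES)
    print("\n".join(te_rules(rules)))
    # Assumed: the first fix granted exactly the dir create access from the
    # description.  The file read/write denial from the follow-up remains.
    fixed = {("systemd_networkd_t", "systemd_networkd_var_lib_t", "dir", "create")}
    print("still denied:", uncovered(rules, fixed))
```

For the description's AVC this reproduces the `allow systemd_networkd_t systemd_networkd_var_lib_t:dir create;` line the reporter got from `audit2allow`; for the follow-up's AVC it yields `allow systemd_networkd_t systemd_networkd_var_lib_t:file { read write };`. Note that a local module built from the catchall plugin's suggestion grants those permissions on every object of type `systemd_networkd_var_lib_t`, not just the lease directory, so it is a stopgap until the distribution policy carries the rule, which is what happened here with selinux-policy-42.5-1.fc42 for the first denial.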