Bug 407901
Field | Value
---|---
Summary | dnsmasq denied access to /var/lib/misc/dnsmasq.leases
Product | [Fedora] Fedora
Component | dnsmasq
Version | 8
Hardware | All
OS | Linux
Status | CLOSED RAWHIDE
Severity | low
Priority | low
Reporter | Aaron Kaplan <04mvs89>
Assignee | Jima <jima>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | briemers, covex, dwalsh, mauricio.teixeira, pb
Doc Type | Bug Fix
Last Closed | 2008-01-24 19:27:36 UTC

Description
Aaron Kaplan
2007-12-02 15:54:40 UTC

dnsmasq should not be using this directory. Please create a directory for use by dnsmasq and I will set the labeling properly.

/var/lib/dnsmasq/ sound sane?

Daniel: I've made the necessary changes to dnsmasq in Rawhide; if you could work your selinux magic to make access to /var/lib/dnsmasq/ legal, I'd appreciate it. Thanks!

Hi,

@Aaron: you should store local definitions to /etc/selinux/targeted/contexts/files/file_contexts.local

@Jima: Aaron and your hints are working, but I see one additional issue: one has to change the default location to the mentioned one or change at least the default configuration file.

(In reply to comment #4)
> @Jima: Aaron and your hints are working, but I see one additional issue: one has
> to change the default location to the mentioned one or change at least the
> default configuration file.

Sounds like someone hasn't seen the disgusting hackery I had to put in Rawhide's dnsmasq. The %post for the Rawhide dnsmasq changes /var/lib/misc to /var/lib/dnsmasq in /etc/dnsmasq.conf. It's not great, but it should keep most people working, and make dnsmasq selinux-compliant.

Daniel, what's the status of the labeling in Rawhide? Did you get it squared away?

Should be fixed in rawhide now.

Fixed in selinux-policy-3.2.3-18.fc9

Fedora 8 also has it.

Fixed in selinux-policy-3.0.8-82.fc8

Awesome, thanks Daniel. I'm going to close this as RAWHIDE; due to the hacky nature of the directory-change workaround, I'm rather hesitant to push it for F8/F7.

Can you point me to selinux-policy-3.0.8-82.fc8? I did not find it.

BTW: I hope write to the file is also allowed:

    #============= dnsmasq_t ==============
    allow dnsmasq_t system_crond_var_lib_t:file write;

Sorry, should have said 81. 82 is not released yet. 81 should be in fedora testing.

It is allowed to write to /var/lib/dnsmasq which is labeled dnsmasq_leases_t (I believe).

Hm, something wrong with fedora updates testing, is it not up-to-date?

    # date
    Sa 26. Jan 11:47:23 CET 2008
    # yum list --enablerepo updates-testing selinux-policy*
    Loading "fastestmirror" plugin
    Loading "security" plugin
    Loading "presto" plugin
    Loading mirror speeds from cached hostfile
     * updates-testing: download.fedora.redhat.com
     * updates: ftp.crc.dk
     * adobe-linux-i386: linuxdownload.adobe.com
     * fedora: ftp.crc.dk
    Setting up and reading Presto delta metadata
    updates-testing 100% |=========================| 2.3 kB 00:00
    No Presto metadata available for updates-testing
    No Presto metadata available for updates
    No Presto metadata available for adobe-linux-i386
    No Presto metadata available for fedora
    Installed Packages
    selinux-policy.noarch 3.0.8-76.fc8 installed
    selinux-policy-targeted.noarch 3.0.8-76.fc8 installed
    Available Packages
    selinux-policy-devel.noarch 3.0.8-76.fc8 updates
    selinux-policy-mls.noarch 3.0.8-76.fc8 updates

Problem persists in F8, even though change log says otherwise...

    # rpm -qa selinux*
    selinux-policy-targeted-3.0.8-81.fc8
    selinux-policy-3.0.8-81.fc8
    selinux-policy-devel-3.0.8-81.fc8

    avc: denied { search } for comm=dnsmasq dev=sda6 egid=0 euid=0 exe=/usr/sbin/dnsmasq exit=4 fsgid=0 fsuid=0 gid=0 items=0 name=misc pid=17794 scontext=unconfined_u:system_r:dnsmasq_t:s0 sgid=0 subj=unconfined_u:system_r:dnsmasq_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=pts1 uid=0

Different issue maybe?

Are you using /var/lib/misc or /var/lib/dnsmasq? I haven't pushed the fix to use the latter into F8, due to the hacky nature of the migration script.

    #dhcp-leasefile=/var/lib/misc/dnsmasq.leases

This is the default in the config file. I have never changed it.

Your best bet is probably to:

    # mkdir /var/lib/dnsmasq
    # mv /var/lib/misc/dnsmasq.leases /var/lib/dnsmasq/
    # echo "dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases" >> /etc/dnsmasq.conf

(since what you quoted is commented out anyway)

    # service dnsmasq restart

After that, SELinux shouldn't complain. This will be the default behavior in F9.

You also need a

    restorecon -R -v /var/lib/dnsmasq/

This is a strange fix for F8 users... :( Dnsmasq just does not work after install, you have to make it manually.

*** Bug 449032 has been marked as a duplicate of this bug. ***

*** Bug 468279 has been marked as a duplicate of this bug. ***
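
Added example, not part of the bug thread: a small Python parser for the AVC record quoted above. It shows that the F8 denial is a `search` on a directory named `misc` (`tclass=dir`), which is a different rule from the `file write` rule quoted earlier, and that the object carries another domain's type. Function names are hypothetical, and the `dnsmasq_` prefix check is an assumption based on the `dnsmasq_leases_t` type mentioned in the thread.

```python
import re

# AVC record copied from the report above (one line in the audit log).
AVC = ("avc: denied { search } for comm=dnsmasq dev=sda6 egid=0 euid=0 "
       "exe=/usr/sbin/dnsmasq exit=4 fsgid=0 fsuid=0 gid=0 items=0 name=misc "
       "pid=17794 scontext=unconfined_u:system_r:dnsmasq_t:s0 sgid=0 "
       "subj=unconfined_u:system_r:dnsmasq_t:s0 suid=0 tclass=dir "
       "tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=pts1 uid=0")

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Split a denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    perms = m.group(1).split()
    pairs = (kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    # Raw audit.log quotes some values (comm="dnsmasq"); strip the quotes.
    return perms, {k: v.strip('"') for k, v in pairs}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def allow_rule(line):
    """Render the denial as the allow rule it corresponds to."""
    perms, f = parse_avc(line)
    perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (selinux_type(f["scontext"]),
                                   selinux_type(f["tcontext"]),
                                   f["tclass"], perm)


def foreign_target(line, prefix="dnsmasq_"):
    """True when the denied object is labelled outside the daemon's own types
    (assumed prefix), i.e. relocating the file beats widening the policy."""
    _, f = parse_avc(line)
    return not selinux_type(f["tcontext"]).startswith(prefix)


if __name__ == "__main__":
    print(allow_rule(AVC))
    print("object labelled for another domain:", foreign_target(AVC))
```
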