Bug 483747
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | selinux denies dhclient-script to update configuration files | | |
| Product: | [Fedora] Fedora | Reporter: | Vadym Chepkov <vchepkov> |
| Component: | dhcp | Assignee: | David Cantrell <dcantrell> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | 11 | CC: | alanh, dcantrell, kcao, wwoods |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 4.1.0-22.fc11 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 509240 | Environment: | |
| Last Closed: | 2009-07-11 17:04:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 509240 | | |
Description
Vadym Chepkov
2009-02-03 14:05:00 UTC
I believe these are dhcp issues.

A fix for this will be in dhcp-4.0.0-34.fc10, which will appear first in the F-11 updates-testing collection. It would be EXTREMELY helpful to me if you could test the update when it appears in updates-testing and report back whether or not it works.

dhcp-4.0.0-34.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/dhcp-4.0.0-34.fc10

dhcp-4.0.0-34.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with `su -c 'yum --enablerepo=updates-testing update dhcp'`. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3825

I use dhclient, not dhcp. No changes in new package:

```
# rpm -q dhclient
dhclient-4.0.0-34.fc10.i386
# service network restart
Shutting down interface eth0:
rm: cannot remove `/etc/ntp.conf': Permission denied
mv: inter-device move failed: `/var/lib/dhclient/ntp.conf.predhclient.eth0' to `/etc/ntp.conf'; unable to remove target: Permission denied
[  OK  ]
Shutting down loopback interface:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...mv: cannot create regular file `/var/lib/dhclient/resolv.conf.predhclient.eth0': Permission denied
mv: cannot create regular file `/var/lib/dhclient/ntp.conf.predhclient.eth0': Permission denied
/sbin/dhclient-script: line 407: /var/lib/dhclient/ntp.conf.predhclient.eth0: No such file or directory
 done.
[  OK  ]
```

File didn't get removed though, but it has another issue now:

```
# tail /etc/ntp.conf
server 10.10.10.1 # added by /sbin/dhclient-script
server 10.10.10.1 # added by /sbin/dhclient-script
```

It keeps adding the same server after each restart.

dhclient is a subpackage of dhcp. The entire upstream product is ISC dhcp, which has dhcpd (DHCP server), dhcrelay (DHCP relay agent), and dhclient (DHCP client), along with some other things. Since it's very common for people to only want the DHCP client software, it is packaged in the 'dhclient' subpackage of the dhcp package.

It looks like a couple of things are happening here. Thanks for the feedback.

What does 'getenforce' report on your system? (I am going to be out of town from Apr 23 - Apr 26, so I'll probably look at this problem in detail when I get back.)

```
# getenforce
Enforcing
```

Hi David, thanks for the good work. I am having the same problem and have now installed dhclient-4.0.0-34.fc10.i386 from the test repository with no luck.

Mine is an interesting test case: a few days ago I booted from a newly downloaded and created Fedora 10 live CD. The network worked perfectly. Then I chose the option to install to the hard drive. After installing and rebooting I faced the above issue. I opened a terminal window and used yum to update all packages to the latest versions, but still the same issue. Running Fedora from the live CD still gives me a working network.

My conclusion is that the only difference between running from Live CD and my hard drive is the login account. Running from the live CD, the default login account perhaps has greater privileges or is the member of a necessary group. If possible, I would suggest that you can easily replicate these 2 environments using the latest live install ISO. Alternately, boot from CD and hard drive and play spot the difference. Let me know if you need further information or I can help with specific tests.

Just installed Fedora 11, same issue. dhclient-4.1.0-20.fc11.i586

```
type=SYSCALL msg=audit(1244650795.070:21): arch=40000003 syscall=5 success=no exit=-13 a0=bfb13d92 a1=80c1 a2=180 a3=b800d694 items=0 ppid=1815 pid=1836 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1244650795.070:21): avc: denied { create } for pid=1836 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
```

dhcp-4.0.0-36.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10

I'm also getting dhcp SELINUX errors.

```
type=AVC msg=audit(1246071567.086:103): avc: denied { open } for pid=15377 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.086:103): arch=c000003e syscall=2 success=yes exit=0 a0=7fff69ee7250 a1=0 a2=7fff69ee725c a3=7fff69ee7000 items=0 ppid=15364 pid=15377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246071567.093:104): avc: denied { read } for pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246071567.093:104): avc: denied { open } for pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.093:104): arch=c000003e syscall=2 success=yes exit=0 a0=7fffb8ad1e50 a1=0 a2=7fffb8ad1e5c a3=7fffb8ad1c00 items=0 ppid=15364 pid=15380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)
```

dhcp-4.1.0-22.fc11 is available in F-11 updates-testing to address these issues. dhcp-4.0.0-36.fc10 is available in F-10 updates-testing to address these issues.

The original issue reported refers to the SELinux errors for the /bin/mv command, so that's what these updates clear up. You may or may not still see the hostname denial (I am working on this as a separate issue). Other denials that appear when you do an ifup or 'service network start' are not under dhcp's control. Commands such as domainname and ifconfig are executed by other scripts, so it will fall under the responsibility of another package.

If you try the F-11 or F-10 update for this bug, please check /var/log/messages to see that the /bin/mv denials for dhcp are gone. If they are, please comment on the update here and indicate whether or not it worked for you:

For F-10: https://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10
For F-11: https://admin.fedoraproject.org/updates/dhcp-4.1.0-22.fc11

Thanks.

No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed. I installed and rebooted, but I get this on every dhcp renewal:

```
type=AVC msg=audit(1246122931.111:38): avc: denied { read } for pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.111:38): avc: denied { open } for pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816 pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246122931.115:39): avc: denied { read } for pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.115:39): avc: denied { open } for pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816 pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)
```

Alan, do you have ypbind installed?

dhcp-4.1.0-22.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with `su -c 'yum --enablerepo=updates-testing update dhcp'`. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7128

Good call. Yes, I did have ypbind installed. I tried removing it, and the selinux errors stopped.

(In reply to comment #14)
> No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed. I
> installed and rebooted, but I get this on every dhcp renewal:
>
> type=AVC msg=audit(1246122931.111:38): avc: denied { read } for pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.111:38): avc: denied { open } for pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file

I think domainname is also run by the nis.sh helper script (see below).

> type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes
> exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816
> pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname"
> subj=system_u:system_r:hostname_t:s0 key=(null)

This is fixed in a recent selinux-policy update.

> type=AVC msg=audit(1246122931.115:39): avc: denied { read } for pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.115:39): avc: denied { open } for pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes
> exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816
> pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)

Since you have ypbind installed, you have /etc/dhcp/dhclient.d/nis.sh, which is the helper script to handle NIS options for dhclient-script. This helper script is running 'mv'. It needs to be updated to not use mv, but rather cp with a context preserve -or- it can do what ntp.sh and dhclient-script do and read in the contents of the file to move to a variable and echo it out to the file you want to move it to.

The domainname AVC message will probably require an SELinux policy change. A new bug should be opened for ypbind that details this problem.

dhcp-4.1.0-22.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

dhcp-4.0.0-36.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
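The read-and-rewrite idiom recommended above for dhclient.d helper scripts, as an added example that is not the dhcp package's or nis.sh's own code: the backup and restore of a configuration file are done through redirects instead of `mv`, so the `{ create }` denial from the first Fedora 11 report cannot occur and the target keeps its inode and SELinux label, and the "added by /sbin/dhclient-script" line is appended idempotently so the duplicate `server` entries from the first report cannot build up. File paths are parameters; the real scripts use /etc/ntp.conf and /var/lib/dhclient/ntp.conf.predhclient.<interface>.

```shell
#!/bin/sh
# Added example, not code from the dhcp package or the nis.sh helper script.
# The { create } AVC in this bug shows 'mv' creating the backup with the
# source file's net_conf_t label, which dhcpc_t may not do. Redirects avoid
# that: a new file takes the directory's default label, and rewriting an
# existing target keeps its inode and label. Paths are parameters; the real
# scripts use /etc/ntp.conf and /var/lib/dhclient/ntp.conf.predhclient.<if>.

# save_conf TARGET BACKUP: copy TARGET's contents into a fresh BACKUP file.
save_conf() {
    [ -f "$1" ] || return 1
    cat "$1" > "$2"        # new file, labelled by its directory, not by source
}

# restore_conf BACKUP TARGET: write the saved contents back into TARGET in
# place (the read-into-variable-and-echo idiom, byte-exact) and drop BACKUP.
restore_conf() {
    [ -f "$1" ] || return 1
    cat "$1" > "$2"        # truncate-and-rewrite: TARGET's inode survives
    rm -f "$1"
}

# add_ntp_server SERVER TARGET: append the marker line only if it is absent,
# so repeated restarts cannot accumulate duplicate 'server' entries.
add_ntp_server() {
    line="server $1 # added by /sbin/dhclient-script"
    grep -qxF -- "$line" "$2" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$2"
}

# count_ntp_servers SERVER TARGET: number of marker lines present for SERVER.
count_ntp_servers() {
    grep -c -- "^server $1 # added by /sbin/dhclient-script\$" "$2" || true
}

# demo: replay the first report in a temp dir (two "restarts", one restore)
# and print how many marker lines remain; also checks the inode is unchanged.
demo() {
    d=$(mktemp -d)
    printf 'server 0.pool.ntp.org\n' > "$d/ntp.conf"
    save_conf "$d/ntp.conf" "$d/ntp.conf.predhclient.eth0"
    add_ntp_server 10.10.10.1 "$d/ntp.conf"
    add_ntp_server 10.10.10.1 "$d/ntp.conf"    # second restart: no duplicate
    before=$(ls -i "$d/ntp.conf")
    restore_conf "$d/ntp.conf.predhclient.eth0" "$d/ntp.conf"
    [ "$before" = "$(ls -i "$d/ntp.conf")" ] || return 1
    count_ntp_servers 10.10.10.1 "$d/ntp.conf"
    rm -rf "$d"
}
```

On an SELinux host, `ls -Z` on the target before and after `restore_conf` shows the same label, which is the property `mv` across filesystems does not give you.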