Bug 483747

Summary: selinux denies dhclient-script to update configuration files
Product: [Fedora] Fedora
Component: dhcp
Version: 11
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: low
Reporter: Vadym Chepkov <vchepkov>
Assignee: David Cantrell <dcantrell>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: alanh, dcantrell, kcao, wwoods
Fixed In Version: 4.1.0-22.fc11
Doc Type: Bug Fix
Last Closed: 2009-07-11 17:04:33 UTC
Bug Blocks: 509240

Description Vadym Chepkov 2009-02-03 14:05:00 UTC
dhclient-script, which is called by dhclient, updates numerous configuration files based on information it received from the dhcp server.
The selinux policy breaks this functionality and, furthermore, the configuration file gets deleted:

selinux-policy-targeted-3.5.13-40.fc10.noarch

----
type=SYSCALL msg=audit(1233669374.062:20): arch=40000003 syscall=5 success=no exit=-13 a0=bfcadf57 a1=80c1 a2=180 a3=80c1 items=0 ppid=1984 pid=2013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1233669374.062:20): avc:  denied  { create } for  pid=2013 comm="mv" name="ntp.conf" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
----
type=SYSCALL msg=audit(1233669383.075:21): arch=40000003 syscall=5 success=no exit=-13 a0=bfc6bdb8 a1=80c1 a2=180 a3=80c1 items=0 ppid=2418 pid=2446 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1233669383.075:21): avc:  denied  { create } for  pid=2446 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file


# ls -l /etc/ntp.conf
-rw-r--r-- 1 root root 1923 2008-08-29 04:26 /etc/ntp.conf

# service network restart
Shutting down interface eth0:  mv: cannot create regular file `/etc/ntp.conf': Permission denied
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...mv: cannot create regular file `/var/lib/dhclient/resolv.conf.predhclient.eth0': Permission denied
 done.
                                                           [  OK  ]
# ls -l /etc/ntp.conf
ls: cannot access /etc/ntp.conf: No such file or directory

Comment 1 Daniel Walsh 2009-02-04 16:10:22 UTC
I believe these are dhcp issues.

Comment 2 David Cantrell 2009-04-17 02:05:20 UTC
A fix for this will be in dhcp-4.0.0-34.fc10, which will appear first in the F-11 updates-testing collection.

It would be EXTREMELY helpful to me if you could test the update when it appears in updates-testing and report back whether or not it works.

Comment 3 Fedora Update System 2009-04-17 21:22:21 UTC
dhcp-4.0.0-34.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-34.fc10

Comment 4 Fedora Update System 2009-04-22 00:59:23 UTC
dhcp-4.0.0-34.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3825

Comment 5 Vadym Chepkov 2009-04-22 11:28:40 UTC
I use dhclient, not dhcp
No changes in new package:

# rpm -q dhclient
dhclient-4.0.0-34.fc10.i386

# service network restart
Shutting down interface eth0:  rm: cannot remove `/etc/ntp.conf': Permission denied
mv: inter-device move failed: `/var/lib/dhclient/ntp.conf.predhclient.eth0' to `/etc/ntp.conf'; unable to remove target: Permission denied
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...mv: cannot create regular file `/var/lib/dhclient/resolv.conf.predhclient.eth0': Permission denied
mv: cannot create regular file `/var/lib/dhclient/ntp.conf.predhclient.eth0': Permission denied
/sbin/dhclient-script: line 407: /var/lib/dhclient/ntp.conf.predhclient.eth0: No such file or directory
 done.
                                                           [  OK  ]

Comment 6 Vadym Chepkov 2009-04-22 11:33:45 UTC
The file didn't get removed, though, but it has another issue now:

# tail /etc/ntp.conf

server 10.10.10.1  # added by /sbin/dhclient-script
server 10.10.10.1  # added by /sbin/dhclient-script

It keeps adding the same server after each restart.

Comment 7 David Cantrell 2009-04-22 19:55:29 UTC
dhclient is a subpackage of dhcp.  The entire upstream product is ISC dhcp, which has dhcpd (DHCP server), dhcrelay (DHCP relay agent), and dhclient (DHCP client), along with some other things.  Since it's very common for people to only want the DHCP client software, it is packaged in the 'dhclient' subpackage of the dhcp package.

It looks like a couple of things are happening here.  Thanks for the feedback.  What does 'getenforce' report on your system?

(I am going to be out of town from Apr 23 - Apr 26, so I'll probably look at this problem in detail when I get back.)

Comment 8 Vadym Chepkov 2009-04-22 23:54:03 UTC
# getenforce
Enforcing

Comment 9 Deverick McIntyre 2009-05-05 09:49:53 UTC
Hi David, thanks for the good work.

I am having the same problem and have now installed dhclient-4.0.0-34.fc10.i386
from the test repository with no luck.

Mine is an interesting test case:  a few days ago I booted from a newly downloaded and created Fedora 10 live CD.  The network worked perfectly.  Then I chose the option to install to the hard drive.  After installing and rebooting I faced the above issue.  I opened a terminal window and used yum to update all packages to the latest versions, but still the same issue.

Running Fedora from the live CD still gives me a working network.

My conclusion is that the only difference between running from the live CD and my hard drive is the login account.  Running from the live CD, the default login account perhaps has greater privileges or is a member of a necessary group.

If possible I would suggest you can easily replicate these 2 environments using the latest live install ISO. Alternately boot from CD and hard drive and play spot the difference.

Let me know if you need further information or I can help with specific tests.

Comment 10 Vadym Chepkov 2009-06-10 16:25:37 UTC
Just installed Fedora 11, same issue

dhclient-4.1.0-20.fc11.i586

type=SYSCALL msg=audit(1244650795.070:21): arch=40000003 syscall=5 success=no exit=-13 a0=bfb13d92 a1=80c1 a2=180 a3=b800d694 items=0 ppid=1815 pid=1836 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1244650795.070:21): avc:  denied  { create } for  pid=1836 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

Comment 11 Fedora Update System 2009-06-27 03:01:37 UTC
dhcp-4.0.0-36.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10

Comment 12 Alan Hamilton 2009-06-27 03:36:21 UTC
I'm also getting dhcp SELINUX errors.

type=AVC msg=audit(1246071567.086:103): avc:  denied  { open } for  pid=15377 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.086:103): arch=c000003e syscall=2 success=yes exit=0 a0=7fff69ee7250 a1=0 a2=7fff69ee725c a3=7fff69ee7000 items=0 ppid=15364 pid=15377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246071567.093:104): avc:  denied  { read } for  pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246071567.093:104): avc:  denied  { open } for  pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.093:104): arch=c000003e syscall=2 success=yes exit=0 a0=7fffb8ad1e50 a1=0 a2=7fffb8ad1e5c a3=7fffb8ad1c00 items=0 ppid=15364 pid=15380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Comment 13 David Cantrell 2009-06-27 10:12:38 UTC
dhcp-4.1.0-22.fc11 is available in F-11 updates-testing to address these issues.  dhcp-4.0.0-36.fc10 is available in F-10 updates-testing to address these issues.

The original issue reported refers to the SELinux errors for the /bin/mv command, so that's what these updates clear up.  You may or may not still see the hostname denial (I am working on this as a separate issue).

Other denials that appear when you do an ifup or 'service network start' are not under dhcp's control.  Commands such as domainname and ifconfig are executed by other scripts, so it will fall under the responsibility of another package.

If you try the F-11 or F-10 update for this bug, please check /var/log/messages to see that the /bin/mv denials for dhcp are gone.  If they are, please comment on the update here and indicate whether or not it worked for you:

For F-10:
https://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10

For F-11:
https://admin.fedoraproject.org/updates/dhcp-4.1.0-22.fc11

Thanks.
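
Added example (not part of the original thread or of the dhcp package): one way to run the check requested in this comment, summarising the AVC denials logged for mv in the dhcpc_t domain. The function names and the sample records, which are modelled on the denials quoted in this report, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (timestamps and pids are made up).
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1000000001.001:1): avc:  denied  { create } for  pid=101 comm="mv" name="ntp.conf" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
type=SYSCALL msg=audit(1000000001.001:1): arch=40000003 syscall=5 success=no exit=-13 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0
type=AVC msg=audit(1000000002.001:2): avc:  denied  { create } for  pid=102 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1000000003.001:3): avc:  denied  { create } for  pid=103 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1000000004.001:4): avc:  denied  { read } for  pid=104 comm="domainname" name="mls" scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one line per distinct denial of mv
# running as dhcpc_t: "<permissions> <target type> <file name> <count>".
# Denials from other commands or domains (e.g. domainname in hostname_t)
# are skipped, since they belong to other packages.
dhcpc_mv_denials() {
    awk '
    /avc: +denied/ && /comm="mv"/ && /scontext=[^ ]*:dhcpc_t:/ {
        perm = $0
        sub(/.*denied +[{] */, "", perm)   # drop everything up to "{ "
        sub(/ *[}].*/, "", perm)           # drop " }" and the rest
        gsub(/ /, ",", perm)               # "read write" -> "read,write"
        name = "-"; ttype = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        seen[perm " " ttype " " name]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Demo on the constructed sample; on a real system feed it the log instead,
# e.g.  dhcpc_mv_denials < /var/log/messages
sample_audit_lines | dhcpc_mv_denials
```

An empty result after a network restart means the mv denials for dhcpc_t are gone; any remaining lines show which file and target type are still being refused.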

Comment 14 Alan Hamilton 2009-06-27 17:55:16 UTC
No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed.  I installed and rebooted, but I get this on every dhcp renewal:

type=AVC msg=audit(1246122931.111:38): avc:  denied  { read } for  pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.111:38): avc:  denied  { open } for  pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816 pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246122931.115:39): avc:  denied  { read } for  pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.115:39): avc:  denied  { open } for  pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816 pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)

Comment 15 David Cantrell 2009-06-30 20:32:22 UTC
Alan,

Do you have ypbind installed?

Comment 16 Fedora Update System 2009-06-30 21:32:42 UTC
dhcp-4.1.0-22.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7128

Comment 17 Alan Hamilton 2009-07-01 12:34:21 UTC
Good call. Yes, I did have ypbind installed.  I tried removing it, and the selinux errors stopped.

Comment 18 David Cantrell 2009-07-01 19:30:03 UTC
(In reply to comment #14)
> No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed.  I
> installed and rebooted, but I get this on every dhcp renewal:
> 
> type=AVC msg=audit(1246122931.111:38): avc:  denied  { read } for  pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.111:38): avc:  denied  { open } for  pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file

I think domainname is also run by the nis.sh helper script (see below).

> type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes
> exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816
> pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname"
> subj=system_u:system_r:hostname_t:s0 key=(null)

This is fixed in a recent selinux-policy update.

> type=AVC msg=audit(1246122931.115:39): avc:  denied  { read } for  pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.115:39): avc:  denied  { open } for  pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes
> exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816
> pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)  

Since you have ypbind installed, you have /etc/dhcp/dhclient.d/nis.sh, which is the helper script to handle NIS options for dhclient-script.  This helper script is running 'mv'.  It needs to be updated to not use mv, but rather cp with a context preserve -or- it can do what ntp.sh and dhclient-script do and read in the contents of the file to move to a variable and echo it out to the file you want to move it to.

The domainname AVC message will probably require an selinux policy change.

A new bug should be opened for ypbind that details this problem.
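
Added example (not part of the original thread, and not the code of nis.sh, ntp.sh or dhclient-script): a sketch of the second option described in this comment, restoring a saved file by reading it into a variable and writing it over the destination, compared with mv. The SELinux label is stored on the inode, so the demo uses the inode number as a stand-in for the label and runs without SELinux; the function names, scratch paths and addresses are constructed.

```shell
#!/bin/sh
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# restore_in_place SRC DST: write SRC's contents into the existing DST.
# The redirection truncates DST rather than creating a new file, so DST keeps
# its inode (and therefore its label) and no "create" permission is needed.
restore_in_place() {
    src=$1 dst=$2
    [ -f "$src" ] || return 1
    contents=$(cat "$src") || return 1       # $(...) strips trailing newlines
    printf '%s\n' "$contents" > "$dst" || return 1
    rm -f "$src"
}

# try_restore METHOD: build a config and its saved copy in a scratch directory,
# restore with METHOD (mv | in_place) and print whether the config's inode
# was "kept" or "replaced". Fails if the restored contents are wrong.
try_restore() {
    dir=$(mktemp -d) || return 1
    conf=$dir/ntp.conf
    save=$dir/ntp.conf.predhclient.eth0
    printf 'server 192.0.2.1\n' > "$save"
    printf 'server 192.0.2.1\nserver 192.0.2.53  # added by DHCP\n' > "$conf"
    before=$(inode_of "$conf")
    case $1 in
        mv)       mv -f "$save" "$conf" ;;   # DST becomes SRC's inode
        in_place) restore_in_place "$save" "$conf" ;;
        *)        rm -rf "$dir"; return 1 ;;
    esac
    after=$(inode_of "$conf")
    content=$(cat "$conf")
    rm -rf "$dir"
    [ "$content" = 'server 192.0.2.1' ] || return 1
    if [ "$before" = "$after" ]; then echo kept; else echo replaced; fi
}

echo "mv:       $(try_restore mv)"
echo "in_place: $(try_restore in_place)"
```

With mv the destination ends up as the backup's inode, carrying whatever label the backup had in /var/lib/dhclient; the in-place write leaves the original file object and its label untouched.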

Comment 19 Fedora Update System 2009-07-11 17:04:22 UTC
dhcp-4.1.0-22.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2009-07-11 17:09:04 UTC
dhcp-4.0.0-36.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.