Bug 641176

Summary: SELinux does not allow dnsmasq to read the /var/run/ppp/resolv.conf file.
Product: Fedora
Reporter: Van de Bugger <van.de.bugger>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 13
Keywords: SELinux
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-69.fc13
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-11-11 22:23:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Van de Bugger 2010-10-07 22:59:12 UTC
Description of problem:

NetworkManager is turned off; the internet connection is made through the network service; the connection type is xDSL. Here is my ifcfg-ppp0 file:

DEVICE=ppp0
BOOTPROTO=dialup
TYPE=xDSL
NM_CONTROLLED=no
ONBOOT=yes
USERCTL=no
PEERDNS=yes
DNS1=127.0.0.1
DNS2=127.0.0.1
IPV6INIT=no
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=NONE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
IDLETIMEOUT=600
PERSIST=yes
SYNCHRONOUS=no
DEFROUTE=yes
USER=v1160310
ETH=eth1
PROVIDER=DomRu
DEMAND=no

When ppp0 is up, /etc/resolv.conf contains:

nameserver 127.0.0.1
nameserver 127.0.0.1

These lines are required to let dnsmasq work.

/var/run/ppp/resolv.conf contains:

nameserver 91.144.186.3
nameserver 91.144.184.3

I want dnsmasq to read this file; /etc/dnsmasq.conf contains:

...
resolv-file=/var/run/ppp/resolv.conf
...

However, dnsmasq cannot read this file. File /var/log/messages contains:

...
Oct  8 02:31:21 antec dnsmasq[22642]: started, version 2.52 cachesize 1000
Oct  8 02:31:21 antec dnsmasq[22642]: compile time options: IPv6 GNU-getopt DBus no-I18N DHCP TFTP
Oct  8 02:31:21 antec dnsmasq-dhcp[22642]: DHCP, IP range 192.168.1.20 -- 192.168.1.250, lease time 1d
Oct  8 02:31:21 antec dnsmasq[22642]: failed to access /tmp/dnsmasq/resolv.conf: Permission denied
Oct  8 02:31:21 antec dnsmasq[22642]: read /etc/hosts - 8 addresses
Oct  8 02:31:21 antec kernel: type=1400 audit(1286490681.913:168): avc:  denied  { search } for  pid=22642 comm="dnsmasq" name="dnsmasq" dev=sda3 ino=9437947 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=dir
Oct  8 02:31:44 antec kernel: type=1400 audit(1286490704.054:169): avc:  denied  { search } for  pid=22642 comm="dnsmasq" name="dnsmasq" dev=sda3 ino=9437947 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=dir
Oct  8 02:31:46 antec kernel: type=1400 audit(1286490706.078:170): avc:  denied  { search } for  pid=22642 comm="dnsmasq" name="dnsmasq" dev=sda3 ino=9437947 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=dir

Since SELinux prevents reading the /var/run/ppp/resolv.conf file, dnsmasq does not know the upstream nameservers and does not provide DNS.

Version-Release number of selected component (if applicable):

Fedora 13
dnsmasq-2.52-1.fc13.x86_64
selinux-policy-targeted-3.7.19-62.fc13.noarch
selinux-policy-3.7.19-62.fc13.noarch

How reproducible:

Always.

Comment 1 Daniel Walsh 2010-10-08 12:59:30 UTC
Does running restorecon -R -v /var/run change the context?

Comment 2 Van de Bugger 2010-10-08 19:48:32 UTC
No, it does not. The context is:

$ ls -Z resolv.conf 
-rw-r--r--. root root system_u:object_r:pppd_var_run_t:s0 resolv.conf

BTW, dnsmasq drops itself to user "nobody" group "dip".

Comment 3 Daniel Walsh 2010-10-12 18:28:32 UTC
The AVC you reported was dnsmasq trying to read a tmp directory created by initrc_t.  Do your init scripts create something within /tmp that dnsmasq then attempts to read?

Comment 4 Van de Bugger 2010-10-12 19:11:42 UTC
Sorry, probably I copied the wrong piece. 

Originally I set up dnsmasq to read /var/run/ppp/resolv.conf, but dnsmasq failed to read this file. Then I created /sbin/ifup-local to copy /var/run/ppp/resolv.conf to /tmp/resolv.conf and changed dnsmasq configuration to read the latter file, but it failed again. The only workaround I found is copying /var/run/ppp/resolv.conf to /etc/resolv.dnsmasq.conf, this file can be read.

I will try to reproduce the problem again and attach proper AVC messages.

Comment 5 Van de Bugger 2010-10-12 19:19:15 UTC
Ok, here is the attempt to read /var/run/ppp/resolv.conf:

Oct 12 23:17:28 antec dnsmasq[8490]: started, version 2.52 cachesize 1000
Oct 12 23:17:28 antec dnsmasq[8490]: compile time options: IPv6 GNU-getopt DBus no-I18N DHCP TFTP
Oct 12 23:17:28 antec dnsmasq-dhcp[8490]: DHCP, IP range 192.168.56.20 -- 192.168.56.250, lease time 1d
Oct 12 23:17:28 antec dnsmasq-dhcp[8490]: DHCP, IP range 192.168.1.20 -- 192.168.1.250, lease time 1d
Oct 12 23:17:28 antec dnsmasq[8490]: failed to access /var/run/ppp/resolv.conf: Permission denied
Oct 12 23:17:28 antec dnsmasq[8490]: read /etc/hosts - 8 addresses
Oct 12 23:17:28 antec kernel: type=1400 audit(1286911048.304:12): avc:  denied  { search } for  pid=8490 comm="dnsmasq" name="ppp" dev=sda3 ino=17285 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:pppd_var_run_t:s0 tclass=dir

Comment 6 Daniel Walsh 2010-10-12 19:40:31 UTC
Miroslav add


optional_policy(`
	ppp_read_pid_files(dnsmasq_t)
')

But change ppp_read_pid_files to use

	read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
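
The denial in Comment 5 and the fix in Comment 6 are the standard SELinux loop: derive an allow rule from the AVC record, load it as a local module until the packaged policy catches up, and check that the rule covers the whole access path rather than only the first denied step. The kernel logs only the first access that fails during the path walk (here, search on the pppd_var_run_t directory), so a rule generated from that one record is incomplete: the next start would be denied again, this time on the file. That is why the fix uses read_files_pattern, which grants both the directory search and the file read. The script below is an added example, not code from the bug report or from the Fedora policy. It uses the AVC record quoted in Comment 5 plus a constructed follow-on record for the file itself; its expansion of read_files_pattern assumes refpolicy's search_dir_perms and read_file_perms definitions, and the checkmodule/semodule/sesearch invocations appear only in comments and are not executed.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the allow rule audit2allow
# would print from an AVC record, wrap it in a loadable module, and show the
# fuller rule set that Comment 6's read_files_pattern call grants.

# First record copied from Comment 5; second one is constructed to show the
# denial that follows once directory search is allowed.
AVC_DIR='type=1400 audit(1286911048.304:12): avc:  denied  { search } for  pid=8490 comm="dnsmasq" name="ppp" dev=sda3 ino=17285 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:pppd_var_run_t:s0 tclass=dir'
AVC_FILE='type=1400 audit(1286911048.305:13): avc:  denied  { read } for  pid=8490 comm="dnsmasq" name="resolv.conf" dev=sda3 ino=17290 scontext=unconfined_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:pppd_var_run_t:s0 tclass=file'

# avc_parse LINE: sets AVC_PERMS, AVC_SDOM, AVC_TTYPE, AVC_TCLASS from one
# kernel AVC record (source domain and target type are the third field of
# the respective context); returns 1 if any field is missing.
avc_parse() {
    AVC_PERMS=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    AVC_SDOM=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    AVC_TTYPE=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    AVC_TCLASS=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$AVC_PERMS" ] && [ -n "$AVC_SDOM" ] && [ -n "$AVC_TTYPE" ] && [ -n "$AVC_TCLASS" ]
}

# avc_to_allow LINE: the single TE rule this record asks for.
avc_to_allow() {
    avc_parse "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$AVC_SDOM" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
}

# avc_to_te MODNAME LINE: a minimal policy module source (.te) for that rule.
# Assumes source and target types differ, as they do here.
avc_to_te() {
    avc_parse "$2" || return 1
    printf 'module %s 1.0;\n\n' "$1"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$AVC_SDOM" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
    printf 'allow %s %s:%s { %s };\n' "$AVC_SDOM" "$AVC_TTYPE" "$AVC_TCLASS" "$AVC_PERMS"
}

# read_files_pattern_rules DOMAIN DIRTYPE FILETYPE: what Comment 6's
# read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) expands to, assuming
# refpolicy's search_dir_perms = { getattr search open } and
# read_file_perms = { getattr open read ioctl lock }.
read_files_pattern_rules() {
    printf 'allow %s %s:dir { getattr search open };\n' "$1" "$2"
    printf 'allow %s %s:file { getattr open read ioctl lock };\n' "$1" "$3"
}

# Local-module workaround, built from the generated .te (not run here):
#   avc_to_te local_dnsmasq_ppp "$AVC_DIR" > local_dnsmasq_ppp.te
#   checkmodule -M -m -o local_dnsmasq_ppp.mod local_dnsmasq_ppp.te
#   semodule_package -o local_dnsmasq_ppp.pp -m local_dnsmasq_ppp.mod
#   semodule -i local_dnsmasq_ppp.pp
# Verify the loaded policy actually grants the file read, not only the search:
#   sesearch --allow -s dnsmasq_t -t pppd_var_run_t -c file -p read

# Demo: the rule audit2allow would derive from each record, then the
# complete set the packaged fix installs.
avc_to_allow "$AVC_DIR"
avc_to_allow "$AVC_FILE"
read_files_pattern_rules dnsmasq_t pppd_var_run_t pppd_var_run_t
```

Running the script prints one allow rule per AVC record followed by the two rules of the read_files_pattern expansion; the difference between the first line and the last two is exactly what an audit2allow-only workaround would miss until dnsmasq is restarted and denied a second time.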

Comment 7 Miroslav Grepl 2010-10-13 06:37:12 UTC
Fixed in selinux-policy-3.7.19-66.fc13

Comment 8 Fedora Update System 2010-10-27 08:09:24 UTC
selinux-policy-3.7.19-69.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-69.fc13

Comment 9 Fedora Update System 2010-10-28 06:19:52 UTC
selinux-policy-3.7.19-69.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-69.fc13

Comment 10 Van de Bugger 2010-10-28 19:56:23 UTC
Just checked. The bug is fixed. Thanks!

Comment 11 Fedora Update System 2010-11-11 22:22:39 UTC
selinux-policy-3.7.19-69.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.