Bug 714556

Summary: SELinux is preventing /usr/sbin/dhcpd from 'write' accesses on the file dhcpd.pid.
Product: [Fedora] Fedora
Reporter: Edgar Hoch <edgar.hoch>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:36419af4ac4a05ee0f32a782d66ce6e7c96d72b4f290413d58bfc15a27559889
Doc Type: Bug Fix
Last Closed: 2011-06-20 06:42:38 UTC

Description Edgar Hoch 2011-06-20 04:46:28 UTC
SELinux is preventing /usr/sbin/dhcpd from 'write' accesses on the file dhcpd.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dhcpd should be allowed write access on the dhcpd.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dhcpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dhcpd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                dhcpd.pid [ file ]
Source                        dhcpd
Source Path                   /usr/sbin/dhcpd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           dhcp-4.2.1-9.P1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.x86_64 #1 SMP Fri
                              May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mo 20 Jun 2011 06:41:05 CEST
Last Seen                     Mo 20 Jun 2011 06:41:05 CEST
Local ID                      d24c0ccf-68db-45dd-be5b-92846ea0a43f

Raw Audit Messages
type=AVC msg=audit(1308544865.537:8153): avc:  denied  { write } for  pid=22240 comm="dhcpd" name="dhcpd.pid" dev=tmpfs ino=2481946 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1308544865.537:8153): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5674cec920 a1=80241 a2=1a4 a3=2 items=0 ppid=1 pid=22240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null)

Hash: dhcpd,dhcpd_t,var_run_t,file,write

audit2allow

#============= dhcpd_t ==============
allow dhcpd_t var_run_t:file write;

audit2allow -R

#============= dhcpd_t ==============
allow dhcpd_t var_run_t:file write;

Comment 1 Miroslav Grepl 2011-06-20 06:42:38 UTC
It looks like you have started dhcpd directly.

That is, without using the service script. This caused the pid file to be created with the wrong label, since dhcpd was running in the wrong domain.

Executing

# restorecon -R -v /var/run/dhcp*

will fix it.
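
The check that separates this report's two proposed fixes (a local `audit2allow` module versus `restorecon`) can be scripted. The following is an added example, not part of the bug report or of setroubleshoot: it parses an AVC record and recommends relabeling when the target carries a generic directory type. The `GENERIC_TYPES` list, the function names and the second sample record are assumptions made for the example.

```python
import re

# Types a new file inherits from its parent directory when no type transition
# applied. This list is an assumption for the example, not read from policy.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "var_log_t", "tmp_t", "etc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    for key in ("scontext", "tcontext"):
        # user:role:type[:level]; an MLS level may itself contain ':'
        user, role, type_, *level = rec[key].split(":", 3)
        rec[key] = {"user": user, "role": role, "type": type_, "level": "".join(level)}
    return rec

def triage(line):
    """'relabel' = target label looks wrong; 'review' = label looks deliberate."""
    rec = parse_avc(line)
    if rec is None:
        return None
    src, tgt = rec["scontext"], rec["tcontext"]
    reasons = []
    if tgt["type"] in GENERIC_TYPES:
        reasons.append(f"target has generic type {tgt['type']}")
    if src["user"] == "system_u" and tgt["user"] != "system_u":
        # A new file takes the SELinux user of the process that created it.
        reasons.append(f"target was created by a process running as {tgt['user']}")
    verdict = "relabel" if tgt["type"] in GENERIC_TYPES else "review"
    return {"verdict": verdict, "source": src["type"], "target": rec.get("name"),
            "perms": rec["perms"], "reasons": reasons}

# The AVC record from this report, then a constructed record for contrast.
REPORTED = ('type=AVC msg=audit(1308544865.537:8153): avc:  denied  { write } for  '
            'pid=22240 comm="dhcpd" name="dhcpd.pid" dev=tmpfs ino=2481946 '
            'scontext=system_u:system_r:dhcpd_t:s0 '
            'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file')
CONSTRUCTED = ('type=AVC msg=audit(1.0:1): avc:  denied  { read write } for  pid=1 '
               'comm="dhcpd" name="example.db" dev=sda1 ino=2 '
               'scontext=system_u:system_r:dhcpd_t:s0 '
               'tcontext=system_u:object_r:example_data_t:s0 tclass=file')

if __name__ == "__main__":
    for sample in (REPORTED, CONSTRUCTED):
        print(triage(sample))
```

A "relabel" verdict means the label should be compared with the policy default (for example with `restorecon -n -v`) before any `allow` rule is generated.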