| Summary: | SELinux is preventing dhcpd setgid/setuid access | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jiri Popelka <jpopelka> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Priority: | medium |
| Version: | 6.1 | CC: | dwalsh, jbastian, ksrot, mganisin, mmalik |
| Target Milestone: | rc | Hardware: | All |
| OS: | Linux | Doc Type: | Bug Fix |
| Fixed In Version: | selinux-policy-3.7.19-112.el6 | Last Closed: | 2011-12-06 10:18:39 UTC |
| Bug Blocks: | 693381 | | |

Description
Jiri Popelka
2011-09-12 15:09:11 UTC
We have this in F16 so I think we should back port.

Created attachment 522918
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.

During testing I've discovered some other alerts I haven't seen before.

Created attachment 522919
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.

And this one. Not sure what it means. I see it when running two dhcpd servers in a failover pair.

(In reply to comment #2)
> Created attachment 522918
> SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
>
> During testing I've discovered some other alerts I haven't seen before.

Have you ever started dhcpd by hand?

/var/run/dhcpd.pid is mislabeled.

(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 522918
> > SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> >
> > During testing I've discovered some other alerts I haven't seen before.
>
> Have you ever started dhcpd by hand?
>
> /var/run/dhcpd.pid is mislabeled.

Yes, that's the problem. So this one is out. Thanks.

(In reply to comment #3)
> Created attachment 522919
> SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.
>
> And this one. Not sure what it means. I see it when running two dhcpd
> servers in a failover pair.

And this one has turned out to be a user error. I was using the wrong ports for the failover protocol.

*** Bug 743440 has been marked as a duplicate of this bug. ***

There's one more serious problem. See bug #693381, comment #17.
When dhcpd starts it writes /var/lib/dhcpd/dhcpd.leases as root:root, then de-roots itself and runs as dhcpd:dhcpd. I changed the ownership of /var/lib/dhcpd/ to dhcpd:dhcpd so dhcpd is able to write leases there as dhcpd:dhcpd. The problem is that SELinux doesn't allow dhcpd to make the initial record as root:root.

Yes, since dac_override is needed in this case.

Added to selinux-policy-3.7.19-120.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
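
The dac_override exchange above, worked through as an added example (not code from this bug report or from selinux-policy): a plain owner/group/other check showing that root passes on its own while the lease directory is root:root, and only falls back on CAP_DAC_OVERRIDE, and so on the SELinux `dac_override` permission, once the directory is owned by dhcpd:dhcpd. The UID/GID 177 for dhcpd and the directory mode 0755 are assumed values.

```python
# Added example: which accesses in the dhcpd.leases case depend on CAP_DAC_OVERRIDE.
# UID/GID 177 for dhcpd and mode 0755 are constructed values, not from the report.
ROOT, DHCPD = 0, 177
W_X = 0o3  # creating a file in a directory needs write + search on that directory


def dac_allows(uid, gids, st_uid, st_gid, mode, want):
    """Classic Unix owner/group/other check with no capabilities applied.

    want is a mask of 4 (read), 2 (write), 1 (execute/search).
    Exactly one permission class is consulted: owner, else group, else other.
    """
    if uid == st_uid:
        bits = (mode >> 6) & 0o7
    elif st_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want


def needs_dac_override(uid, gids, st_uid, st_gid, mode, want):
    """True when the mode bits alone refuse the access.

    A privileged process then succeeds only through CAP_DAC_OVERRIDE, and on an
    SELinux system that capability use must also be allowed by policy
    (capability class, dac_override permission) or an AVC denial is logged.
    """
    return not dac_allows(uid, gids, st_uid, st_gid, mode, want)


def lease_dir_cases(mode=0o755):
    """Creating dhcpd.leases in the lease directory, for each process/owner pair."""
    return {
        "root -> root:root dir": needs_dac_override(ROOT, {ROOT}, ROOT, ROOT, mode, W_X),
        "root -> dhcpd:dhcpd dir": needs_dac_override(ROOT, {ROOT}, DHCPD, DHCPD, mode, W_X),
        "dhcpd -> dhcpd:dhcpd dir": needs_dac_override(DHCPD, {DHCPD}, DHCPD, DHCPD, mode, W_X),
    }


if __name__ == "__main__":
    for case, needed in lease_dir_cases().items():
        print(f"{case:26} dac_override needed: {needed}")
```
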