Bug 867291

Summary: chown capability for dhcpd_t
Product: [Fedora] Fedora
Reporter: Jiri Popelka <jpopelka>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 18
CC: bojan, dominick.grift, dwalsh, mgrepl
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Clone Of:
: 1082640 (view as bug list)
Last Closed: 2012-12-20 16:20:59 UTC
Type: Bug
Bug Blocks: 866714
Attachments: AVC (flags: none)

Description Jiri Popelka 2012-10-17 09:01:47 UTC
Created attachment 628601: AVC

Hi,

Would it be possible to have (F18+ would be sufficient) the chown capability for dhcpd_t?

Reason:
dhcpd is de-rooting (changing effective user/group ID) itself during start, but before doing so it creates the /var/lib/dhcpd/*.leases file. The leases file can't be created after de-rooting because of bug #765967.
In selinux-policy-3.10.0-72.fc16 dhcpd got dac_override to be able to create root:root owned files in /var/lib/dhcpd, which is owned by dhcpd:dhcpd.
Because we need the leases file to also be dhcpd:dhcpd owned, the reporter of bug #866714 suggested to chown them after creating, which seems to work, but we need to tweak the SELinux policy; see bug #866714, comment #11.
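
The sequence described in the report (create the leases file while still root, chown it to the service account, then drop root), as an added C example that is not dhcpd's code and not part of the original report. The function names are hypothetical, and `main()` only exercises the create-and-chown step with the caller's own ids in a constructed temporary directory.

```c
#define _DEFAULT_SOURCE   /* exposes setgroups() and mkdtemp() */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1, still root: create the leases file, then give it to the service
 * account. Changing the owner needs CAP_CHOWN, which SELinux checks as
 * "capability chown" on the calling domain (dhcpd_t in the report). */
int create_owned_lease(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) != 0) {  /* on the fd: no path race */
        close(fd);
        unlink(path);                 /* leave no root-owned leftover */
        return -1;
    }
    return close(fd);
}

/* Step 2: drop root. Order matters: supplementary groups, gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;  /* must not get root back */
}

/* Constructed self-check: step 1 with the caller's own ids (needs no
 * privilege) in a temporary directory; returns 0 if the owner is right. */
int lease_selfcheck(void)
{
    char dir[] = "/tmp/lease-demo-XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/dhcpd.leases", dir);
    int rc = create_owned_lease(path, getuid(), getgid());
    if (rc == 0 && (stat(path, &st) != 0 || st.st_uid != getuid() || st.st_gid != getgid()))
        rc = -1;
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) { return lease_selfcheck() == 0 ? 0 : 1; }
```

When step 1 runs as root in a confined domain without the chown capability, `fchown()` fails with EPERM and the denial is recorded as an AVC.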

Comment 1 Bojan Smojver 2012-10-17 10:11:03 UTC
Actually, shouldn't this be fixed in F-17? That is where the original bug is...

Comment 2 Jiri Popelka 2012-10-17 10:21:49 UTC
I'd rather fix the original bug in F18+ only.
It's not such a serious problem, and I don't want to introduce a regression like the last time (bug #765967) I tried to fix it.

Comment 3 Miroslav Grepl 2012-10-17 14:33:39 UTC
Added to -40.fc18

Comment 4 Bojan Smojver 2012-10-17 21:00:34 UTC
(In reply to comment #2)
> I'd rather fix the original bug in F18+ only.
> It's not such a serious problem, and I don't want to introduce a regression
> like the last time (bug #765967) I tried to fix it.

Come on - be bold! Just pot it in testing and we'll see...

Comment 5 Bojan Smojver 2012-10-17 21:02:00 UTC
(In reply to comment #4)
 
> Come on - be bold! Just pot it in testing and we'll see...

Sorry, typo. Put, not pot.

Comment 6 Jiri Popelka 2012-10-18 06:40:06 UTC
Well, that depends on Miroslav. Mirku, is this viable also in F17?

Comment 7 Fedora Update System 2012-10-23 20:35:36 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 8 Fedora Update System 2012-10-26 15:38:30 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 9 Fedora Update System 2012-10-26 19:28:08 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-12-20 16:21:01 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.