Bug 1043211
| Summary: | Cannot create file '/var/cache/ddclient/ddclient.cache' | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | jdow |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | dwalsh, extras-orphan, jdow, lvrabec, mgrepl, mmalik |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | 6.6 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-239.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 07:58:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
restorecon -R -v /var/cache Should fix this problem. The problem is the ddclient directory is mislabeled. Did you run the tools by hand? (In reply to Daniel Walsh from comment #1) > restorecon -R -v /var/cache > > Should fix this problem. > > The problem is the ddclient directory is mislabeled. > > Did you run the tools by hand? That does not work Daniel. I ran "restorecon -R -v /var/cache" per a suggestion I found using Google. It did NOT repair the problem. I had to use "semanage fcontext -a -t dhcpc_t '/var/cahce/ddclient(/.*)?'" followed by "restorecon -rv" which swept the dirt under the rug. It's obviously incorrect. ddclient has nothing to do with dhcpc. This is an error in the selinux policies for RHEL/SL 6.2. The ddclient_t setup is awol. Since there is an error I am restoring the status to NEW. {^_^} dhcpc_t is a process label and should not be assigned to a file system. In order to fix this we need to update SELInux Policy for RHEL6. It won't be back ported to 6.2?
{^_^}
Yup, so you will have to add local policy rules. Does # semanage fcontext -a -t dhcp_state_t '/var/cache/ddclient(/.*)?' # restorecon -R -v /var/cache/ddclient Fix your problem? (In reply to Daniel Walsh from comment #6) > Does > > # semanage fcontext -a -t dhcp_state_t '/var/cache/ddclient(/.*)?' > # restorecon -R -v /var/cache/ddclient > > Fix your problem? So far that works. I've been testing in Permissive mode 3 hours. Now I'm testing in Enforcing mode. And now a few hours later I have seen no failures as I had been before messing around with the dhcp_t version of that semanage command. It seems like a rude hack. But, it did seem to make it all function properly. That is a good thing when you have to make it work and can't afford being a purist. {^_^} We don't ship ddclient policy in RHEL6. Milos, do you remember for a reason? The ddclient package is not available from usual RHEL repositories, but comes from EPEL. I don't know if this is the reason you wanted to hear. OK, where is the complaint desk for EPEL? It really ought to be fixed up, although the sites for which it's appropriate are falling like flies. It sure took a long time to come up with this answer. (It's sort of like the IRS admitting to destroying a disk full of incriminating emails, isn't it?)
{^_^}
Hi Lukas and Mirekl, could you backport the ddclient policy from RHEL-7.0 to RHEL-6.6 ? That would solve the problem. Sure, I going to do it. done. patch sent Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Description of problem: For some time now ddclient has not been working quite right. I made some changes that finally brought to light the reason for this. I removed the tweaked ddclient.conf, then yum removed ddclient, yum install ddclient, and finally edited the ddclient.conf file to make it happy. I started getting errors. This sequence is typical: Dec 14 14:40:29 me2 ddclient[5711]: WARNING: updating xxxx.dyndns.org: nochg: No update required; unnecessary attempts to change to the current address are considered abusive Dec 14 14:40:29 me2 ddclient[5711]: FATAL: Cannot create file '/var/cache/ddclient/ddclient.cache'. (Permission denied) I figured it's not nice to abuse the kind folks at dyndns so I dug further into it. "setenforce 0" allows it to run properly. ddclient is running as a daemon from the computer startup processes. So I dug into the audit logs. These two lines do not look right. type=AVC msg=audit(1387064159.179:461956): avc: denied { getattr } for pid=6296 comm="ddclient" path="/var/cache/ddclient/ddclient.cache" dev=dm-0 ino=2621901 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1387064159.179:461956): arch=c000003e syscall=4 success=yes exit=0 a0=1b234a0 a1=1b02130 a2=1b02130 a3=28 items=0 ppid=6281 pid=6296 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10540 comm="ddclient" exe="/usr/bin/perl" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) ddclient with a dhcpc_t tag? I note there does not seem to be a ddclient_t or similar tag on the system. Version-Release number of selected component (if applicable): SL6.2 ddclient.noarch 3.8.1-1.el6 @epel How reproducible: Survives an uninstall/reinstall cycle. Steps to Reproduce: 1. service ddclient start 2. 3. Actual results: type=AVC msg=audit(1387064159.179:461956): avc: denied { getattr } for pid=6296 comm="ddclient" path="/var/cache/ddclient/ddclient.cache" dev=dm-0 ino=2621901 scontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file type=SYSCALL msg=audit(1387064159.179:461956): arch=c000003e syscall=4 success=yes exit=0 a0=1b234a0 a1=1b02130 a2=1b02130 a3=28 items=0 ppid=6281 pid=6296 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10540 comm="ddclient" exe="/usr/bin/perl" subj=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null) Expected results: The "denied" is not expected. That should be allowed. Additional info: At the moment I am running "setenforce 0". I would like to change that without getting these log warnings: Dec 14 14:40:29 me2 ddclient[5711]: WARNING: updating w6mku.dyndns.org: nochg: No update required; unnecessary attempts to change to the current address are considered abusive Dec 14 14:40:29 me2 ddclient[5711]: FATAL: Cannot create file '/var/cache/ddclient/ddclient.cache'. (Permission denied) {^_^}