Bug 1152163 - dhcpd fails because of selinux violation
Summary: dhcpd fails because of selinux violation
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhel-osp-installer
Version: Foreman (RHEL 6)
Hardware: All
OS: Unspecified
high
high
Target Milestone: ---
: Installer
Assignee: Mike Burns
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On:
Blocks: 1158941 1161537
 
Reported: 2014-10-13 14:01 UTC by Jeff Dexter
Modified: 2016-09-29 13:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1161537 (view as bug list)
Environment:
Last Closed: 2016-09-29 13:24:04 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1158941 0 unspecified CLOSED setting up default capsule failed with dhcp error 2021-02-22 00:41:40 UTC

Internal Links: 1158941

Description Jeff Dexter 2014-10-13 14:01:34 UTC
Description of problem:
When installing Foreman/Staypuft, networking setup fails due to the dhcpd service
not starting.



Version-Release number of selected component (if applicable):
rhel-osp-installer-0.3.6-1.el6ost.noarch


How reproducible:
100% on 2 tries

Steps to Reproduce:
1. Clean RHEL6.5 install 
2. yum install rhel-osp-installer
3. 

Actual results:
[ERROR 2014-10-10 22:07:31 main] Repeating errors encountered during run:
[ERROR 2014-10-10 22:07:31 main]  Could not start Service[dhcpd]: Execution of '/sbin/service dhcpd start' returned 1: Starting dhcpd: [FAILED]
[ERROR 2014-10-10 22:07:31 main]  /Stage[main]/Dhcp/Service[dhcpd]/ensure: change from stopped to running failed: Could not start Service[dhcpd]: Execution of '/sbin/service dhcpd start' returned 1: Starting dhcpd: [FAILED]

Expected results:
install correctly

Additional info:

type=AVC msg=audit(1412993243.527:416): avc:  denied  { chown } for  pid=5194 comm="dhcpd" capability=0  scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1412993243.527:416): arch=c000003e syscall=93 success=no exit=-1 a0=6 a1=b1 a2=b1 a3=0 items=0 ppid=5193 pid=5194 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)


Workaround
setenforce 0, dhcpd starts, and installer finishes on next run.

Comment 3 Mike Burns 2014-10-13 17:41:10 UTC
What version of selinux-policy and foreman-selinux are installed?

Comment 4 stuart.stent 2014-10-17 19:20:03 UTC
I see the same problem here.

selinux-policy-3.7.19-231.el6.noarch
foreman-selinux-1.6.0.14-1.el6sat.noarch

Comment 5 Ryan Hallisey 2014-10-20 18:06:23 UTC
allow dhcpd_t self:capability chown;

This already exists in rhel7.  It just needs to be added to rhel6.
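
How the AVC record in the description maps to the rule quoted in Comment 5, as an added example that is not part of the original bug thread: a small Python parser that pulls the denied permission, source type, target type and class out of an AVC line and renders the corresponding allow rule. The function names are this example's own.

```python
import re

# The AVC record from the bug description, copied from the page.
AVC_LINE = (
    'type=AVC msg=audit(1412993243.527:416): avc:  denied  { chown } for  '
    'pid=5194 comm="dhcpd" capability=0  '
    'scontext=unconfined_u:system_r:dhcpd_t:s0 '
    'tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    src = fields['scontext'].split(':')
    tgt = fields['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:  # context must be user:role:type[:level]
        return None
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        'source': src[2],  # the type is the third field of the context
        'target': tgt[2],
        'tclass': fields['tclass'],
    }

def to_allow_rule(avc):
    """Render the type-enforcement rule that would permit the denied access."""
    # The policy language writes "self" when source and target types are equal.
    target = 'self' if avc['source'] == avc['target'] else avc['target']
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source']} {target}:{avc['tclass']} {perm_text};"

if __name__ == '__main__':
    print(to_allow_rule(parse_avc(AVC_LINE)))
```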

Comment 6 Jason Montleon 2014-10-30 15:29:41 UTC
Which version of the dhcp package are you using?

I believe you can do this by installing RHEL 6.5, registering to 6Server, not updating, and then installing dhcp, which grabs the latest 6.6 package.

with selinux-policy-3.7.19-260.el6.noarch:
#!!!! This avc is allowed in the current policy
allow dhcpd_t self:capability chown;

Really, the bug in my opinion is that the dhcp package doesn't require a new enough selinux-policy package.

Comment 7 Jason Montleon 2014-10-30 15:31:48 UTC
*** Bug 1158941 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2014-11-24 12:34:04 UTC
commit 30d7c568dcf280caa308292bdc8f00eff9b29eab
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 29 12:16:30 2014 +0200

    Added chown capability to dhcpd_t domain

Comment 10 Jaromir Coufal 2016-09-29 13:24:04 UTC
Closing list of bugs for RHEL OSP Installer since its support cycle has already ended [0]. If there is some bug closed by mistake, feel free to re-open.

For new deployments, please, use RHOSP director (starting with version 7).

-- Jaromir Coufal
-- Sr. Product Manager
-- Red Hat OpenStack Platform

[0] https://access.redhat.com/support/policy/updates/openstack/platform

