Bug 1301854 - dhcpd selinux policy doesn't handle on-commit scripts
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware/OS: All Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Eva Mrakova
Blocks: 1330976 1349044
Reported: 2016-01-26 02:42 EST by Sten Spans
Modified: 2016-11-03 22:41 EDT
Fixed In Version: selinux-policy-3.13.1-82.el7
Doc Type: Bug Fix
Clones: 1330976 1349044
Last Closed: 2016-11-03 22:41:05 EDT
Type: Bug
Description Sten Spans 2016-01-26 02:42:22 EST
Description of problem:

The SELinux policy for dhcpd doesn't support on-commit scripts.
For more details on on-commit scripts see:

http://jpmens.net/2011/07/06/execute-a-script-when-isc-dhcp-hands-out-a-new-lease/


Version-Release number of selected component (if applicable):

dhcp-4.2.5-42.el7


How reproducible:


Steps to Reproduce:
1. Enable an on-commit script
2. check the audit log
3. there is no step 3

Actual results:

type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file

Expected results:
A valid SELinux file context for on-commit scripts which allows execution, documented in dhcpd_selinux(8).

Additional info:

The samba reference policy provides a good example of what would be needed for dhcpd.

optional_policy(`
    type samba_unconfined_script_t;
    type samba_unconfined_script_exec_t;
    domain_type(samba_unconfined_script_t)
    domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
    corecmd_shell_entry_type(samba_unconfined_script_t)
    role system_r types samba_unconfined_script_t;

    allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
    allow smbd_t samba_unconfined_script_exec_t:file ioctl;

    unconfined_domain(samba_unconfined_script_t)

    tunable_policy(`samba_run_unconfined',`
        domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
    ',`
        can_exec(smbd_t, samba_unconfined_script_exec_t)
    ')
')
Comment 2 Milos Malik 2016-01-26 03:44:59 EST
What is the usual location for such scripts?
Comment 3 Sten Spans 2016-01-26 04:51:24 EST
There doesn't seem to be a default location; a subdir below /etc/dhcp would make sense, I guess. I've opted for '/etc/dhcp/scripts' but am happy to change to a better option.
Comment 4 Miroslav Grepl 2016-02-12 01:25:47 EST
Let's ask Jiri.
Comment 5 Jiri Popelka 2016-02-12 09:14:57 EST
+1 to something below /etc/dhcp/

We already have /etc/dhcp/dhclient.d/ for dhclient-related scripts, so my first thought was /etc/dhcp/dhcpd.d/
But then I realized that the execute() statement can be used not only with dhcpd but with dhclient as well, because the RELNOTES says:
"This permits dhcpd or dhclient to execute a named external program
 with command line arguments specified from other configuration language."

Also, as dhclient-script(8) says, the additional dhclient-{enter/exit/up/down}-hooks scripts that further extend dhclient-script's functionality should be placed into /etc/dhcp/.

So maybe just /etc/dhcp/ without any additional subdirectory?
Comment 6 Miroslav Grepl 2016-02-25 11:03:44 EST
Scripts should be labeled as bin_t located in /etc/dhcp.

Sten,
did you get AVCs for your case?
Comment 7 Sten Spans 2016-02-26 02:48:17 EST
The AVC I got is shown in my initial report:

type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file


However this does show that the file is labelled as dhcp_etc_t, which is the default for /etc/dhcp. When I change the context to bin_t the on-commit script indeed works.

> chcon -t bin_t /etc/dhcp/myscript.py
> ls -aZ /etc/dhcp/myscript.py
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /etc/dhcp/myscript.py


Is this recommended type for dhcp scripts documented somewhere? Should it be?
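As an added example (not code from the bug report), the following Python parses AVC records like the one quoted above and flags execute denials hit by dhcpd_t, reporting the label the file carried and the placement this thread settled on (/etc/dhcp/scripts, labelled bin_t). The sample log lines are constructed, and the parser, its regexes and its field names are assumptions of this example rather than anything from the policy or the audit tooling.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit log: the first line is the AVC quoted in this bug
# report; the other two are constructed records the filter below must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453792866.181:11697): avc:  denied  { execute } for  pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file
type=AVC msg=audit(1453792866.181:11699): avc:  denied  { write } for  pid=3174 comm="dhcpd" name="dhcpd.leases" dev="dm-0" ino=147700 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=SYSCALL msg=audit(1453792866.181:11697): arch=c000003e syscall=59 success=no exit=-13 comm="dhcpd" exe="/usr/sbin/dhcpd"
"""

# AVC header (serial, result, permission set), then key=value fields whose
# values may be double-quoted (comm, name, dev) or bare (scontext, tclass).
AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = {"serial": int(m["serial"]), "result": m["result"],
                              "perms": m["perms"].split()}
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = bare if bare else quoted
    return rec


def context_type(ctx: str) -> str:
    """SELinux contexts are user:role:type[:level]; return the type field."""
    return ctx.split(":")[2]


def dhcpd_script_denials(log_text: str) -> List[Dict[str, str]]:
    """dhcpd_t execute denials, with the file's label and the fix this bug settled on."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("tclass") != "file":
            continue
        if "execute" not in rec["perms"] or context_type(str(rec.get("scontext", "::"))) != "dhcpd_t":
            continue
        ttype = context_type(str(rec.get("tcontext", "::")))
        # dhcp_etc_t is the default label under /etc/dhcp, i.e. a script left in the config dir.
        fix = ("move the script to /etc/dhcp/scripts and run restorecon -Rv on it"
               if ttype == "dhcp_etc_t" else "inspect the label with ls -Z and relabel")
        findings.append({"serial": str(rec["serial"]), "name": str(rec.get("name", "?")),
                         "type": ttype, "fix": fix})
    return findings
```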
Comment 8 Miroslav Grepl 2016-03-14 03:41:02 EDT
OK, I overlooked that.

The problem is that /etc/dhcp is a directory for config files. It would be great to have a subdir for these scripts.

We can define a generic labeling for /etc/dhcp to have bin_t as a default label and have more specific labels for config files. But I don't see it as a good solution.
Comment 9 Jiri Popelka 2016-03-14 07:11:41 EDT
Then either '/etc/dhcp/scripts' (per comment #3) or '/etc/dhcp/on-commit-scripts'. Sten, which one do you like more?
Comment 10 Sten Spans 2016-03-15 06:18:25 EDT
/etc/dhcp/scripts would make the most sense. 

Running scripts is possible for expiry and release as well, so hard-coding "commit" in the directory name doesn't really seem logical.

https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-on-expire-and-on-release-statements-in-DHCPv6.html
Comment 11 Miroslav Grepl 2016-04-28 10:10:36 EDT
(In reply to Sten Spans from comment #10)
> /etc/dhcp/scripts would make the most sense. 
> 
> Running scripts is possible for expiry and release as well, so hard-coding
> "commit" in the directory name doesn't really seem logical.
> 
> https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-
> on-expire-and-on-release-statements-in-DHCPv6.html

Ok, do you need a bug?
Comment 12 Lukas Vrabec 2016-06-22 07:07:13 EDT
I'll add a bin_t label for /etc/dhcp/scripts.

Jiri, what is the state of this issue from your side?

Thank you.
Comment 13 Tomáš Hozza 2016-06-22 07:27:29 EDT
Pavel Simerda is the new owner of DHCP component.
Comment 14 Jiri Popelka 2016-06-22 07:43:11 EDT
(In reply to Lukas Vrabec from comment #12)
> I'll add bin_t label for /etc/dhcp/scripts. 

OK

> Jiri, what is state of this issue from your side? 

I haven't changed anything in dhcp.
Pavel, I think we should add the /etc/dhcp/scripts/ with just README saying that it's a directory for on-commit scripts.
Comment 15 Lukas Vrabec 2016-06-22 11:10:21 EDT
I added a label for it. From the selinux-policy side the issue is fixed.
Comment 19 errata-xmlrpc 2016-11-03 22:41:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html