Description of problem:
The SELinux policy for dhcpd doesn't support on commit scripts. For more details on on-commit scripts see:
http://jpmens.net/2011/07/06/execute-a-script-when-isc-dhcp-hands-out-a-new-lease/

Version-Release number of selected component (if applicable):
dhcp-4.2.5-42.el7

How reproducible:

Steps to Reproduce:
1. Enable an on-commit script
2. check the audit log
3. there is no step 3

Actual results:
type=AVC msg=audit(1453792866.181:11697): avc: denied { execute } for pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file

Expected results:
A valid SELinux file context for on commit scripts which allows execution, documented in dhcpd_selinux(8)

Additional info:
The samba reference policy provides a good example of what would be needed for dhcpd.

optional_policy(`
    type samba_unconfined_script_t;
    type samba_unconfined_script_exec_t;
    domain_type(samba_unconfined_script_t)
    domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
    corecmd_shell_entry_type(samba_unconfined_script_t)
    role system_r types samba_unconfined_script_t;

    allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
    allow smbd_t samba_unconfined_script_exec_t:file ioctl;

    unconfined_domain(samba_unconfined_script_t)

    tunable_policy(`samba_run_unconfined',`
        domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
    ',`
        can_exec(smbd_t, samba_unconfined_script_exec_t)
    ')
')
What is the usual location for such scripts?
There doesn't seem to be a default location, a subdir below /etc/dhcp would make sense I guess. I've opted for '/etc/dhcp/scripts' but am happy to change to a better option.
Let's ask Jiri.
+1 to something below /etc/dhcp/

We already have /etc/dhcp/dhclient.d/ for dhclient-related scripts, so my first thought was /etc/dhcp/dhcpd.d/

But then I realized that the execute() statement can be used not only with dhcpd but with dhclient as well, because the RELNOTES say:
"This permits dhcpd or dhclient to execute a named external program with command line arguments specified from other configuration language."

Also, as dhclient-script(8) says, the additional dhclient-{enter/exit/up/down}-hooks scripts that further extend dhclient-script's functionality should be placed into /etc/dhcp/

So maybe just /etc/dhcp/ without any additional subdirectory?
Scripts should be labeled as bin_t located in /etc/dhcp. Sten, did you get AVCs for your case?
The AVC I got is shown in my initial report:

type=AVC msg=audit(1453792866.181:11697): avc: denied { execute } for pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file

However this does show that the file is labelled as dhcp_etc_t, which is the default for /etc/dhcp. When I change the context to bin_t the on-commit script indeed works.

> chcon -t bin_t /etc/dhcp/myscript.py
> ls -aZ /etc/dhcp/myscript.py
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /etc/dhcp/myscript.py

Is this recommended type for dhcp scripts documented somewhere? Should it be?
OK, I overlooked that. The problem is /etc/dhcp is a directory for config files. It would be great to have a subdir for these scripts. We can define a generic labeling for /etc/dhcp to have bin_t as a default label and have more specific labels for config files. But I don't see it as a good solution.
Then either '/etc/dhcp/scripts' (per comment #3) or '/etc/dhcp/on-commit-scripts'. Sten, which one do you like more ?
/etc/dhcp/scripts would make the most sense. Running scripts is possible for expiry and release as well, so hard-coding "commit" in the directory name doesn't really seem logical. https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-on-expire-and-on-release-statements-in-DHCPv6.html
(In reply to Sten Spans from comment #10)
> /etc/dhcp/scripts would make the most sense.
>
> Running scripts is possible for expiry and release as well, so hard-coding
> "commit" in the directory name doesn't really seem logical.
>
> https://deepthought.isc.org/article/AA-01094/0/Adding-support-for-on-commit-on-expire-and-on-release-statements-in-DHCPv6.html

OK, do you need a bug?
I'll add a bin_t label for /etc/dhcp/scripts. Jiri, what is the state of this issue from your side? Thank you.
Pavel Simerda is the new owner of DHCP component.
(In reply to Lukas Vrabec from comment #12)
> I'll add bin_t label for /etc/dhcp/scripts.

OK

> Jiri, what is state of this issue from your side?

I haven't changed anything in dhcp. Pavel, I think we should add /etc/dhcp/scripts/ with just a README saying that it's a directory for on-commit scripts.
I added a label for it. From the selinux-policy side the issue is fixed.
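Added example for readers of this thread (not code from the reporter, from the dhcp package, or from selinux-policy): a small triage helper that parses audit lines like the AVC quoted in the report, picks out the one pattern this bug is about (dhcpd_t denied execute on a file still labelled dhcp_etc_t, the default type for config files under /etc/dhcp), and prints the labeling fix the thread converged on. Assumptions, marked in the code: the fcontext regex `/etc/dhcp/scripts(/.*)?` (the thread only says the directory gets bin_t; the exact pattern the policy ships is not quoted), the script's parent directory (an AVC record carries only the basename in `name=`), and the sample audit lines, which are constructed.

```python
"""Triage SELinux AVC denials for dhcpd on-commit/on-expiry/on-release scripts.

Added example; not part of the bug report or of the selinux-policy package.
"""
import re
from typing import Dict, List, Optional

# Constructed sample audit log. Line 1 is the denial quoted in the bug report;
# lines 2 and 3 are made up here so the parser has a non-file denial and a
# non-AVC record to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1453792866.181:11697): avc: denied { execute } for pid=3174 comm="dhcpd" name="myscript" dev="dm-0" ino=147660 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcp_etc_t:s0 tclass=file
type=AVC msg=audit(1453792870.002:11702): avc: denied { name_bind } for pid=3174 comm="dhcpd" src=6700 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1453792866.181:11697): arch=c000003e syscall=59 success=no exit=-13 comm="dhcpd"
"""

# Directory the thread settled on; the policy labels it bin_t.
SCRIPT_DIR = "/etc/dhcp/scripts"
SCRIPT_FCONTEXT = SCRIPT_DIR + "(/.*)?"   # assumed regex form of that equivalence
ASSUMED_OLD_DIR = "/etc/dhcp"             # AVC has only the basename; parent dir assumed

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type (third field) of user:role:type[:level], or '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line into its key=value fields; None unless it is an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def is_dhcp_script_denial(avc: Dict[str, object]) -> bool:
    """The pattern from this bug: dhcpd_t asked to execute a file that still
    carries dhcp_etc_t, i.e. a script dropped next to the config files."""
    return (
        avc.get("tclass") == "file"
        and "execute" in avc["perms"]
        and selinux_type(str(avc.get("scontext", ""))) == "dhcpd_t"
        and selinux_type(str(avc.get("tcontext", ""))) == "dhcp_etc_t"
    )


def remediation(avc: Dict[str, object]) -> List[str]:
    """Shell commands for a persistent fix. A bare chcon (as tried in the thread)
    is undone by the next restorecon or relabel; an fcontext rule, or the one the
    policy now ships for /etc/dhcp/scripts, survives it."""
    name = str(avc.get("name", "<script>"))
    return [
        "mkdir -p %s" % SCRIPT_DIR,
        "mv %s/%s %s/" % (ASSUMED_OLD_DIR, name, SCRIPT_DIR),
        "semanage fcontext -a -t bin_t '%s'  # only if the policy does not already label it"
        % SCRIPT_FCONTEXT,
        "restorecon -Rv %s" % SCRIPT_DIR,
        "ls -Z %s/%s  # expect ...:object_r:bin_t:s0" % (SCRIPT_DIR, name),
    ]


def triage(audit_text: str) -> List[Dict[str, object]]:
    """One finding per dhcpd script-execution denial in the log text."""
    findings: List[Dict[str, object]] = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and is_dhcp_script_denial(avc):
            findings.append({"pid": avc.get("pid"), "name": avc.get("name"),
                             "fix": remediation(avc)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print("dhcpd (pid %s) denied execute on %s; fix:" % (f["pid"], f["name"]))
        for cmd in f["fix"]:
            print("  " + cmd)
```

On a live system the input would be `ausearch -m avc -c dhcpd` output rather than the embedded sample. The check deliberately keys on the pair of types (dhcpd_t, dhcp_etc_t) and the `execute` permission rather than on the file name, so it also catches on-expiry and on-release scripts, which use the same execute() mechanism and hit the same label.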
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html