This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1315802 - SELinux is preventing dhcpd from using the fowner capability
SELinux is preventing dhcpd from using the fowner capability
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
24
Unspecified Linux
unspecified Severity low
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
: 1317944 1343682 (view as bug list)
Depends On:
Blocks: 1358485
  Show dependency treegraph
 
Reported: 2016-03-08 10:55 EST by Edgar Hoch
Modified: 2017-08-08 09:06 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-08 09:06:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Messages in journal after restarting dhcpd.service (3.35 KB, text/plain)
2016-03-08 16:46 EST, Edgar Hoch
no flags Details
List of files that may be relevant to dhcpd (8.07 KB, text/plain)
2016-03-08 16:47 EST, Edgar Hoch
no flags Details
List of files that may be relevant to dhcpd, with fcontext information (13.44 KB, text/plain)
2016-03-08 16:47 EST, Edgar Hoch
no flags Details
Output of sealert -l 76c0e459-18af-4e63-adf3-1b2476df79b8 (1.73 KB, text/plain)
2016-03-09 06:03 EST, Edgar Hoch
no flags Details
Output of "grep dhcpd /var/log/audit/audit.log | audit2allow -m dhcpd-fowner" (157 bytes, text/plain)
2016-03-09 06:04 EST, Edgar Hoch
no flags Details
SELinux alert including SYSCALL line (2.06 KB, text/plain)
2016-03-12 15:23 EST, Göran Uddeborg
no flags Details

  None (edit)
Description Edgar Hoch 2016-03-08 10:55:45 EST
Description of problem:
When dhcpd starts it logs the following selinux messages to journal:

python3[6167]: SELinux is preventing dhcpd from using the fowner capability.

/var/log/audit/audit.log contains lines as follows:

type=AVC msg=audit(1457447826.751:1446): avc:  denied  { fowner } for  pid=6162 comm="dhcpd" capability=3  scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability permissive=0


I don't know if dhcpd needs this capability. Please can someone check this, and ether reassign this bug report to selinux-policy-targeded to let them change the policy, or change (patch) dhcpd in a way that it doesn't request this capability (or drop the cabability when dhcpd drops its privileges).

I have downloaded the source rpm but I couldn't identify the code which causes the error message.

Even if dhcpd seems to work, error messages are irritating system administrators.

Thanks in advance.


Version-Release number of selected component (if applicable):
kernel-4.4.3-300.fc23.x86_64
selinux-policy-3.13.1-158.9.fc23.noarch
selinux-policy-targeted-3.13.1-158.9.fc23.noarch


How reproducible:
Always

Steps to Reproduce:
1. Install dhcp-server.
2. systemctl start dhcpd
3. journalctl -e -u dhcpd

Actual results:
Error message as written above.

Expected results:
No error message.
Comment 1 Jiri Popelka 2016-03-08 12:19:17 EST
I don't see such avc here. Would it be possible to get more details about it - like what file it tries to touch (if I understand the 'fowner' correctly) ?

The only idea I have is that it has something to do with
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=7a6c9368c9a507ebe1464609b1c1d1ba88423b02
but this upstream commit just merged a patch (well, not exactly) we had had in Fedora for some time.
Comment 2 Edgar Hoch 2016-03-08 16:46 EST
Created attachment 1134312 [details]
Messages in journal after restarting dhcpd.service

I don't know how to cause dhcpd to output more detailed debugging information.

I attach the output of journalctl regarding to restart of dhcpd.service.

I will also attach a listing of files with may be belong to dhcpd.
Comment 3 Edgar Hoch 2016-03-08 16:47 EST
Created attachment 1134313 [details]
List of files that may be relevant to dhcpd
Comment 4 Edgar Hoch 2016-03-08 16:47 EST
Created attachment 1134315 [details]
List of files that may be relevant to dhcpd, with fcontext information
Comment 6 Edgar Hoch 2016-03-09 06:03 EST
Created attachment 1134455 [details]
Output of sealert -l 76c0e459-18af-4e63-adf3-1b2476df79b8

The output of sealert isn't really helpful. You find it in the attachment.
Comment 7 Edgar Hoch 2016-03-09 06:04 EST
Created attachment 1134456 [details]
Output of "grep dhcpd /var/log/audit/audit.log | audit2allow -m dhcpd-fowner"
Comment 8 Göran Uddeborg 2016-03-12 15:23 EST
Created attachment 1135665 [details]
SELinux alert including SYSCALL line

In case it might help, here is the message I got from setroubleshoot.  It contains a type=SYSCALL audit line in addition to what already is in the sealert output above.  That line says dhcpd was trying to do "link" when triggering this alert.  (But I don't know any way to know now which file it was trying to link.)

My environment:
kernel-4.4.4-301.fc23.x86_64
selinux-policy-targeted-3.13.1-158.4.fc23.noarch
dhcp-server-4.3.3-8.P1.fc23.x86_64
Comment 9 Jiri Popelka 2016-03-14 07:56:09 EDT
OK, I can see a link call in the code where dhcpd makes backup of leases db:
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=blob;f=server/db.c;hb=HEAD#l1216
However it's been there for a long time.

To SELinux guys: can we allow dhcpd to use the fowner capability ?
Comment 10 Göran Uddeborg 2016-03-15 09:28:05 EDT
Are we talking about files in /var/lib/dhcpd?  If so, why would a link() call there require anything special?  The directory and all files are owned by dhcpd.  According to http://selinuxproject.org/page/ObjectClassesPerms the fowner permission means

Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies.

Something looks strange, doesn't it?
Comment 11 Edward Kuns 2016-06-20 01:08:38 EDT
I see this as well.  If there's any information I can provide that will be helpful, let me know.  This is on Fedora 23:

dhcp-server-4.3.3-9.P1.fc23.x86_64
Comment 12 Jiri Popelka 2016-06-20 08:40:02 EDT
*** Bug 1343682 has been marked as a duplicate of this bug. ***
Comment 13 Jiri Popelka 2016-06-21 03:33:24 EDT
*** Bug 1317944 has been marked as a duplicate of this bug. ***
Comment 14 Anthony Messina 2016-07-17 15:55:07 EDT
I see this on F24:

audit[1200]: AVC avc:  denied  { fowner } for  pid=1200 comm="dhcpd" capability=3  scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability permissive=1
Comment 15 Michal Hlavinka 2016-08-18 16:28:30 EDT
still an issue on Fedora 24. I've just updated headless router/nas to F24 and got unwanted entertainment from fixing it.

I think this is quite important use case and this bug should have higher priority.
Comment 16 Leszek Matok 2016-08-24 18:08:13 EDT
Description of problem:
Rebooted the computer...

Version-Release number of selected component:
selinux-policy-3.13.1-158.21.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.6.6-200.fc23.x86_64
type:           libreport
Comment 17 Leszek Matok 2016-08-24 18:18:36 EDT
I love how bug 1317944 and bug 1343682 (confirmed in F24) were marked as duplicates of this one (while this one affects F23 only, yay! Let's close it as WONTFIX/CURRENTRELEASE in 3 months!) after half a year of having 20 different people reporting those other bugs.

You guys are really good at limiting the apparent impact of your bugs, but one has to wonder... why would you rather spend time on bugzilla instead of inserting a one-liner rule in the selinux policy? Makes no sense to my unarmed eye :/

(I mean, if this was anything harder than a one-liner, surely there would be a comment here and upstream bug reference, no?)
Comment 18 Yaakov Selkowitz 2016-09-20 17:13:46 EDT
Would this just be a matter of changing:

+  allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };

to:

+  allow dhcpd_t self:capability { chown dac_override fowner setgid setuid sys_chroot };

in policy-rawhide-contrib.patch?
Comment 19 Fedora End Of Life 2016-11-24 10:58:27 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 20 Paul Howarth 2016-11-24 13:35:14 EST
This happens in F24 too.
Comment 21 Kyle Marek 2017-01-04 01:56:20 EST
This also applies to version 25.

In my case, I created a module to not audit this message, since journalctl isn't showing any error, and dhcpd isn't displaying any issues in functionality, without this capability allowed.

I imagine dhcpd wants fowner to fix user errors in permissions and such, but if it doesn't need it, maybe this can be integrated into the dhcpd policies.


module dhcpd-nofowner 1.0;

require {
	type dhcpd_t;
	class capability fowner;
}

#============= dhcpd_t ==============
dontaudit dhcpd_t self:capability fowner;
Comment 22 Anthony Messina 2017-01-14 13:09:35 EST
This is resolved/duplicated in bug #1409963
Comment 23 Fedora End Of Life 2017-07-25 16:18:19 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 24 Fedora End Of Life 2017-08-08 09:06:40 EDT
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.