Description of problem: When dhcpd starts it logs the following selinux messages to journal: python3[6167]: SELinux is preventing dhcpd from using the fowner capability. /var/log/audit/audit.log contains lines as follows: type=AVC msg=audit(1457447826.751:1446): avc: denied { fowner } for pid=6162 comm="dhcpd" capability=3 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability permissive=0 I don't know if dhcpd needs this capability. Please can someone check this, and ether reassign this bug report to selinux-policy-targeded to let them change the policy, or change (patch) dhcpd in a way that it doesn't request this capability (or drop the cabability when dhcpd drops its privileges). I have downloaded the source rpm but I couldn't identify the code which causes the error message. Even if dhcpd seems to work, error messages are irritating system administrators. Thanks in advance. Version-Release number of selected component (if applicable): kernel-4.4.3-300.fc23.x86_64 selinux-policy-3.13.1-158.9.fc23.noarch selinux-policy-targeted-3.13.1-158.9.fc23.noarch How reproducible: Always Steps to Reproduce: 1. Install dhcp-server. 2. systemctl start dhcpd 3. journalctl -e -u dhcpd Actual results: Error message as written above. Expected results: No error message.
I don't see such avc here. Would it be possible to get more details about it - like what file it tries to touch (if I understand the 'fowner' correctly) ? The only idea I have is that it has something to do with https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=7a6c9368c9a507ebe1464609b1c1d1ba88423b02 but this upstream commit just merged a patch (well, not exactly) we had had in Fedora for some time.
Created attachment 1134312 [details] Messages in journal after restarting dhcpd.service I don't know how to cause dhcpd to output more detailed debugging information. I attach the output of journalctl regarding to restart of dhcpd.service. I will also attach a listing of files with may be belong to dhcpd.
Created attachment 1134313 [details] List of files that may be relevant to dhcpd
Created attachment 1134315 [details] List of files that may be relevant to dhcpd, with fcontext information
Thanks, I meant something like using 'sealert' https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-sealert_Messages.html
Created attachment 1134455 [details] Output of sealert -l 76c0e459-18af-4e63-adf3-1b2476df79b8 The output of sealert isn't really helpful. You find it in the attachment.
Created attachment 1134456 [details] Output of "grep dhcpd /var/log/audit/audit.log | audit2allow -m dhcpd-fowner"
Created attachment 1135665 [details] SELinux alert including SYSCALL line In case it might help, here is the message I got from setroubleshoot. It contains a type=SYSCALL audit line in addition to what already is in the sealert output above. That line says dhcpd was trying to do "link" when triggering this alert. (But I don't know any way to know now which file it was trying to link.) My environment: kernel-4.4.4-301.fc23.x86_64 selinux-policy-targeted-3.13.1-158.4.fc23.noarch dhcp-server-4.3.3-8.P1.fc23.x86_64
OK, I can see a link call in the code where dhcpd makes backup of leases db: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=blob;f=server/db.c;hb=HEAD#l1216 However it's been there for a long time. To SELinux guys: can we allow dhcpd to use the fowner capability ?
Are we talking about files in /var/lib/dhcpd? If so, why would a link() call there require anything special? The directory and all files are owned by dhcpd. According to http://selinuxproject.org/page/ObjectClassesPerms the fowner permission means Override all file owner requirements (e.g. for chmod, setxattr) except where fsetid applies. Something looks strange, doesn't it?
I see this as well. If there's any information I can provide that will be helpful, let me know. This is on Fedora 23: dhcp-server-4.3.3-9.P1.fc23.x86_64
*** Bug 1343682 has been marked as a duplicate of this bug. ***
*** Bug 1317944 has been marked as a duplicate of this bug. ***
I see this on F24: audit[1200]: AVC avc: denied { fowner } for pid=1200 comm="dhcpd" capability=3 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability permissive=1
still an issue on Fedora 24. I've just updated headless router/nas to F24 and got unwanted entertainment from fixing it. I think this is quite important use case and this bug should have higher priority.
Description of problem: Rebooted the computer... Version-Release number of selected component: selinux-policy-3.13.1-158.21.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.6.6-200.fc23.x86_64 type: libreport
I love how bug 1317944 and bug 1343682 (confirmed in F24) were marked as duplicates of this one (while this one affects F23 only, yay! Let's close it as WONTFIX/CURRENTRELEASE in 3 months!) after half a year of having 20 different people reporting those other bugs. You guys are really good at limiting the apparent impact of your bugs, but one has to wonder... why would you rather spend time on bugzilla instead of inserting a one-liner rule in the selinux policy? Makes no sense to my unarmed eye :/ (I mean, if this was anything harder than a one-liner, surely there would be a comment here and upstream bug reference, no?)
Would this just be a matter of changing: + allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; to: + allow dhcpd_t self:capability { chown dac_override fowner setgid setuid sys_chroot }; in policy-rawhide-contrib.patch?
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This happens in F24 too.
This also applies to version 25. In my case, I created a module to not audit this message, since journalctl isn't showing any error, and dhcpd isn't displaying any issues in functionality, without this capability allowed. I imagine dhcpd wants fowner to fix user errors in permissions and such, but if it doesn't need it, maybe this can be integrated into the dhcpd policies. module dhcpd-nofowner 1.0; require { type dhcpd_t; class capability fowner; } #============= dhcpd_t ============== dontaudit dhcpd_t self:capability fowner;
This is resolved/duplicated in bug #1409963
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.