Bug 1554390 - SELinux is preventing dnsmasq from using the 'dac_override' capabilities.
Summary: SELinux is preventing dnsmasq from using the 'dac_override' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnsmasq
Version: 28
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3e41dc4d6900af7eae978f5b9fb...
: 1585480 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-12 15:22 UTC by sedrubal
Modified: 2018-09-10 09:03 UTC (History)
23 users (show)

Fixed In Version: dnsmasq-2.79-3.fc28 dnsmasq-2.79-3.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-05 18:38:07 UTC
Type: ---


Attachments (Terms of Use)

Description sedrubal 2018-03-12 15:22:51 UTC
Description of problem:
Share a connection using network manager violates this se rule when a client tries to connect using dhcp
SELinux is preventing dnsmasq from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that dnsmasq should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq
# semodule -X 300 -i my-dnsmasq.pp

Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:system_r:dnsmasq_t:s0
Target Objects                Unknown [ capability ]
Source                        dnsmasq
Source Path                   dnsmasq
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-10.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.16.0-0.rc3.git0.1.fc28.x86_64 #1
                              SMP Mon Feb 26 15:15:43 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-03-12 16:20:42 CET
Last Seen                     2018-03-12 16:21:09 CET
Local ID                      7d2fddc9-c33c-48fb-93a8-bdbf6fdd29b1

Raw Audit Messages
type=AVC msg=audit(1520868069.54:1494): avc:  denied  { dac_override } for  pid=28858 comm="dnsmasq" capability=1  scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=1


Hash: dnsmasq,dnsmasq_t,dnsmasq_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.1-10.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.16.0-0.rc3.git0.1.fc28.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2018-03-12 16:07:13 UTC
Hi, 

It looks like some dnsqmasq file has too tight permissions, could you please look on it? For more info see:
https://danwalsh.livejournal.com/34903.html

Thanks,
Lukas.

Comment 2 Petr Menšík 2018-03-15 18:26:26 UTC
Is it know what path violated the rule? Dnsmasq still uses root rights for writing leases into /var/lib/dnsmasq. Is that the problem?

Comment 3 sedrubal 2018-03-17 16:51:42 UTC
I can not reliable reproduce this denial and after hours of debugging I still don't understand SELinux.

/var/lib/dnsmasq/dnsmasq.leases is: 
-rw-r--r-- root root system_u:object_r:dnsmasq_lease_t:s0 

There are some dnsmasq processes running as root and some as dnsmasq.

Everything works as expected but sometimes this nasty seapplet pops up...

If you can't reproduce, you can close this issue.

Comment 4 Jonas Ådahl 2018-04-12 14:16:05 UTC
Is this the same issue as one that ends up with dnsmasq being unable to open or create /var/lib/dnsmasq/dnsmasq.leases? What I see in my journal is

audit[389]: AVC avc:  denied  { dac_override } for  pid=389 comm="dnsmasq" capability=1  scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability ...
dnsmasq[389]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied

If so, my reproduction steps are:

1. Open nm-connection-editor
2. Add a new ethernet connection
3. Select "share to other computers" in both IPv4 and IPv6.
4. Select the new ethernet connection

Doing so will trigger this error. Doing "setenforce 0" enables dnsmasq to start again.

Comment 5 Adam Williamson 2018-05-03 20:40:31 UTC
This denial appears to be preventing dnsmasq.service from starting at all in F28, the way we try to use it in openQA tests:

May 03 13:32:46 support.domain.local systemd[1]: Started DNS caching server..
May 03 13:32:46 support.domain.local audit[927]: AVC avc:  denied  { dac_override } for  pid=927 comm="dnsmasq" capability=1  scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0
May 03 13:32:46 support.domain.local dnsmasq[927]: dnsmasq: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied
May 03 13:32:46 support.domain.local dnsmasq[927]: cannot open or create lease file /var/lib/dnsmasq/dnsmasq.leases: Permission denied
May 03 13:32:46 support.domain.local dnsmasq[927]: FAILED to start up
May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
May 03 13:32:46 support.domain.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

The way we're using it is basically to create a config file like this:

domain=domain.local
dhcp-range=10.0.2.112,10.0.2.199
dhcp-option=option:router,10.0.2.2

and then start dnsmasq.service. This seems to be failing reliably on F28.

Comment 6 Mach 2018-05-18 05:31:12 UTC
Version-Release number of selected component:
selinux-policy-3.14.1-24.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.8-300.fc28.x86_64
type:           libreport

Comment 7 Mach 2018-05-18 06:01:14 UTC
(In reply to Mach from comment #6)
> Version-Release number of selected component:
> selinux-policy-3.14.1-24.fc28.noarch
> 
> Additional info:
> reporter:       libreport-2.9.5
> hashmarkername: setroubleshoot
> kernel:         4.16.8-300.fc28.x86_64
> type:           libreport


我是在创建WiFi热点时,发生的这个错误。我使用Fedora28-MATE。

按报告中的提示的操作后,可以正常使用 WiFi热点 功能。
# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq
# semodule -X 300 -i my-dnsmasq.pp

Comment 8 Mach 2018-05-18 06:05:00 UTC
(In reply to Mach from comment #7)
> (In reply to Mach from comment #6)
> > Version-Release number of selected component:
> > selinux-policy-3.14.1-24.fc28.noarch
> > 
> > Additional info:
> > reporter:       libreport-2.9.5
> > hashmarkername: setroubleshoot
> > kernel:         4.16.8-300.fc28.x86_64
> > type:           libreport
> 


when I created the WiFi hotspot, the mistake that happened. 
I use Fedora28-MATE.


According to the prompt in the report, WiFi hotspots can be used normally.
# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq
# semodule -X 300 -i my-dnsmasq.pp

Comment 9 Alan Hamilton 2018-05-27 20:08:43 UTC
dac_override failure means that file/directory permissions (rwx) are being enforced against the root user. This seems to be new in F28.

The dnsmasq.leases file is owned by root and writable by it so that's not a problem. I think the issue is the parent directory:

# ls -ld /var/lib/dnsmasq
drwxr-xr-x. 2 dnsmasq dnsmasq 4096 Mar 22 10:35 /var/lib/dnsmasq/

If it's trying to rename and rewrite the file this will fail because root does not have write permissions on the directory.

Comment 10 Petr Menšík 2018-07-02 18:25:19 UTC
It was broken by commit [1]. Aparently dnsmasq never writes into that directory as dnsmasq user, but leases are written always from forked helper running under root. We missed that fact before.

Because libvirt expects dhcp-script is running under root, that part still has to run under root. Separate drop of capabilities and setuid would be nice also for helper process. But it might break different configurations, postponing later.

[1] https://src.fedoraproject.org/rpms/dnsmasq/c/c81a33501e0271ed3f83a46215f4f0b702c0f1b8?branch=master

Comment 11 Fedora Update System 2018-07-02 18:44:36 UTC
dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 12 Fedora Update System 2018-07-02 18:45:28 UTC
dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 13 Lukas Vrabec 2018-07-03 07:22:45 UTC
*** Bug 1585480 has been marked as a duplicate of this bug. ***

Comment 14 Fedora Update System 2018-07-03 14:01:13 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 15 Fedora Update System 2018-07-03 17:54:45 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 16 Fedora Update System 2018-07-05 18:38:07 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2018-07-31 17:09:47 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 nuno ferreira 2018-09-10 09:03:20 UTC
Description of problem:
network manager starting eth interface

Version-Release number of selected component:
selinux-policy-3.14.1-40.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.19-200.fc28.x86_64
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.