Bug 158502 - dhclient-script clears resolv.conf
Summary: dhclient-script clears resolv.conf
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 4
Hardware: i686
OS: Linux
medium
low
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-05-23 03:04 UTC by Masakazu Takahashi
Modified: 2007-11-30 22:11 UTC (History)
2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-13 21:16:08 UTC
Type: ---
Embargoed:


Attachments
/var/log/audit/audit.log from target machine (4.72 KB, text/plain)
2005-09-02 22:45 UTC, Laurie Reeves

Description Masakazu Takahashi 2005-05-23 03:04:10 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

Description of problem:
First I set the IP address to be obtained automatically by DHCP, and then I tried to change it to a statically set IP address from system-config-network. Then resolv.conf is cleared.


Version-Release number of selected component (if applicable):
system-config-network-1.3.26-1

How reproducible:
Always

Steps to Reproduce:
1. Run system-config-network
2. Select NIC in "Devices"
3. Click "Edit" button
4. Click "Statically set IP addresses" and input parameters
5. Click "Stop" and "Start" button to restart NIC


Actual Results:  /etc/resolv.conf and /etc/sysconfig/networking/profiles/default/resolv.conf are cleared.  They contain only one "\n".


Expected Results:  "nameserver XXX.XXX.XXX.XXX" will be written in resolv.conf.

Additional info:

After I removed NCProfileList.pyc and NCProfileList.pyo from /usr/share/system-config-network/netconfpkg, system-config-network did not clear resolv.conf.  So I suppose these NCProfileList.pyc or NCProfileList.pyo may be obsolete.

Comment 1 Harald Hoyer 2005-07-08 10:10:23 UTC
Haven't seen this bug report from others... NCProfileList.pyc and
NCProfileList.pyo are the python compiled versions of NCProfileList.py ... so
something really went wrong here.

Comment 2 Laurie Reeves 2005-09-01 16:42:20 UTC
Using FC4 final: Deleting those files didn't work for me. I found selinux errors
(permission denied writing to /etc/resolv.conf) in /var/log/messages, so I
disabled selinux and now it works. I tracked the problem to the call to
/sbin/dhclient in /etc/sysconfig/network-scripts/ifup-eth, line 176. The
/etc/resolv.conf file contains old content before call, and file is empty after
call.

More info: System installed via kickstart with a small set of packages ~450.
Kickstart set to use dhcp, empty /etc/resolv.conf after reboot even though
/var/lib/dhcp/dhclient-eth0.leases contains the correct information. I
reproduced this every time on six (6) installs. A full install (nearly every
package) does not have this problem, I assume the problem could be solved by
adding some package, but which one?

Comment 3 Harald Hoyer 2005-09-02 07:38:49 UTC
$ rpm -qf /sbin/dhclient-script
dhclient-3.0.2-12

Comment 4 Jason Vas Dias 2005-09-02 14:26:29 UTC
There appear to be two issues associated with this bug report:

1. RE: Changing from DHCP to Static configuration and resolv.conf is cleared:

  This is correct behavior, if you did not specify any static name server
  and domain / search path parameters.
  If you do not wish the resolver parameters to be specified by DHCP,
  then you must specify them manually.

  When dhclient is stopped for an interface, it removes the information
  it wrote to resolv.conf - this is what we want it to do, as when dhclient
  is stopped and the DHCP interface is brought down, any configuration
  parameters written by dhclient are invalid.
  
  Did you specify the name server and  domain / search path parameters
  in system-config-network when switching from DHCP to Static ? 

  If so, then this could be a problem with system-config-network: if it 
  writes the newly specified static parameters to resolv.conf and THEN
  stops dhclient, the new parameters written would be lost. It must
  stop dhclient (move from DHCP to static configuration) and then
  write the resolv.conf parameters.

  If not, then this is 'NOTABUG': as no static resolver parameters were 
  entered, and you are moving to a static configuration, the resolv.conf 
  file should be empty.

2. SELinux policy for dhclient incorrect after kickstart install:
 > I found selinux errors (permission denied writing to /etc/resolv.conf)
 > in /var/log/messages
   Could you please paste examples of these messages into this bug report ?
 
 > System installed via kickstart with a small set of packages ~450. ...
 > A full install (nearly every package) does not have this problem
   Was 'selinux-policy-targeted' one of the missing packages ?
  
   Ensure your kickstart script includes at least these selinux packages
   and their dependencies:
   selinux-policy-targeted
   policycoreutils
   libselinux
   libsepol
   checkpolicy

   It might also be necessary to touch the /.autorelabel file after kickstart
   installation to ensure the newly installed filesystem is correctly labelled -
   after relabelling the first time, no subsequent relabels should be required.
   
   If you can reproduce the problem with all the above packages installed
   and the filesystem correctly labelled (after touching /.autorelabel and
   rebooting), then please append the /var/log/audit/audit.log file to this
   bug report and the output of 
      # ls -lZ /etc/resolv.* /sbin/dhc*

Comment 5 Laurie Reeves 2005-09-02 22:45:54 UTC
Created attachment 118411 [details]
/var/log/audit/audit.log from target machine

Comment 6 Laurie Reeves 2005-09-02 23:28:39 UTC
The package "checkpolicy" wasn't installed. Neither was "audit".

Output from /var/log/messages:

Sep  2 15:36:32 localhost kernel: eth0: network connection up using port A
Sep  2 15:36:32 localhost kernel:     speed:           100
Sep  2 15:36:32 localhost kernel:     autonegotiation: yes
Sep  2 15:36:32 localhost kernel:     duplex mode:     full
Sep  2 15:36:32 localhost kernel:     flowctrl:        symmetric
Sep  2 15:36:32 localhost kernel:     irq moderation:  disabled
Sep  2 15:36:32 localhost squid[2278]: Squid Parent: child process 2280 started
Sep  2 15:36:32 localhost kernel:     scatter-gather:  enabled
Sep  2 15:36:32 localhost kernel: audit(1125696987.492:2): avc:  denied  { write
} for  pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8 ino=493579
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.492:3): avc:  denied  {
unlink } for  pid=2054 comm="cp" name="resolv.conf.predhclient" dev=hda8
ino=493579 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t
tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.510:4): avc:  denied  {
getattr } for  pid=2055 comm="mktemp" name="/" dev=hda5 ino=2
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep  2 15:36:32 localhost kernel: audit(1125696987.577:5): avc:  denied  {
rename } for  pid=2064 comm="mv" name="yp.conf" dev=hda8 ino=493602
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.586:6): avc:  denied  { write
} for  pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.586:7): avc:  denied  { write
} for  pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.594:8): avc:  denied  {
append } for  pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.594:9): avc:  denied  {
append } for  pid=2017 comm="dhclient-script" name="yp.conf" dev=hda8 ino=493602
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:etc_t tclass=file
Sep  2 15:36:32 localhost kernel: audit(1125696987.837:10): avc:  denied  { read
} for  pid=2117 comm="syslogd" name="hosts" dev=hda8 ino=493683
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
Sep  2 15:36:32 localhost kernel: NET: Registered protocol family 10
Sep  2 15:36:32 localhost kernel: Disabled Privacy Extensions on device c03e6a20(lo)
Sep  2 15:36:32 localhost kernel: IPv6 over IPv4 tunneling driver


Installed checkpolicy and audit, enabled selinux again, touched /.autorelabel,
rebooted. Problem persists, but now this is in /var/log/messages:

Sep  2 16:44:16 localhost kernel: eth0: network connection up using port A
Sep  2 16:44:16 localhost kernel:     speed:           100
Sep  2 16:44:16 localhost kernel:     autonegotiation: yes
Sep  2 16:44:16 localhost kernel:     duplex mode:     full
Sep  2 16:44:16 localhost kernel:     flowctrl:        symmetric
Sep  2 16:44:16 localhost kernel:     irq moderation:  disabled
Sep  2 16:44:16 localhost kernel:     scatter-gather:  enabled
Sep  2 16:44:16 localhost kernel: audit(1125701053.273:2): avc:  denied  {
getattr } for  pid=2051 comm="mktemp" name="/" dev=hda5 ino=2
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep  2 16:44:16 localhost kernel: audit(1125701053.591:3): avc:  denied  { read
} for  pid=2114 comm="syslogd" name="hosts" dev=hda8 ino=493685
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
Sep  2 16:44:16 localhost kernel: NET: Registered protocol family 10
Sep  2 16:44:16 localhost kernel: Disabled Privacy Extensions on device c03e6a20(lo)
Sep  2 16:44:16 localhost kernel: IPv6 over IPv4 tunneling driver

The log file /var/log/audit/audit.log is attached above.

Here is the output of that command:

# ls -lZ /etc/resolv.* /sbin/dhc*
-rw-r--r--  root     root     system_u:object_r:net_conf_t     /etc/resolv.conf
-rw-r--r--  root     root     system_u:object_r:net_conf_t    
/etc/resolv.conf.predhclient
-rwxr-xr-x  root     root     system_u:object_r:dhcpc_exec_t   /sbin/dhclient
-rwxr-xr-x  root     root     system_u:object_r:dhcpc_exec_t   /sbin/dhclient-script




Comment 7 Jason Vas Dias 2005-09-03 01:44:47 UTC
From the looks of the above output, it looks like dhclient has succeeded -
both resolv.conf and resolv.conf.predhclient exist with the correct SELinux
context - or are they from different sessions ? 

Please confirm that the new resolv.conf still has the incorrect content.
Try "ifdown; rm -rf /etc/resolv.*; ifup;" - what do the /etc/resolv.*
files look like then - are the resolv.conf contents still bad ?

I don't like the look of this AVC message:

audit(1125701053.273:2): avc:  denied  { getattr } for  pid=2051 \
  comm="mktemp" name="/" dev=hda5 ino=2 \
  scontext=system_u:system_r:dhcpc_t \
  tcontext=system_u:object_r:file_t tclass=dir

dhclient script always creates the new resolv.conf first in the file
named by the output of the command '/bin/mktemp /tmp/XXXXXX'.

This AVC definitely cannot be reproduced on my rawhide system, with
selinux-policy-targeted-1.25.4.11 .

The latest update for FC-4 is selinux-policy-targeted-1.25.4-10 -
what version do you have installed ? You should ensure that you have
all the latest FC-4 upgrades installed, including the kernel.

The dhclient AVC shows that mktemp, when run by dhclient with context dhcpc_t,
cannot get the SELinux attributes of the first component of the path
'/tmp/XXXXXX' - i.e. '/', the root filesystem.  This should have the context
'system_u:object_r:root_t', not 'system_u:object_r:file_t', as it would
appear the AVC above shows it has.

The AVC that follows the dhclient AVC shows that syslogd is not allowed 
to read /etc/hosts (so network logging is disabled) because /etc/hosts 
has context  system_u:object_r:etc_runtime_t - on my system, it has 
system_u:object_r:etc_t .  

Did the relabel take effect ? i.e. after touching /.autorelabel and rebooting,
did you see the message
    *** Warning -- SELinux relabel is required. ***
    *** Relabeling could take a very long time, ***
when you booted up ? Was this process interrupted in any way?

Note that if you ever run with the kernel boot argument 'selinux=no', 
(SELinux disabled) you MUST autorelabel to run without 'selinux=no'. 
It is much better to use the 'selinux=permissive' boot argument to
disable selinux violations. 

If you are sure that you have all the latest versions of all packages
installed, and still have the problem, please try the following commands,
as root:
  # echo '#!/bin/bash
mktemp /tmp/XXXXXX;
[ $? -ne 0 ] && echo failed;
' > /tmp/dhct.sh
  # chmod +x /tmp/dhct.sh
  # chcon system_u:object_r:dhcpc_exec_t /tmp/dhct.sh
  # /tmp/dhct.sh
The last command should NOT produce the output 'failed' - it does not for me.
If it does, then you have a bad SELinux installation and need help from the
SELinux maintainer (dwalsh), who has also been CC'ed on this bug.
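One way to triage AVC records like the ones quoted in this bug, as an added example that is not part of this bug thread: it re-joins records that syslog wrapped across lines, extracts the fields, and flags objects whose type differs from the label comment 7 says they should carry. The sample log text and the expected-type table are constructed from the messages quoted above.

```python
import re

# Constructed sample, modelled on the AVC messages quoted in this bug; syslog
# wraps one AVC record across several lines, which is what the parser handles.
SAMPLE_LOG = """\
Sep  2 16:44:16 localhost kernel: audit(1125701053.273:2): avc:  denied  {
getattr } for  pid=2051 comm="mktemp" name="/" dev=hda5 ino=2
scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:file_t tclass=dir
Sep  2 16:44:16 localhost kernel: audit(1125701053.591:3): avc:  denied  { read
} for  pid=2114 comm="syslogd" name="hosts" dev=hda8 ino=493685
scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
Sep  2 16:44:16 localhost kernel: NET: Registered protocol family 10
"""

# Expected object types for the objects named in this bug (taken from comment 7
# and the ls -lZ output in comment 6); extend this table for other files.
EXPECTED_TYPE = {"/": "root_t", "hosts": "etc_t", "resolv.conf": "net_conf_t"}

SYSLOG_START = re.compile(r"[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_records(text):
    """Re-join wrapped records: a new record starts at a syslog timestamp,
    any other line is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return the AVC fields as a dict (perms as a list), or None if not an AVC."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def mislabelled(fields):
    """Return the expected type when the denied object's type differs from it."""
    expected = EXPECTED_TYPE.get(fields.get("name"))
    actual = fields.get("tcontext", "::").split(":")[2]
    return expected if expected and actual != expected else None


def triage(text):
    """(comm, perms, name, tcontext, expected-type-if-mislabelled) per denial."""
    out = []
    for rec in join_records(text):
        f = parse_avc(rec)
        if f:
            out.append((f["comm"], f["perms"], f["name"], f.get("tcontext"), mislabelled(f)))
    return out
```

A denial whose object is mislabelled points at a relabel problem (the /.autorelabel step in comment 4) rather than at a missing policy rule, which is the distinction comment 7 draws for the '/' and /etc/hosts denials.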

Comment 8 Jason Vas Dias 2005-10-13 21:16:08 UTC
I cannot reproduce this bug on any FC-4 or Rawhide system, and
no further information has been forthcoming - perhaps the previous
comments helped resolve the issue - closing as "NOTABUG".
If this problem is still an issue for you, please supply the further
information requested in the previous comments and re-open this bug.


