1718701 – Policy blocks dhcpd from reading rndc.key

Bug 1718701 - Policy blocks dhcpd from reading rndc.key

Summary: Policy blocks dhcpd from reading rndc.key

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	30
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-06-10 01:02 UTC by Michael Cronenworth
Modified:	2019-06-20 02:54 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.14.3-39.fc30
Clone Of:
Environment:
Last Closed:	2019-06-20 02:54:48 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Michael Cronenworth 2019-06-10 01:02:27 UTC

Description of problem:
I upgraded from Fedora 29 to 30. After the upgrade dhcpd was not starting.

setroubleshoot[5744]: SELinux is preventing dhcpd from map access on the file /etc/rndc.key

# ls -lZ /etc/rndc.key 
-rw-r-----. 1 root named system_u:object_r:dnssec_t:s0 112 Jun  9 19:54 /etc/rndc.key


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-37.fc30.noarch

How reproducible:
Always


Steps to Reproduce:
1. Install dhcp-server
2. Add a dynamic dns key (rndc key)
3. systemctl start dhcpd

Actual results:
Fails to start


Expected results:
DHCPd Starts

Additional info:
SELinux recommends to turn on the following bool:
setsebool -P domain_can_mmap_files 1

Setting this bool does allow dhcpd to start, but I don't think that is a proper fix.

The dhcpd versions between Fedora 29 and 30 are the same. It's the SELinux policy that has changed.

Comment 1 Lukas Vrabec 2019-06-10 16:00:13 UTC

Hi, 

Could you please reproduce the scenario and then attach output of:

# ausearch -m AVC -ts recent 

Thanks,
Lukas.

Comment 2 Michael Cronenworth 2019-06-11 13:23:06 UTC

# ausearch -m AVC -ts recent
----
time->Tue Jun 11 08:22:34 2019
type=AVC msg=audit(1560259354.598:1807): avc:  denied  { map } for  pid=18541 comm="dhcpd" path="/etc/rndc.key" dev="dm-0" ino=53871458 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file permissive=0

Comment 3 Lukas Vrabec 2019-06-12 15:48:02 UTC

commit e8298ee57267c9f3d4592b8feb76fc81fffbe155 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jun 12 17:47:41 2019 +0200

    Allow dhcpd_t domain to mmap dnssec_t files BZ(1718701)

Comment 4 Fedora Update System 2019-06-18 11:32:04 UTC

FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 5 Fedora Update System 2019-06-19 01:02:57 UTC

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 6 Fedora Update System 2019-06-20 02:54:48 UTC

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.