Bug 172027 - when client is connecting, dhcpd is dead.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-10-29 09:58 EDT by sangu
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-11-12 10:56:50 EST
Attachments
Attachment 120595: when a client is connecting, this file is audit.log. (16.79 KB, text/plain) - 2005-10-31 21:24 EST, sangu
Attachment 120631: $touch /.autorelabel (5.40 KB, text/plain) - 2005-11-02 01:45 EST, sangu
Description sangu 2005-10-29 09:58:54 EDT
Description of problem:
When client is connecting, dhcpd is dead.
$tail -f /var/log/messages
Oct 29 22:41:40 sangu dhcpd: dhcpd startup succeeded
Oct 29 22:41:40 sangu dhcpd: DHCPDISCOVER from 00:4f:4e:04:40:29 via eth1
Oct 29 22:41:41 sangu dhcpd: DHCPOFFER on 192.168.1.20 to 00:4f:4e:04:40:29
(client) via eth1

$tail -f /var/log/audit/audit.log

type=AVC msg=audit(1130593300.467:313): avc:  denied  { write } for  pid=4643
comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

$ls -Z /usr/sbin/dhcpd
-rwxr-xr-x  root     root     system_u:object_r:dhcpd_exec_t   /usr/sbin/dhcpd

Version-Release number of selected component (if applicable):
1.27.2-10


How reproducible:
always

Steps to Reproduce:
1. 
2.
3.
  
Actual results:


Expected results:


Additional info:
dhcp-3.0.3-10
Comment 1 Daniel Walsh 2005-10-31 09:54:07 EST
You have a labeling problem.

restorecon -R -v /var/lib should fix this.
Comment 2 sangu 2005-10-31 21:24:15 EST
Created attachment 120595 [details]
when a client is connecting, this file is audit.log.

$restorecon -R -v /var/lib
$service dhcpd start
The client is connecting to the dhcp server,
and the dhcpd daemon is dead.
Comment 3 sangu 2005-11-02 01:45:17 EST
Created attachment 120631 [details]
$touch /.autorelabel

$touch /.autorelabel; reboot; dhcpd isn't dead,
but there is a denied { write } for dhcpd in audit.log:
$tail -f /var/log/audit/audit.log

type=AVC msg=audit(1130912914.370:111): avc:  denied  { write } for  pid=1914
comm="dhcpd" name="dhcpd.leases" dev=hda8 ino=163111
scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file
[...]
Comment 4 sangu 2005-11-02 04:05:35 EST
After rebooting, bug 171876 happens again:
dhcpd can't start and service dhcpd start fails.

$restorecon -R -v /var/lib/dhcpd, dhcpd start

$service dhcpd start works well.

but bug 172027 happens again.

$tail -f /var/log/audit/audit.log
type=AVC msg=audit(1130921779.756:110): avc:  denied  { write } for  pid=2649
comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1130921779.756:110): arch=40000003 syscall=5 success=no
exit=-13 a0=bfad2a18 a1=241 a2=1b4 a3=79dc2c items=1 pid=2649 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
exe="/usr/sbin/dhcpd"
type=CWD msg=audit(1130921779.756:110):  cwd="/"
type=PATH msg=audit(1130921779.756:110): item=0
name="/var/lib/dhcpd/dhcpd.leases.1130921779" flags=310  inode=163776 dev=03:08
mode=040755 ouid=0 ogid=0 rdev=00:00
[...]

selinux-policy-targeted-1.27.2-11
Comment 5 Daniel Walsh 2005-11-03 09:20:54 EST
What is the file context of /var/lib/dhcp?

Jason any idea what is going on?
Comment 6 sangu 2005-11-03 09:40:55 EST
$ ls  -Z /var/lib/dhcp

-rw-r--r--  root     root     root:object_r:dhcpc_state_t      dhclient-eth0.leases
-rw-r--r--  root     root     root:object_r:dhcpc_state_t      dhclient-eth1.leases
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases~
Comment 7 Daniel Walsh 2005-11-03 11:13:39 EST
 ls  -dZ /var/lib/dhcp
Comment 8 sangu 2005-11-03 11:16:06 EST
$ ls -dZ /var/lib/dhcp
drwxr-xr-x  root     root     system_u:object_r:dhcp_state_t   /var/lib/dhcp
Comment 9 Daniel Walsh 2005-11-03 11:21:11 EST
Ok, and this is when dhcpd is failing?  What is dhcpd trying to write in /var/lib?
Comment 10 Jason Vas Dias 2005-11-03 12:03:03 EST
For Bug #169164 ("separate /var/lib/{dhcpd,dhclient} directories for improved
SELinux policy") we made dhcpd write to /var/lib/dhcpd/dhcpd.leases, NOT /var/lib/dhcp .

What does ls '-ldZ /var/lib/dhcpd/{.,*}' say?

I've just retested this on a Rawhide system with
selinux-policy-targeted-1.27.2-9 in Enforcing mode and dhcp-3.0.3-10
and dhcpd starts up with no problems or AVCs.

Comment 11 sangu 2005-11-04 02:23:51 EST
dhcp-3.0.3-10, selinux-policy-targeted-1.27.2-11

Strange.

Doing $sudo /usr/sbin/dhcpd -cf /etc/dhcpd.conf, dhcpd works well,
and /var/lib/dhcpd/dhcpd.leases's file context is changed.

$ ls -Z /var/lib/dhcpd/dhcpd.leases
-rw-r--r--  root     root     root:object_r:var_lib_t         
/var/lib/dhcpd/dhcpd.leases

When a client is connecting, dhcpd isn't dead.


but

$ sudo killall dhcpd
$ sudo service dhcpd start
fails
$ sudo restorecon -R -v /var/lib/dhcpd/
/sbin/restorecon reset /var/lib/dhcpd/dhcpd.leases context root:object_r:var_lib

$ ls -Z /var/lib/dhcpd/
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases

$ sudo service dhcpd start
works well.
$ ps ax | grep dhcpd
11282 ?        Ss     0:00 /usr/sbin/dhcpd
and client is connecting, dhcpd is dead.
Comment 12 Daniel Walsh 2005-11-04 09:36:36 EST
Ok it is a file context file and will be fixed tomorrow.

/var/lib/dhcpd should be labeled dhcpd_state_t

The reason it works when you run /usr/sbin/dhcpd is because it is not
transitioning to dhcpd_t when run directly.  It only transitions when run from
the init script.

Fixed in selinux-policy-targeted-1.27.2-14
Comment 13 sangu 2005-11-08 04:06:39 EST
can't start dhcpd in selinux-policy-targeted-1.27.2-16
$service dhcpd start
failed

$tail -f /var/log/audit/audit.log
type=AVC msg=audit(1131439884.638:174): avc:  denied  { search } for  pid=5881
comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0
tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=dir
type=SYSCALL msg=audit(1131439884.638:174): arch=40000003 syscall=5 success=no
exit=-13 a0=8c731b a1=0 a2=333 a3=bf87c1b4 items=1 pid=5881 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd"
exe="/usr/sbin/dhcpd"
type=CWD msg=audit(1131439884.638:174):  cwd="/"
type=PATH msg=audit(1131439884.638:174): item=0
name="/var/lib/dhcpd/dhcpd.leases" flags=101  inode=163776 dev=03:08 mode=040755
ouid=0 ogid=0 rdev=00:00

$ls -Z /usr/sbin/dhcpd
-rwxr-xr-x  root     root     system_u:object_r:dhcpd_exec_t   /usr/sbin/dhcpd
$ ls -Z /var/lib/dhcpd/
-rw-r--r--  root     root     root:object_r:dhcpd_state_t      dhcpd.leases
$ls -Zd /var/lib/dhcpd
drwxr-xr-x  root     root     system_u:object_r:dhcpd_state_t  /var/lib/dhcpd
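The denials quoted in comments 1, 4 and 13 differ in a way that decides the fix: in comments 1 and 4 the target carries var_lib_t where dhcpd_state_t is expected (a labeling problem, cured by restorecon), while in comment 13 the object is already dhcpd_state_t and dhcpd_t is still denied search (a policy gap, cured by the policy update in comment 14). The script below is an added example, not part of this bug report or of the selinux-policy package: it groups the AVC/SYSCALL/CWD/PATH records of one audit event by their audit(...) id, extracts domain, target type and path, and compares the target type with a small expectation table. The table (EXPECTED_CONTEXTS) is a constructed stand-in for file_contexts/matchpathcon built from comments 6, 8 and 12, the "first full match wins" rule is a simplification of how matchpathcon ranks entries, and the sample records are this bug's own audit.log excerpts re-joined onto single lines.

```python
import re

# Constructed expectation table: a stand-in for file_contexts / matchpathcon built
# from comments 6, 8 and 12 of this bug, NOT the real policy file. Entries are
# ordered most specific first; the first full match wins (a simplification).
EXPECTED_CONTEXTS = [
    (re.compile(r"/var/lib/dhcpd(/.*)?"), "dhcpd_state_t"),
    (re.compile(r"/var/lib/dhcp(/.*)?"), "dhcp_state_t"),
    (re.compile(r"/var/lib(/.*)?"), "var_lib_t"),
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")   # audit(timestamp:serial)
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")

ADVICE = {
    "mislabeled": "object type differs from expected: relabel (restorecon -R -v on the parent dir)",
    "policy": "object already has the expected type: the domain lacks the permission, policy change needed",
    "unresolved": "no PATH record in this event: locate the object by dev/ino and compare with matchpathcon",
}


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["_event"] = m.group(1) if m else None
    m = DENIED_RE.search(line)
    if m:
        fields["_perms"] = m.group(1).split()   # e.g. ["write"] or ["search"]
    return fields


def group_events(lines):
    """Group records sharing an audit event id (AVC + SYSCALL + CWD + PATH)."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec["_event"] is not None:
            events.setdefault(rec["_event"], []).append(rec)
    return events


def context_type(ctx):
    """'user:role:type:level' -> 'type'."""
    return ctx.split(":")[2]


def expected_type(path):
    """Expected SELinux type for a path according to EXPECTED_CONTEXTS, or None."""
    for pattern, stype in EXPECTED_CONTEXTS:
        if pattern.fullmatch(path):
            return stype
    return None


def triage(lines):
    """One finding per AVC denial, classified as labeling problem vs. policy gap."""
    findings = []
    for event_id, records in group_events(lines).items():
        avc = next((r for r in records if r.get("type") == "AVC"), None)
        if avc is None:
            continue
        path_rec = next((r for r in records if r.get("type") == "PATH"), None)
        path = path_rec.get("name") if path_rec else None
        target = context_type(avc["tcontext"])
        expected = expected_type(path) if path else None
        if expected is None:
            verdict = "unresolved"
        elif target != expected:
            verdict = "mislabeled"
        else:
            verdict = "policy"
        findings.append({
            "event": event_id, "perms": avc.get("_perms", []),
            "domain": context_type(avc["scontext"]), "tclass": avc.get("tclass"),
            "target_type": target, "path": path, "expected": expected,
            "verdict": verdict, "advice": ADVICE[verdict],
        })
    return findings


# Sample input: the audit.log excerpts from comments 1, 4 and 13 of this bug,
# with each wrapped record re-joined onto a single line.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1130593300.467:313): avc:  denied  { write } for  pid=4643 comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1130921779.756:110): avc:  denied  { write } for  pid=2649 comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1130921779.756:110): arch=40000003 syscall=5 success=no exit=-13 a0=bfad2a18 a1=241 a2=1b4 a3=79dc2c items=1 pid=2649 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"',
    'type=CWD msg=audit(1130921779.756:110):  cwd="/"',
    'type=PATH msg=audit(1130921779.756:110): item=0 name="/var/lib/dhcpd/dhcpd.leases.1130921779" flags=310  inode=163776 dev=03:08 mode=040755 ouid=0 ogid=0 rdev=00:00',
    'type=AVC msg=audit(1131439884.638:174): avc:  denied  { search } for  pid=5881 comm="dhcpd" name="dhcpd" dev=hda8 ino=163776 scontext=root:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1131439884.638:174): arch=40000003 syscall=5 success=no exit=-13 a0=8c731b a1=0 a2=333 a3=bf87c1b4 items=1 pid=5881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="dhcpd" exe="/usr/sbin/dhcpd"',
    'type=CWD msg=audit(1131439884.638:174):  cwd="/"',
    'type=PATH msg=audit(1131439884.638:174): item=0 name="/var/lib/dhcpd/dhcpd.leases" flags=101  inode=163776 dev=03:08 mode=040755 ouid=0 ogid=0 rdev=00:00',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f"{f['event']}: {f['domain']} denied {' '.join(f['perms'])} on {f['tclass']} "
              f"{f['path'] or '?'} ({f['target_type']}, expected {f['expected'] or '?'}) "
              f"-> {f['verdict']}: {f['advice']}")
```

Run against the embedded records it reports event 313 as unresolved (comment 1 quoted only the AVC record, so there is no path to check), event 110 as mislabeled (var_lib_t where dhcpd_state_t is expected, the situation restorecon fixed in comment 11) and event 174 as a policy gap (label already correct, which is why only a policy rebuild helped). On a live system the expectation table would be replaced by matchpathcon output, and the script's value is exactly that triage step: not every dhcpd_t denial on /var/lib is the same bug.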
Comment 14 Daniel Walsh 2005-11-08 10:41:13 EST
Fixed in policy 1.27.2-17
Comment 15 sangu 2005-11-12 10:56:50 EST
Thank you, dwalsh!
