201534 – dhcpd conflict with selinux

Bug 201534 - dhcpd conflict with selinux

Summary: dhcpd conflict with selinux

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	selinux-policy-targeted
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-08-07 07:37 UTC by Johan Dahl
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-08-15 11:28:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Johan Dahl 2006-08-07 07:37:35 UTC

Description of problem:
If selinux is on and enforced for dhcpd will it not let the application access
the file /var/lib/dhcp/dhcpd.leases

Version-Release number of selected component (if applicable):
dhcp-3.0.1-54.EL4

How reproducible:
Everytime

Steps to Reproduce:
1. Start dhcpd ( service dhcpd start)
2.
3.
  
Actual results:
dhcpd fails to start

Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --
  check for failed database rewrite attempt!
Please read the dhcpd.leases manual page if you
don't know what to do about this.

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.

exiting.
                                                           [FAILED]


Expected results:
dhcp starting

Additional info:
If I turn off protection of dhcpd in system-config-security will it work

Comment 1 Daniel Walsh 2006-08-11 17:14:46 UTC

This is most likely a labeling problem.  

Are you seeing lots of avc messages in /var/log/messages?

You can relabel these directories with the following command

restorecon -R -v /var/lib

If you need to relabel the entire system you can 

touch /.autorelabel
reboot

Comment 2 Johan Dahl 2006-08-14 07:27:52 UTC

Fixed!

$ sudo ls -lZ /var/lib/dhcp
-rw-r--r--  root     root     user_u:object_r:dhcp_state_t     dhcpd.leases
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases~
$ sudo restorecon -R -v /var/lib
/sbin/restorecon reset context
/var/lib/dhcp/dhcpd.leases:user_u:object_r:dhcp_state_t->system_u:object_r:dhcpd_state_t

and it works with selinux again. I looked at this but I didn't see the
difference between user_u and system_u

Many thanks

Comment 3 Daniel Walsh 2006-08-15 11:28:27 UTC

The problem was not the user_u->system_u.  In targeted policy this componant
does not matter.  The problem was the dhcp_state_t->dhcpd_state_t.

This componant of the security context is called the type.  I am not sure why
this file got created with the incorrect context.

Note You need to log in before you can comment on or make changes to this bug.