Red Hat Bugzilla – Bug 201534
dhcpd conflict with selinux
Last modified: 2007-11-30 17:07:26 EST
Description of problem:
If selinux is on and enforced for dhcpd will it not let the application access
the file /var/lib/dhcp/dhcpd.leases
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Start dhcpd ( service dhcpd start)
dhcpd fails to start
Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --
check for failed database rewrite attempt!
Please read the dhcpd.leases manual page if you
don't know what to do about this.
If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the firstname.lastname@example.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.
Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.
If I turn off protection of dhcpd in system-config-security will it work
This is most likely a labeling problem.
Are you seeing lots of avc messages in /var/log/messages?
You can relabel these directories with the following command
restorecon -R -v /var/lib
If you need to relabel the entire system you can
$ sudo ls -lZ /var/lib/dhcp
-rw-r--r-- root root user_u:object_r:dhcp_state_t dhcpd.leases
-rw-r--r-- root root system_u:object_r:dhcpd_state_t dhcpd.leases~
$ sudo restorecon -R -v /var/lib
/sbin/restorecon reset context
and it works with selinux again. I looked at this but I didn't see the
difference between user_u and system_u
The problem was not the user_u->system_u. In targeted policy this componant
does not matter. The problem was the dhcp_state_t->dhcpd_state_t.
This componant of the security context is called the type. I am not sure why
this file got created with the incorrect context.