Description of problem:
If selinux is on and enforced for dhcpd, it will not let the application access the file /var/lib/dhcp/dhcpd.leases

Version-Release number of selected component (if applicable):
dhcp-3.0.1-54.EL4

How reproducible:
Every time

Steps to Reproduce:
1. Start dhcpd (service dhcpd start)

Actual results:
dhcpd fails to start

    Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.1
    Copyright 2004 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --
      check for failed database rewrite attempt!
    Please read the dhcpd.leases manual page if you
    don't know what to do about this.

    If you did not get this software from ftp.isc.org, please
    get the latest from ftp.isc.org and install that before
    requesting help.

    If you did get this software from ftp.isc.org and have not
    yet read the README, please read it before requesting help.
    If you intend to request help from the dhcp-server
    mailing list, please read the section on the README about
    submitting bug reports and requests for help.

    Please do not under any circumstances send requests for
    help directly to the authors of this software - please
    send them to the appropriate mailing list as described in
    the README file.

    exiting.
    [FAILED]

Expected results:
dhcp starting

Additional info:
If I turn off protection of dhcpd in system-config-security, it will work

This is most likely a labeling problem. Are you seeing lots of avc messages in /var/log/messages?
You can relabel these directories with the following command:

    restorecon -R -v /var/lib

If you need to relabel the entire system you can:

    touch /.autorelabel
    reboot

Fixed!

    $ sudo ls -lZ /var/lib/dhcp
    -rw-r--r-- root root user_u:object_r:dhcp_state_t dhcpd.leases
    -rw-r--r-- root root system_u:object_r:dhcpd_state_t dhcpd.leases~
    $ sudo restorecon -R -v /var/lib
    /sbin/restorecon reset context /var/lib/dhcp/dhcpd.leases:user_u:object_r:dhcp_state_t->system_u:object_r:dhcpd_state_t

and it works with selinux again. I looked at this but I didn't see the difference between user_u and system_u.
Many thanks

The problem was not the user_u->system_u. In targeted policy this component does not matter. The problem was the dhcp_state_t->dhcpd_state_t. This component of the security context is called the type. I am not sure why this file got created with the incorrect context.
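
Added example, not part of the original thread: a small shell filter that reads `restorecon -v` lines in the format quoted above and separates relabels that change the type field from those that change only the user or role field. The function names are hypothetical, and it assumes `user:role:type` contexts with no MLS level field.

```shell
#!/bin/sh
# Added example: triage `restorecon -v` lines in the format quoted in this
# thread. Assumes user:role:type contexts with no MLS level field.

# Split one "reset context PATH:OLD->NEW" line into shell variables.
# Returns 1 for lines that are not relabel messages.
parse_relabel() {
    case $1 in
        *" reset context "*"->"*) ;;
        *) return 1 ;;
    esac
    rest=${1#*" reset context "}
    new_ctx=${rest##*"->"}
    left=${rest%"->"*}
    # Peel the context off the right so colons in the path survive.
    old_type=${left##*:}; left=${left%:*}
    old_role=${left##*:}; left=${left%:*}
    old_user=${left##*:}; path=${left%:*}
    new_type=${new_ctx##*:}
}

# Print TYPE when the type field changes (the case that broke dhcpd here),
# USER_ROLE_ONLY when only the user or role field changes, SKIP otherwise.
classify() {
    parse_relabel "$1" || { echo "SKIP"; return 0; }
    if [ "$old_type" != "$new_type" ]; then
        echo "TYPE $path $old_type->$new_type"
    else
        echo "USER_ROLE_ONLY $path"
    fi
}

# Classify every line read from stdin.
triage() {
    while IFS= read -r line; do
        classify "$line"
    done
}

# First line is from the thread; the other two are constructed samples.
sample_log() {
    cat <<'EOF'
/sbin/restorecon reset context /var/lib/dhcp/dhcpd.leases:user_u:object_r:dhcp_state_t->system_u:object_r:dhcpd_state_t
/sbin/restorecon reset context /var/lib/dhcp/dhcpd.leases~:user_u:object_r:dhcpd_state_t->system_u:object_r:dhcpd_state_t
Starting dhcpd: [  OK  ]
EOF
}

sample_log | triage
```

On a live system the input can come from `restorecon -n -v -R /var/lib`, which reports what would be relabeled without changing anything. Newer policycoreutils releases word these messages differently, so the pattern in `parse_relabel` would need adjusting there.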