Bug 201534 - dhcpd conflict with selinux
Summary: dhcpd conflict with selinux
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted   
Version: 4.0
Hardware: All Linux
Assignee: Daniel Walsh
Reported: 2006-08-07 07:37 UTC by Johan Dahl
Modified: 2007-11-30 22:07 UTC (History)
Doc Type: Bug Fix
Last Closed: 2006-08-15 11:28:27 UTC

Description Johan Dahl 2006-08-07 07:37:35 UTC
Description of problem:
If SELinux is on and enforcing for dhcpd, it will not let the application access
the file /var/lib/dhcp/dhcpd.leases.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start dhcpd ( service dhcpd start)
Actual results:
dhcpd fails to start

Starting dhcpd: Internet Systems Consortium DHCP Server V3.0.1
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Can't open lease database /var/lib/dhcp/dhcpd.leases: Permission denied --
  check for failed database rewrite attempt!
Please read the dhcpd.leases manual page if you
don't know what to do about this.

If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.

If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.

Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.


Expected results:
dhcp starting

Additional info:
If I turn off protection of dhcpd in system-config-security, it works.

Comment 1 Daniel Walsh 2006-08-11 17:14:46 UTC
This is most likely a labeling problem.  

Are you seeing lots of avc messages in /var/log/messages?

You can relabel these directories with the following command

restorecon -R -v /var/lib

If you need to relabel the entire system you can 

touch /.autorelabel

Comment 2 Johan Dahl 2006-08-14 07:27:52 UTC

$ sudo ls -lZ /var/lib/dhcp
-rw-r--r--  root     root     user_u:object_r:dhcp_state_t     dhcpd.leases
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases~
$ sudo restorecon -R -v /var/lib
/sbin/restorecon reset context

and it works with selinux again. I looked at this but I didn't see the
difference between user_u and system_u

Many thanks

Comment 3 Daniel Walsh 2006-08-15 11:28:27 UTC
The problem was not the user_u->system_u.  In targeted policy this component
does not matter.  The problem was the dhcp_state_t->dhcpd_state_t.

This component of the security context is called the type.  I am not sure why
this file got created with the incorrect context.
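The point of Comment 3 is that, under the targeted policy, only the type field of a file context decides whether dhcpd can open its lease database; the SELinux user (user_u vs system_u) and the role are irrelevant. The following shell script is an added example, not part of the bug report, that parses `ls -lZ` style output and flags files whose type differs from what the policy expects, while deliberately ignoring the user and role fields. The sample listing is the one from Comment 2, and the expected-type table (everything under /var/lib/dhcp should be dhcpd_state_t) is an assumption based on Comment 3; on a real system the authoritative answers come from matchpathcon(1) and a dry run of restorecon.

```shell
#!/bin/sh
# Added example (not from the bug report): compare only the SELinux *type*
# of each file against what the policy expects. Under targeted policy the
# user and role fields do not affect access decisions, so they are ignored.

# Constructed sample: the `ls -lZ /var/lib/dhcp` output posted in Comment 2.
SAMPLE_LS='-rw-r--r--  root     root     user_u:object_r:dhcp_state_t     dhcpd.leases
-rw-r--r--  root     root     system_u:object_r:dhcpd_state_t  dhcpd.leases~'

# ctx_type CONTEXT -> prints the type, i.e. the third colon-separated field
# of user:role:type[:range]. Works for both the RHEL4-style three-field
# contexts shown here and later four-field MLS contexts.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH -> type the policy wants for PATH.
# Assumption (from Comment 3): files under /var/lib/dhcp are dhcpd_state_t.
# On a live system replace this table with: matchpathcon "$1" | awk '{print $2}' | cut -d: -f3
expected_type() {
    case "$1" in
        /var/lib/dhcp/*) echo dhcpd_state_t ;;
        *)               echo unknown ;;
    esac
}

# check_labels DIR LS_OUTPUT -> prints OK / MISLABELED per file and returns
# 1 if any file carries the wrong type. The listing is parsed as
# "mode owner group context name"; user and role inside context are ignored.
check_labels() {
    dir=$1
    printf '%s\n' "$2" | {
        bad=0
        while read -r _mode _owner _group ctx name; do
            [ -n "$name" ] || continue
            have=$(ctx_type "$ctx")
            want=$(expected_type "$dir/$name")
            if [ "$have" = "$want" ]; then
                echo "OK         $dir/$name ($have)"
            else
                echo "MISLABELED $dir/$name (have $have, want $want)"
                bad=1
            fi
        done
        exit "$bad"
    }
}

# Run against the constructed listing: dhcpd.leases is reported as
# MISLABELED (dhcp_state_t vs dhcpd_state_t), dhcpd.leases~ as OK.
check_labels /var/lib/dhcp "$SAMPLE_LS"
```

To confirm a mislabel on a real host without changing anything, run `restorecon -n -v -R /var/lib/dhcp` (the `-n` flag only reports what would be relabeled) and compare the file's current context from `ls -Z` with the policy's answer from `matchpathcon /var/lib/dhcp/dhcpd.leases`; the `restorecon -R -v /var/lib` from Comment 1 then applies the fix.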
