Bug 2024166 - dnsmasq: cannot open log /var/log/dnsmasq.log
Summary: dnsmasq: cannot open log /var/log/dnsmasq.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnsmasq
Version: 35
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2156789
TreeView+ depends on / blocked
 
Reported: 2021-11-17 13:22 UTC by Christian Kujau
Modified: 2023-01-23 12:11 UTC (History)
6 users (show)

Fixed In Version: dnsmasq-2.86-4.fc35 dnsmasq-2.86-4.fc34
Clone Of:
Environment:
Last Closed: 2022-01-19 02:11:16 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
candidate patch (492 bytes, patch)
2021-11-24 16:05 UTC, Petr Menšík 		no flags Details | Diff
View All

Description Christian Kujau 2021-11-17 13:22:49 UTC 
Description of problem:


This had been reported in bug 1663692 two years ago, but apparently has re-surfaced:


============================================
$ grep faci /etc/dnsmasq.d/work.conf 
log-facility=/var/log/dnsmasq.log

$ ls -ldZ /var{,/log{,/dnsmasq.log}}
drwxr-xr-x. 1 root    root    system_u:object_r:var_t:s0              246 Nov 17 02:51 /var
drwxr-xr-x. 1 root    root    system_u:object_r:var_log_t:s0         1230 Nov 17 02:40 /var/log
-rw-rw----. 1 dnsmasq dnsmasq system_u:object_r:dnsmasq_var_log_t:s0 5410 Oct 20 10:44 /var/log/dnsmasq.log

$ systemctl restart dnsmasq.service 
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xeu dnsmasq.service" for details.

$ journalctl -l | grep dnsm
[....]
Nov 17 14:11:20 host audit[51617]: AVC avc:  denied  { dac_override } for  pid=51617 comm="dnsmasq" capability=1  scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=capability permissive=0
Nov 17 14:11:20 host dnsmasq[51615]: dnsmasq: cannot open log /var/log/dnsmasq.log: Permission denied
Nov 17 14:11:20 host dnsmasq[51615]: cannot open log /var/log/dnsmasq.log: Permission denied
Nov 17 14:11:20 host systemd[1]: dnsmasq.service: Control process exited, code=exited, status=3/NOTIMPLEMENTED
Nov 17 14:11:20 host dnsmasq[51615]: FAILED to start up
Nov 17 14:11:20 host systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
Nov 17 14:11:20 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnsmasq comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


$ ausearch -m avc | grep dnsmasq | tail -1 | audit2allow 
allow dnsmasq_t self:capability dac_override;

============================================


Version-Release number of selected component (if applicable):
dnsmasq-2.86-3.fc35.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure dnsmasq to log its output to a log file
2. Start dnsmasq.
3. dnsmasq is not able to start.

Actual results:
dnsmasq does not start.

Expected results:
dnsmasq should start.

Additional info: Removing log-facility=/var/log/dnsmasq.log from the configuration makes dnsmasq start just fine.
Comment 1 Petr Menšík 2021-11-24 15:21:03 UTC 
I think it would be fixed if you keep the file owned and writeable by root, but also by dnsmasq group. Would the issue disappear if you chown root:dnsmasq /var/log/dnsmasq.log?

It might open log file handle before it drops privileges and switches to dnsmasq user. It would not be issue if it had all root capabilities, such as ability to write to not owned files (dac_override). Because we do not grant such rights even to root processes, root user or group has to have write ability.
Comment 2 Petr Menšík 2021-11-24 16:02:03 UTC 
I have checked when log_reopen is called. I can confirm it is called when it still has effective uid 0.

My dnsmasq.log permissions have this:
-rw-r-----. 1 dnsmasq root 1489 24. lis 16.33 /var/log/dnsmasq.log

But it seems it can just create that file once, but not reopen it on another restart.

rm -f /var/log/dnsmasq.log

$ sudo systemctl restart dnsmasq
# ok

$ sudo systemctl restart dnsmasq
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xeu dnsmasq.service" for details.

It seems it should include right to write also to group when creating this file. I am not sure if it should do it always. dnsmasq may run also as unprivileged user directly, where such adding might not be required. But permissions of created file is not configurable. Of course, you may create that file before and apply correct rights before starting dnsmasq.

$ sudo chmod g+w /var/log/dnsmasq.log
$ sudo systemctl restart dnsmasq
# ok

I am not sure if this should be fixed in dnsmasq code. First thing is this is ensured by SELinux and systemd on Fedora. It would work if started from command line.

It can be corrected by proper logrotate configuration, which is not part of dnsmasq package. I expect journal is usually sufficient.
Comment 3 Petr Menšík 2021-11-24 16:05:02 UTC 
Created attachment 1843431 [details]
candidate patch

Always add group writeable bit to log-facility file. It might not always be needed, but is needed if creating new file into /var/log. It succeeds first time, but fails on following restart(s).
Comment 4 Christian Kujau 2021-11-28 16:52:28 UTC 
Thanks for responding. Yes, removing the file helps, dnsmasq will then create the log file with:

 -rw-r-----. 1 dnsmasq root system_u:object_r:dnsmasq_var_log_t:s0 7391 Nov 28 17:48 /var/log/dnsmasq.log

And indeed, restarting dnsmasq then fails with:

 dnsmasq: cannot open log /var/log/dnsmasq.log: Permission denied

The chmod g+w trick helps, now dnsmasq can indeed be restarted.

 -rw-rw----. 1 dnsmasq root system_u:object_r:dnsmasq_var_log_t:s0 14013 Nov 28 17:49 /var/log/dnsmasq.log

So, this is a good workaround. But yeah, fixing this in dnsmasq would be cool.
Comment 5 Petr Menšík 2022-01-13 14:29:02 UTC 
Posted upstream, already accepted:

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016070.html
Comment 6 Petr Menšík 2022-01-13 14:33:19 UTC 
Accepted and merged:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
Comment 7 Fedora Update System 2022-01-16 11:30:11 UTC 
FEDORA-2022-bc951e2e74 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc951e2e74
Comment 8 Fedora Update System 2022-01-16 11:31:03 UTC 
FEDORA-2022-c180c1560c has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c180c1560c
Comment 9 Fedora Update System 2022-01-17 02:00:35 UTC 
FEDORA-2022-bc951e2e74 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-bc951e2e74`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bc951e2e74

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2022-01-17 02:15:55 UTC 
FEDORA-2022-c180c1560c has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-c180c1560c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c180c1560c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2022-01-19 02:11:16 UTC 
FEDORA-2022-bc951e2e74 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 12 Fedora Update System 2022-02-02 01:14:33 UTC 
FEDORA-2022-c180c1560c has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.