Bug 213926 - dhcpd startup denied -- accessing rndc.key
dhcpd startup denied -- accessing rndc.key
Product: Fedora
Classification: Fedora
Component: bind (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Tkac
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2006-11-03 14:47 EST by Gene Czarcinski
Modified: 2013-04-30 19:34 EDT (History)
2 users (show)

See Also:
Fixed In Version: 9.4.0-1.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-06 10:37:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
rpm -qa | egrep 'bind|caching' (131 bytes, text/plain)
2006-11-10 11:14 EST, Gene Czarcinski
no flags Details

  None (edit)
Description Gene Czarcinski 2006-11-03 14:47:46 EST
Description of problem:
I have named and dhcpd configured to allow automatic updating of system names in
DNS by dhcpd.  Under FC6, dhcpd startup fails because:

audit(1162562248.905:8): avc:  denied  { read } for  pid=3560 comm="dhcpd"
name="rndc.key" dev=hda8 ino=1064661 scontext=root:system_r:dhcpd_t:s0
tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file

I used audit2allow to create:

module dhcpd 1.0;

require {
        class lnk_file read;
        type dhcpd_t;
        type dnssec_t;
        role system_r;

allow dhcpd_t dnssec_t:lnk_file read;

which when processed and loaded allowed dhcpd to start and function properly.

I believe this should be a built-in option ... should this be a bug report or an

Version-Release number of selected component (if applicable):
FC6 plus updates as of 11/2/2006

How reproducible:
Comment 1 Daniel Walsh 2006-11-03 16:15:20 EST
This looks like a mislabeled link.  Should be etc_t.

restorecon /etc/rndc.key

I believe this is a bug in the bind package labeling the link file, when it
should only label the real file.
Comment 2 Martin Stransky 2006-11-10 09:08:42 EST
Could you please attach an output of " #rpm -qa | egrep 'bind|caching' "?
Comment 3 Gene Czarcinski 2006-11-10 11:14:17 EST
Created attachment 140902 [details]
rpm -qa | egrep 'bind|caching'

After I did the "restorecon /etc/rndc.key", I noi longer needed the local
selinux module and everything worked.

Attached is the requested info.
Comment 4 Martin Stransky 2006-11-10 11:30:43 EST
I can reproduce it, thanks.
Comment 5 Martin Stransky 2006-11-22 07:52:00 EST
Could you please attach an output from "#matchpathcon /etc/rndc.key"?
Comment 6 Gene Czarcinski 2006-11-22 10:15:11 EST
Output from "matchpathcon /etc/rndc.key" (which is what I think you meant to say):

/etc/rndc.key   system_u:object_r:dnssec_t
Comment 7 Martin Stransky 2006-11-23 05:28:41 EST
and what context do you have for this file? (ls -Z /etc/rndc.key)
Comment 8 Gene Czarcinski 2006-11-24 12:27:44 EST
Per comment #3 above, I did the "restorecon /etc/rndc.key" and that seemed to
"fix" the problem.  The result of "ls -Z /etc/rndc.key" now is:

   lrwxrwxrwx  root named system_u:object_r:etc_t          /etc/rndc.key ->
Comment 9 Martin Stransky 2006-12-06 06:25:41 EST
It's quite strange because:

matchpathcon /etc/rndc.key says system_u:object_r:dnssec_t

the default context for /etc/rndc.key is system_u:object_r:dnssec_t

but restorecon /etc/rndc.key sets it to system_u:object_r:etc_t?

I'm quite confused with it, but at least in policy is that /etc/rndc.key should
have system_u:object_r:dnssec_t, right?
Comment 10 Gene Czarcinski 2006-12-06 10:03:14 EST
At this point, I am not sure what /etc/rndc.key was originally set to during the
install (it was a fresh install).  However, with that setting, dhcpd did not
work.  After running "restorecon /etc/rndc.key", is is set to
"system_u:object_r:etc_t" and dhcpd can update named dynamically.

Perhaps one of the selinux "experts" can shed some light on the differences
between matchpathcon and restorecon.
Comment 11 Daniel Walsh 2007-02-14 15:58:49 EST
/etc/rndc.key the file is labeled dnssec_t
/etc/rndc.key the symbolic link is labeled etc_t.
Comment 12 Adam Tkac 2007-03-06 10:37:14 EST
Could be fixed in bind-*9.4.0-1.fc7

Note You need to log in before you can comment on or make changes to this bug.