I am using systemd-networkd, and I'm seeing this in my logs:

Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: REQUEST (rebinding/renewing) (0xcd130238)
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: ACK (0xcd130238)
Jun 09 16:01:21 redacted audit[1946]: AVC avc: denied { create } for pid=1946 comm="systemd-network" name="dhcp-server-lease" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: Failed to save leases, ignoring: Permission denied
Jun 09 16:01:21 redacted systemd-networkd[1946]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/network1/link/_33 interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=31633 reply_cookie=0 signature=sa{sv}as error-name=n/a error-message=n/a
Jun 09 16:01:23 redacted systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Jun 09 16:01:23 redacted systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Jun 09 16:01:23 redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 09 16:01:23 redacted systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Jun 09 16:01:23 redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@21168 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 09 16:01:24 redacted setroubleshoot[1002426]: SELinux is preventing systemd-network from create access on the directory dhcp-server-lease.
For complete SELinux messages run: sealert -l 267423a5-1007-4607-bac4-ce992d5df576
Jun 09 16:01:24 redacted setroubleshoot[1002426]: SELinux is preventing systemd-network from create access on the directory dhcp-server-lease.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-network should be allowed create access on the dhcp-server-lease directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-network' --raw | audit2allow -M my-systemdnetwork
# semodule -X 300 -i my-systemdnetwork.pp

Reproducible: Always

Steps to Reproduce:
I'm not sure but my guess would be:
1. Run a DHCPv4 server via systemd-networkd
2. Have clients accept leases

Actual Results:
See logs above

Expected Results:
No error; leases are saved

Additional Information:
Running ausearch -c 'systemd-network' --raw | audit2allow yields:

#============= systemd_networkd_t ==============
allow systemd_networkd_t systemd_networkd_var_lib_t:dir create;
Hi,

Can you set the system to permissive mode, enable full auditing and gather data?

setenforce 0
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing
*** Bug 2344538 has been marked as a duplicate of this bug. ***
I submitted a PR, I think it should fix the issue. So we don't need the log now.
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1
FEDORA-2025-dde3c4a0f1 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-dde3c4a0f1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-dde3c4a0f1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
A mistake has been made, this bz will actually be fixed by the next build.
FEDORA-2025-dde3c4a0f1 (selinux-policy-42.5-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
Seems to not be working correctly. Current up-to-date Fedora shows the following. Should this be a separate bug report?

Sep 06 14:32:07 router.redacted systemd[1]: setroubleshootd.service: Consumed 5.082s CPU time, 82.9M memory peak.
Sep 06 14:32:17 router.redacted audit[1090]: AVC avc: denied { read write } for pid=1090 comm="systemd-network" path="/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004" dev="sda3" ino=2177342 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=file permissive=0
Sep 06 14:32:19 router.redacted systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Sep 06 14:32:19 router.redacted systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Sep 06 14:32:19 router.redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 06 14:32:20 router.redacted setroubleshoot[1460]: failed to retrieve rpm info for path '/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004':
Sep 06 14:32:20 router.redacted systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
Sep 06 14:32:20 router.redacted audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Sep 06 14:32:21 router.redacted setroubleshoot[1460]: SELinux is preventing systemd-network from 'read, write' accesses on the file /var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004.
For complete SELinux messages run: sealert -l 51ab8f27-6d79-428c-8120-fe2c1fa37e9c
Sep 06 14:32:21 router.redacted setroubleshoot[1460]: SELinux is preventing systemd-network from 'read, write' accesses on the file /var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-network should be allowed read write access on the .#eno1f7697ae37cbd6004 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-network' --raw | audit2allow -M my-systemdnetwork
# semodule -X 300 -i my-systemdnetwork.pp
The issue as reported has been resolved, this seems to be related, but different. Please open a new bz. Short reproducer or a test hint would also help.
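
Added example, not part of the original report or of selinux-policy: a small parser that reduces the AVC records quoted in this bug to audit2allow-style rules, which shows that the June denial (dir create) and the September denial (file read write) are different accesses on the same source/target type pair. The function names and the embedded sample journal are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in this report plus one unrelated
# journal line, embedded here so the example runs offline.
SAMPLE_JOURNAL = """\
Jun 09 16:01:21 redacted audit[1946]: AVC avc: denied { create } for pid=1946 comm="systemd-network" name="dhcp-server-lease" scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0
Jun 09 16:01:21 redacted systemd-networkd[1946]: enp3s0f0: DHCPv4 server: Failed to save leases, ignoring: Permission denied
Sep 06 14:32:17 router.redacted audit[1090]: AVC avc: denied { read write } for pid=1090 comm="systemd-network" path="/var/lib/systemd/network/dhcp-server-lease/.#eno1f7697ae37cbd6004" dev="sda3" ino=2177342 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: do not guess the missing fields
    return {
        "perms": m["perms"].split(),
        # Contexts are user:role:type:level; policy rules are written on the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
        "enforced": fields.get("permissive") == "0",
    }

def allow_rules(lines):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_JOURNAL.splitlines())))
```

The first rule matches the audit2allow output quoted in the original report; the second is the access still denied in the September log, on class file rather than dir.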