Description of problem:
If SELinux is Enforcing, dhcpd is unable to start. It doesn't produce any logs of its own, but SELinux records something like:

type=AVC msg=audit(1206988373.077:51): avc: denied { read } for pid=4579 comm="dhcpd" name="net" dev=proc ino=4026531868 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file

If I set SELinux to permissive, it looks like several more things are denied by policy:

type=AVC msg=audit(1206987458.792:35): avc: denied { read } for pid=3193 comm="dhcpd" name="net" dev=proc ino=4026531868 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file
type=AVC msg=audit(1206987458.792:35): avc: denied { read } for pid=3193 comm="dhcpd" name="dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.792:35): arch=40000003 syscall=5 success=yes exit=5 a0=80de96a a1=0 a2=1b6 a3=0 items=0 ppid=3192 pid=3193 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)
type=AVC msg=audit(1206987458.814:36): avc: denied { getattr } for pid=3193 comm="dhcpd" path="/proc/3193/net/dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.814:36): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfdd3528 a2=29dff4 a3=84b4930 items=0 ppid=3192 pid=3193 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
dhcp-4.0.0-13.fc9.i386
selinux-policy-3.3.1-26.fc9.noarch

How reproducible:
Always

Steps to Reproduce:
1. setenforce enforcing
2. service dhcpd start
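The AVC records quoted above can be reduced to the type-enforcement rules they imply, which is how one tells whether the gap is in policy (dhcpd_t lacking read/getattr on proc_net_t) rather than in dhcpd. As an added example, not part of the bug report or of any Fedora tool, this small parser does that for the report's own denials, standing in for what audit2allow would print; the audit text is embedded as constructed sample input, with the SYSCALL record trimmed.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines from the bug report, plus one
# trimmed SYSCALL record to show that non-AVC records are skipped.
AUDIT_LOG = """\
type=AVC msg=audit(1206987458.792:35): avc: denied { read } for pid=3193 comm="dhcpd" name="net" dev=proc ino=4026531868 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file
type=AVC msg=audit(1206987458.792:35): avc: denied { read } for pid=3193 comm="dhcpd" name="dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.792:35): arch=40000003 syscall=5 success=yes exit=5 comm="dhcpd" exe="/usr/sbin/dhcpd"
type=AVC msg=audit(1206987458.814:36): avc: denied { getattr } for pid=3193 comm="dhcpd" path="/proc/3193/net/dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# Matches the permission set and the source/target contexts of one AVC denial.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(log):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial in the log."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        # A context is user:role:type:level; the type is what policy rules are written against.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        yield stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())


def summarize(log):
    """Merge denials into one TE allow rule per (source type, target type, class)."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(log):
        needed[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]


if __name__ == "__main__":
    for rule in summarize(AUDIT_LOG):
        print(rule)
```

The two rules it prints for this log are exactly the accesses the reporter describes: dhcpd_t reading the /proc/net symlink and reading/stat'ing /proc/net/dev, both labelled proc_net_t.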
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Dan, is this something that dhcpd is doing incorrectly, or is this an SELinux policy change?
I believe that it was an SELinux policy change, since dhcpd still reads /proc/net/dev and the policy no longer blocks it. I probably should have filed the bug against that component. It appears to have been resolved, so we can close this bug.