Bug 439848 - selinux denies dhcp access to required proc files
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: David Cantrell
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-03-31 14:43 EDT by Gordon Messmer
Modified: 2008-08-02 19:40 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-07-07 01:23:42 EDT
Description Gordon Messmer 2008-03-31 14:43:44 EDT
Description of problem:
If SELinux is Enforcing, dhcpd is unable to start.  It doesn't produce any logs
of its own, but SELinux records something like:

type=AVC msg=audit(1206988373.077:51): avc:  denied  { read } for  pid=4579
comm="dhcpd" name="net" dev=proc ino=4026531868
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file

If I set SELinux to permissive, it looks like several more things are denied by
policy:

type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193
comm="dhcpd" name="net" dev=proc ino=4026531868
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file
type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193
comm="dhcpd" name="dev" dev=proc ino=4026531955
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.792:35): arch=40000003 syscall=5 success=yes
exit=5 a0=80de96a a1=0 a2=1b6 a3=0 items=0 ppid=3192 pid=3193 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd"
exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)
type=AVC msg=audit(1206987458.814:36): avc:  denied  { getattr } for  pid=3193
comm="dhcpd" path="/proc/3193/net/dev" dev=proc ino=4026531955
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.814:36): arch=40000003 syscall=197 success=yes
exit=0 a0=5 a1=bfdd3528 a2=29dff4 a3=84b4930 items=0 ppid=3192 pid=3193 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
dhcp-4.0.0-13.fc9.i386
selinux-policy-3.3.1-26.fc9.noarch


How reproducible:
Always


Steps to Reproduce:
1. setenforce enforcing
2. service dhcpd start
Comment 1 Bug Zapper 2008-05-14 04:28:55 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 David Cantrell 2008-06-23 10:54:42 EDT
Dan,

Is this something that dhcpd is doing incorrectly, or is this an selinux policy change?
Comment 3 Gordon Messmer 2008-07-07 01:23:42 EDT
I believe that it was an selinux policy change, since dhcpd still reads
/proc/net/dev and the policy no longer blocks it.  I probably should have filed
the bug against that component.  It appears to have been resolved, so we can
close this bug.
