Bug 439848 - selinux denies dhcp access to required proc files
Summary: selinux denies dhcp access to required proc files
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dhcp
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: David Cantrell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-03-31 18:43 UTC by Gordon Messmer
Modified: 2008-08-02 23:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-07 05:23:42 UTC
Type: ---
Embargoed:


Description Gordon Messmer 2008-03-31 18:43:44 UTC
Description of problem:
If SELinux is Enforcing, dhcpd is unable to start.  It doesn't produce any logs
of its own, but SELinux records something like:

type=AVC msg=audit(1206988373.077:51): avc:  denied  { read } for  pid=4579
comm="dhcpd" name="net" dev=proc ino=4026531868
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file

If I set SELinux to permissive, it looks like several more things are denied by
policy:

type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193
comm="dhcpd" name="net" dev=proc ino=4026531868
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file
type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193
comm="dhcpd" name="dev" dev=proc ino=4026531955
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.792:35): arch=40000003 syscall=5 success=yes
exit=5 a0=80de96a a1=0 a2=1b6 a3=0 items=0 ppid=3192 pid=3193 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd"
exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)
type=AVC msg=audit(1206987458.814:36): avc:  denied  { getattr } for  pid=3193
comm="dhcpd" path="/proc/3193/net/dev" dev=proc ino=4026531955
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.814:36): arch=40000003 syscall=197 success=yes
exit=0 a0=5 a1=bfdd3528 a2=29dff4 a3=84b4930 items=0 ppid=3192 pid=3193 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1
comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
dhcp-4.0.0-13.fc9.i386
selinux-policy-3.3.1-26.fc9.noarch


How reproducible:
Always


Steps to Reproduce:
1. setenforce enforcing
2. service dhcpd start
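To triage denials like the ones above, the AVC records can be parsed and grouped by source type, target type and object class, which is the same aggregation audit2allow performs before proposing rules. The following Python is an added example, not part of the bug report or the dhcp package; its constructed sample input is the description's records rejoined onto one line each, the way auditd writes them.

```python
import re
from collections import defaultdict

# Constructed sample from the AVC records in the report above, one audit
# record per line. The SYSCALL record for event 35 is kept to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193 comm="dhcpd" name="net" dev=proc ino=4026531868 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file
type=AVC msg=audit(1206987458.792:35): avc:  denied  { read } for  pid=3193 comm="dhcpd" name="dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1206987458.792:35): arch=40000003 syscall=5 success=yes exit=5 a0=80de96a a1=0 a2=1b6 a3=0 items=0 ppid=3192 pid=3193 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=unconfined_u:system_r:dhcpd_t:s0 key=(null)
type=AVC msg=audit(1206987458.814:36): avc:  denied  { getattr } for  pid=3193 comm="dhcpd" path="/proc/3193/net/dev" dev=proc ino=4026531955 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# AVC header: verdict, the permission set in braces, then key=value fields.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]+)\} for (?P<rest>.*)')
# key=value pairs; a value is either a quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """user:role:type:level -> type, the part policy rules are written against."""
    return context.split(':')[2]


def summarize_denials(log):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
               rec['tclass'])
        rules[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in rules.items()}


def te_rules(summary):
    """Render the summary as the allow rules audit2allow would propose."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]
```

For the sample this yields two rules, read on proc_net_t lnk_file and getattr plus read on proc_net_t file; since Comment 3 confirms the fix shipped as a policy update, output like this is material for the bug report rather than a local module to load unchanged.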

Comment 1 Bug Zapper 2008-05-14 08:28:55 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and the reason for this action are here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 David Cantrell 2008-06-23 14:54:42 UTC
Dan,

Is this something that dhcpd is doing incorrectly, or is this an SELinux policy change?

Comment 3 Gordon Messmer 2008-07-07 05:23:42 UTC
I believe that it was an SELinux policy change, since dhcpd still reads
/proc/net/dev and the policy no longer blocks it.  I probably should have filed
the bug against that component.  It appears to have been resolved, so we can
close this bug.
