Bug 470622 - SELinux is preventing dnsmasq (dnsmasq_t)
SELinux is preventing dnsmasq (dnsmasq_t)
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-07 20:02 EST by John Poelstra
Modified: 2015-07-02 04:55 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-13 06:00:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Poelstra 2008-11-07 20:02:01 EST
Description of problem:
Adding a new printer results in AVC

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-180.el5


Steps to Reproduce:
1. install virtualization group
2. run dom0 network config with dhcp
3. wait/force lease renwal
  

Summary:


Summary:

SELinux is preventing dnsmasq (dnsmasq_t) "getattr" to
/var/lib/libvirt/dhcp-default.leases (var_lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by dnsmasq. It is not expected that this access
is required by dnsmasq and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/lib/libvirt/dhcp-default.leases,

restorecon -v '/var/lib/libvirt/dhcp-default.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/libvirt/dhcp-default.leases [ file ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          screamer
Source RPM Packages           dnsmasq-2.45-1.el5_2.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-180.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     screamer
Platform                      Linux screamer 2.6.18-122.el5 #1 SMP Mon Nov 3
                              18:18:14 EST 2008 i686 i686
Alert Count                   2
First Seen                    Thu 06 Nov 2008 11:56:40 AM PST
Last Seen                     Fri 07 Nov 2008 07:29:27 AM PST
Local ID                      534a9cce-e1ec-4767-be8f-56b7b8c2b43a
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1226071767.999:6): avc:  denied  { getattr } for  pid=2793 comm="dnsmasq" path="/var/lib/libvirt/dhcp-default.leases" dev=hda2 ino=1037569 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

host=screamer type=SYSCALL msg=audit(1226071767.999:6): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bf85b554 a2=b2aff4 a3=98f8278 items=0 ppid=2704 pid=2793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Summary:

SELinux is preventing dnsmasq (dnsmasq_t) "read append" to ./dhcp-default.leases
(var_lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by dnsmasq. It is not expected that this access
is required by dnsmasq and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dhcp-default.leases,

restorecon -v './dhcp-default.leases'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./dhcp-default.leases [ file ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          screamer
Source RPM Packages           dnsmasq-2.45-1.el5_2.1
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-180.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     screamer
Platform                      Linux screamer 2.6.18-122.el5 #1 SMP Mon Nov 3
                              18:18:14 EST 2008 i686 i686
Alert Count                   3
First Seen                    Wed 05 Nov 2008 11:38:51 AM PST
Last Seen                     Fri 07 Nov 2008 07:29:27 AM PST
Local ID                      b9876b16-ec52-458f-9b84-32cc44549b8c
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1226071767.991:5): avc:  denied  { read append } for  pid=2793 comm="dnsmasq" name="dhcp-default.leases" dev=hda2 ino=1037569 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

host=screamer type=SYSCALL msg=audit(1226071767.991:5): arch=40000003 syscall=5 success=yes exit=4 a0=98f7918 a1=8442 a2=1b6 a3=98f8278 items=0 ppid=2704 pid=2793 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-12-01 13:50:16 EST
Fixed in selinux-policy-2.4.6-194.el5

Note You need to log in before you can comment on or make changes to this bug.