Bug 509240 - selinux denies /etc/dhcp/dhclient.d/nis.sh to run 'mv' or domainname
Summary: selinux denies /etc/dhcp/dhclient.d/nis.sh to run 'mv' or domainname
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ypbind
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Karel Klíč
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 483747
Blocks:
Reported: 2009-07-01 20:48 UTC by David Cantrell
Modified: 2013-03-03 22:59 UTC (History)

Fixed In Version: ypbind-1.31-3.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of: 483747
Environment:
Last Closed: 2010-06-02 18:08:11 UTC
Type: ---
Embargoed:



Description David Cantrell 2009-07-01 20:48:13 UTC
+++ This bug was initially created as a clone of Bug #483747 +++

dhclient-script which is called by dhclient updates numerous configuration files based on information it received from dhcp server.
selinux policy breaks this functionality and, furthermore, the configuration file gets deleted:

selinux-policy-targeted-3.5.13-40.fc10.noarch

----
type=SYSCALL msg=audit(1233669374.062:20): arch=40000003 syscall=5 success=no exit=-13 a0=bfcadf57 a1=80c1 a2=180 a3=80c1 items=0 ppid=1984 pid=2013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1233669374.062:20): avc:  denied  { create } for  pid=2013 comm="mv" name="ntp.conf" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:dhcpc_state_t:s0 tclass=file
----
type=SYSCALL msg=audit(1233669383.075:21): arch=40000003 syscall=5 success=no exit=-13 a0=bfc6bdb8 a1=80c1 a2=180 a3=80c1 items=0 ppid=2418 pid=2446 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1233669383.075:21): avc:  denied  { create } for  pid=2446 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file


# ls -l /etc/ntp.conf
-rw-r--r-- 1 root root 1923 2008-08-29 04:26 /etc/ntp.conf

# service network restart
Shutting down interface eth0:  mv: cannot create regular file `/etc/ntp.conf': Permission denied
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...mv: cannot create regular file `/var/lib/dhclient/resolv.conf.predhclient.eth0': Permission denied
 done.
                                                           [  OK  ]
# ls -l /etc/ntp.conf
ls: cannot access /etc/ntp.conf: No such file or directory

--- Additional comment from dwalsh on 2009-02-04 11:10:22 EDT ---

I believe these are dhcp issues.

--- Additional comment from dcantrell on 2009-04-16 22:05:20 EDT ---

A fix for this will be in dhcp-4.0.0-34.fc10, which will appear first in the F-11 updates-testing collection.

It would be EXTREMELY helpful to me if you could test the update when it appears in updates-testing and report back whether or not it works.

--- Additional comment from updates on 2009-04-17 17:22:21 EDT ---

dhcp-4.0.0-34.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-34.fc10

--- Additional comment from updates on 2009-04-21 20:59:23 EDT ---

dhcp-4.0.0-34.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3825

--- Additional comment from chepkov on 2009-04-22 07:28:40 EDT ---

I use dhclient, not dhcp.
No changes in the new package:

# rpm -q dhclient
dhclient-4.0.0-34.fc10.i386

# service network restart
Shutting down interface eth0:  rm: cannot remove `/etc/ntp.conf': Permission denied
mv: inter-device move failed: `/var/lib/dhclient/ntp.conf.predhclient.eth0' to `/etc/ntp.conf'; unable to remove target: Permission denied
                                                           [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...mv: cannot create regular file `/var/lib/dhclient/resolv.conf.predhclient.eth0': Permission denied
mv: cannot create regular file `/var/lib/dhclient/ntp.conf.predhclient.eth0': Permission denied
/sbin/dhclient-script: line 407: /var/lib/dhclient/ntp.conf.predhclient.eth0: No such file or directory
 done.
                                                           [  OK  ]

--- Additional comment from chepkov on 2009-04-22 07:33:45 EDT ---

The file didn't get removed, but it has another issue now:

# tail /etc/ntp.conf

server 10.10.10.1  # added by /sbin/dhclient-script
server 10.10.10.1  # added by /sbin/dhclient-script

It keeps adding the same server after each restart.

--- Additional comment from dcantrell on 2009-04-22 15:55:29 EDT ---

dhclient is a subpackage of dhcp.  The entire upstream product is ISC dhcp, which has dhcpd (DHCP server), dhcrelay (DHCP relay agent), and dhclient (DHCP client), along with some other things.  Since it's very common for people to only want the DHCP client software, it is packaged in the 'dhclient' subpackage of the dhcp package.

It looks like a couple of things are happening here.  Thanks for the feedback.  What does 'getenforce' report on your system?

(I am going to be out of town from Apr 23 - Apr 26, so I'll probably look at this problem in detail when I get back.)

--- Additional comment from chepkov on 2009-04-22 19:54:03 EDT ---

# getenforce
Enforcing

--- Additional comment from europe110 on 2009-05-05 05:49:53 EDT ---

Hi David, thanks for the good work.

I am having the same problem and have now installed dhclient-4.0.0-34.fc10.i386
from the test repository with no luck.

Mine is an interesting test case:  a few days ago I booted from a newly downloaded and created Fedora 10 live CD.  The network worked perfectly.  Then I chose the option to install to the hard drive.  After installing and rebooting I faced the above issue.  I opened a terminal window and used yum to update all packages to the latest versions, but still the same issue.

Running Fedora from the live CD still gives me a working network.

My conclusion is that the only difference between running from the live CD and my hard drive is the login account.  Running from the live CD, the default login account perhaps has greater privileges or is a member of a necessary group.

If possible, I would suggest you replicate these 2 environments using the latest live install ISO. Alternately, boot from CD and hard drive and play spot the difference.

Let me know if you need further information or I can help with specific tests.

--- Additional comment from chepkov on 2009-06-10 12:25:37 EDT ---

Just installed Fedora 11, same issue:

dhclient-4.1.0-20.fc11.i586

type=SYSCALL msg=audit(1244650795.070:21): arch=40000003 syscall=5 success=no exit=-13 a0=bfb13d92 a1=80c1 a2=180 a3=b800d694 items=0 ppid=1815 pid=1836 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/bin/mv" subj=unconfined_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1244650795.070:21): avc:  denied  { create } for  pid=1836 comm="mv" name="resolv.conf.predhclient.eth0" scontext=unconfined_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

--- Additional comment from updates on 2009-06-26 23:01:37 EDT ---

dhcp-4.0.0-36.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10

--- Additional comment from alanh on 2009-06-26 23:36:21 EDT ---

I'm also getting dhcp SELINUX errors.

type=AVC msg=audit(1246071567.086:103): avc:  denied  { open } for  pid=15377 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.086:103): arch=c000003e syscall=2 success=yes exit=0 a0=7fff69ee7250 a1=0 a2=7fff69ee725c a3=7fff69ee7000 items=0 ppid=15364 pid=15377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246071567.093:104): avc:  denied  { read } for  pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246071567.093:104): avc:  denied  { open } for  pid=15380 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246071567.093:104): arch=c000003e syscall=2 success=yes exit=0 a0=7fffb8ad1e50 a1=0 a2=7fffb8ad1e5c a3=7fffb8ad1c00 items=0 ppid=15364 pid=15380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)

--- Additional comment from dcantrell on 2009-06-27 06:12:38 EDT ---

dhcp-4.1.0-22.fc11 is available in F-11 updates-testing to address these issues.  dhcp-4.0.0-36.fc10 is available in F-10 updates-testing to address these issues.

The original issue reported refers to the SELinux errors for the /bin/mv command, so that's what these updates clear up.  You may or may not still see the hostname denial (I am working on this as a separate issue).

Other denials that appear when you do an ifup or 'service network start' are not under dhcp's control.  Commands such as domainname and ifconfig are executed by other scripts, so it will fall under the responsibility of another package.

If you try the F-11 or F-10 update for this bug, please check /var/log/messages to see that the /bin/mv denials for dhcp are gone.  If they are, please comment on the update here and indicate whether or not it worked for you:

For F-10:
https://admin.fedoraproject.org/updates/dhcp-4.0.0-36.fc10

For F-11:
https://admin.fedoraproject.org/updates/dhcp-4.1.0-22.fc11

Thanks.

--- Additional comment from alanh on 2009-06-27 13:55:16 EDT ---

No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed.  I installed and rebooted, but I get this on every dhcp renewal:

type=AVC msg=audit(1246122931.111:38): avc:  denied  { read } for  pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.111:38): avc:  denied  { open } for  pid=3829 comm="domainname" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816 pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname" subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1246122931.115:39): avc:  denied  { read } for  pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1246122931.115:39): avc:  denied  { open } for  pid=3830 comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816 pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv" subj=system_u:system_r:dhcpc_t:s0 key=(null)

--- Additional comment from dcantrell on 2009-06-30 16:32:22 EDT ---

Alan,

Do you have ypbind installed?

--- Additional comment from updates on 2009-06-30 17:32:42 EDT ---

dhcp-4.1.0-22.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update dhcp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-7128

--- Additional comment from alanh on 2009-07-01 08:34:21 EDT ---

Good call. Yes, I did have ypbind installed.  I tried removing it, and the selinux errors stopped.

--- Additional comment from dcantrell on 2009-07-01 15:30:03 EDT ---

(In reply to comment #14)
> No, I'm still seeing it with dhclient-4.1.0-22.fc11.x86_64 installed.  I
> installed and rebooted, but I get this on every dhcp renewal:
> 
> type=AVC msg=audit(1246122931.111:38): avc:  denied  { read } for  pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.111:38): avc:  denied  { open } for  pid=3829
> comm="domainname" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hostname_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file

I think domainname is also run by the nis.sh helper script (see below).

> type=SYSCALL msg=audit(1246122931.111:38): arch=c000003e syscall=2 success=yes
> exit=0 a0=7ffff07500f0 a1=0 a2=7ffff07500fc a3=7ffff074fea0 items=0 ppid=3816
> pid=3829 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="domainname" exe="/bin/hostname"
> subj=system_u:system_r:hostname_t:s0 key=(null)

This is fixed in a recent selinux-policy update.

> type=AVC msg=audit(1246122931.115:39): avc:  denied  { read } for  pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1246122931.115:39): avc:  denied  { open } for  pid=3830
> comm="mv" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:dhcpc_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=SYSCALL msg=audit(1246122931.115:39): arch=c000003e syscall=2 success=yes
> exit=0 a0=7fff8f094550 a1=0 a2=7fff8f09455c a3=7fff8f094300 items=0 ppid=3816
> pid=3830 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/bin/mv"
> subj=system_u:system_r:dhcpc_t:s0 key=(null)  

Since you have ypbind installed, you have /etc/dhcp/dhclient.d/nis.sh, which is the helper script to handle NIS options for dhclient-script.  This helper script is running 'mv'.  It needs to be updated to not use mv, but rather cp with a context preserve -or- it can do what ntp.sh and dhclient-script do and read in the contents of the file to move to a variable and echo it out to the file you want to move it to.

The domainname AVC message will probably require an selinux policy change.

A new bug should be opened for ypbind that details this problem.

Comment 1 Bug Zapper 2009-11-16 10:35:24 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Tomasz Kepczynski 2009-11-20 11:26:02 UTC
I can confirm the problem with domainname in F12 with:
dhclient-4.1.0p1-13.fc12.x86_64
selinux-policy-targeted-3.6.32-41.fc12.noarch
What surprised me was that the problem didn't go away when I set selinux to permissive...

Comment 3 Tomasz Kepczynski 2009-11-20 13:28:51 UTC
Now I am puzzled. The problem with setting domainname from dhclient seems to only exist on x86_64 architecture, i686 seems to be working fine...

Comment 4 rwhalb 2009-11-30 03:13:31 UTC
System: F12 - 2.6.31.5-127.fc12.x86_64

I use a custom 'dhclient-exit-hooks' script that is called by the '/sbin/dhclient-script'. The 'dhclient-exit-hooks' script calls: "domainname" to set the domain. When 'dhclient-exit-hooks' is run by a network service start I get the following permission error: 

domainname: you must be root to change the domain name

I have selinux disabled:

[root@probe-eth0 tmp]# sestatus
SELinux status:                 disabled
[root@probe-eth0 tmp]# getenforce
Disabled

Snippet from an strace:

14009 write(2, "Setting domainname to `rwh.shop'"..., 33) = 33
14009 setdomainname("rwh.shop", 8)      = -1 EPERM (Operation not permitted)
14009 write(2, "domainname: you must be root to "..., 55) = 55

If I run '/sbin/dhclient-script' from the command line as user 'root' which calls 'dhclient-exit-hooks' I can set the domainname without issue.

The problem occurs when it is called from the 'network' service (which is run as root). In my case eth0 is configured for DHCP.

service network restart

[root@probe-eth0 tmp]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0...Setting domainname to `rwh.shop'
domainname: you must be root to change the domain name
 done.
                                                           [  OK  ]
[root@probe-eth0 tmp]#

So I have selinux disabled and am seeing this permission problem - strange?

I did some looking at the glibc source and found this call:

  /* Test for appropriate rights to set host ID.  */
  if (__libc_enable_secure)
    {
      __set_errno (EPERM);
      return -1;
    }

Is it possible that '__libc_enable_secure' is not set properly when the library is dynamically linked in?

Comment 5 Karel Klíč 2010-04-15 15:21:36 UTC
Hi rwhalb, can you please open another bug about your problem with setting the domainname? It does not seem like a problem with SELinux+ypbind, but unfortunately I am not sure where it belongs.

I changed the nis.sh script to use cp with context preserve instead of mv. The change is in ypbind-1.20.4-23.

The next step is to update the SELinux policy so that /etc/dhcp/dhclient.d/nis.sh can run domainname, right?
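As an added example, not code from the ypbind or dhcp packages, the following helper shows the second alternative David describes in the description (read the saved copy's contents and write them out into the destination) and the intent behind Karel's cp-based fix in comment 5: a file created under /etc by the shell itself gets the label SELinux assigns for that directory, whereas mv across filesystems keeps the source file's label, which is what the AVC messages above show being denied. The function and variable names are this example's own; the paths in demo() are constructed scratch paths.

```shell
#!/bin/sh
# Added example: safe replacement for "mv /var/lib/dhclient/X.predhclient.IF /etc/X"
# in a dhclient helper script.  Function and variable names are hypothetical.

# restore_config SRC DST
#   Copy SRC's bytes exactly (trailing newlines included) into a new file
#   created inside DST's directory, rename it into place, then remove SRC.
restore_config() {
    rc_src=$1
    rc_dst=$2
    rc_dir=$(dirname "$rc_dst")

    [ -f "$rc_src" ] || { echo "restore_config: $rc_src missing" >&2; return 1; }

    # The temporary file is created in the destination directory, so it
    # carries that directory's default label from the start.  The later mv
    # is a same-directory rename and keeps that label, unlike a cross-
    # filesystem mv, which would recreate the file with the source's label.
    rc_tmp=$(mktemp "$rc_dir/.$(basename "$rc_dst").XXXXXX") || return 1

    # Read the whole file into a variable.  The trailing 'x' keeps $(...)
    # from stripping final newlines; it is removed on the next line.
    rc_content=$(cat "$rc_src" && printf x) || { rm -f "$rc_tmp"; return 1; }
    rc_content=${rc_content%x}

    printf '%s' "$rc_content" > "$rc_tmp" || { rm -f "$rc_tmp"; return 1; }
    chmod 0644 "$rc_tmp"
    mv -f "$rc_tmp" "$rc_dst" || { rm -f "$rc_tmp"; return 1; }
    rm -f "$rc_src"
}

# Self-contained demonstration on constructed sample data in a scratch tree
# (stands in for /var/lib/dhclient and /etc).
demo() {
    work=$(mktemp -d)
    mkdir "$work/state" "$work/etc"
    printf 'domain example.com server 10.0.0.1\n' > "$work/state/yp.conf.predhclient.eth0"
    restore_config "$work/state/yp.conf.predhclient.eth0" "$work/etc/yp.conf"
    cat "$work/etc/yp.conf"
    rm -rf "$work"
}
```

On an SELinux system, `ls -Z /etc/yp.conf` after the copy shows the label /etc assigns rather than the one the saved copy had under /var/lib/dhclient.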

Comment 6 Fedora Update System 2010-05-19 15:05:41 UTC
ypbind-1.31-3.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/ypbind-1.31-3.fc13

Comment 7 Fedora Update System 2010-05-19 15:07:39 UTC
ypbind-1.20.4-24.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/ypbind-1.20.4-24.fc12

Comment 8 Fedora Update System 2010-05-20 18:47:17 UTC
ypbind-1.31-3.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ypbind'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/ypbind-1.31-3.fc13

Comment 9 Fedora Update System 2010-06-02 18:04:28 UTC
ypbind-1.20.4-24.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-06-02 18:07:59 UTC
ypbind-1.31-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

