Bug 714556 - SELinux is preventing /usr/sbin/dhcpd from 'write' accesses on the file dhcpd.pid.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:36419af4ac4...
Reported: 2011-06-20 04:46 UTC by Edgar Hoch
Modified: 2011-06-20 06:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-20 06:42:38 UTC
Type: ---



Description Edgar Hoch 2011-06-20 04:46:28 UTC
SELinux is preventing /usr/sbin/dhcpd from 'write' accesses on the file dhcpd.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that dhcpd should be allowed write access on the dhcpd.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dhcpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dhcpd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                dhcpd.pid [ file ]
Source                        dhcpd
Source Path                   /usr/sbin/dhcpd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           dhcp-4.2.1-9.P1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.7-30.fc15.x86_64 #1 SMP Fri
                              May 27 05:15:53 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mo 20 Jun 2011 06:41:05 CEST
Last Seen                     Mo 20 Jun 2011 06:41:05 CEST
Local ID                      d24c0ccf-68db-45dd-be5b-92846ea0a43f

Raw Audit Messages
type=AVC msg=audit(1308544865.537:8153): avc:  denied  { write } for  pid=22240 comm="dhcpd" name="dhcpd.pid" dev=tmpfs ino=2481946 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1308544865.537:8153): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5674cec920 a1=80241 a2=1a4 a3=2 items=0 ppid=1 pid=22240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dhcpd exe=/usr/sbin/dhcpd subj=system_u:system_r:dhcpd_t:s0 key=(null)

Hash: dhcpd,dhcpd_t,var_run_t,file,write

audit2allow

#============= dhcpd_t ==============
allow dhcpd_t var_run_t:file write;

audit2allow -R

#============= dhcpd_t ==============
allow dhcpd_t var_run_t:file write;

Comment 1 Miroslav Grepl 2011-06-20 06:42:38 UTC
It looks like you have started dhcpd directly.

That is, without using the service script. This caused the pid file to be created with the wrong label, since dhcpd was running in the wrong domain.

Executing

# restorecon -R -v /var/run/dhcp*

will fix it.
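
The diagnosis in Comment 1 can be read off the AVC record itself: the target file carries the generic var_run_t type and the unconfined_u SELinux user, which points at a mislabeled file rather than a missing policy rule. The sketch below is an added example, not part of the bug report or of selinux-policy; the GENERIC_TYPES list and the triage rule are assumptions made for illustration.

```python
import re

# The AVC record from the report above, embedded so the example runs offline.
SAMPLE_AVC = ('type=AVC msg=audit(1308544865.537:8153): avc:  denied  { write } for  '
              'pid=22240 comm="dhcpd" name="dhcpd.pid" dev=tmpfs ino=2481946 '
              'scontext=system_u:system_r:dhcpd_t:s0 '
              'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file')

# Assumption: generic types a new file inherits from its parent directory
# when no type transition applied. Illustrative, not exhaustive.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t",
                 "default_t", "unlabeled_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        fields[key] = value.strip('"')
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    for side in ("scontext", "tcontext"):
        # user:role:type:level (the level may itself contain ':')
        user, role, type_, *level = fields[side].split(":")
        fields[side] = {"user": user, "role": role, "type": type_,
                        "level": ":".join(level)}
    return fields

def triage(avc):
    """Heuristic: 'relabel', 'check-label' or 'review-policy' for a denial."""
    tgt = avc["tcontext"]
    generic = tgt["type"] in GENERIC_TYPES
    # A generically typed object created by an unconfined user: the file was
    # most likely made outside the service's domain, so relabel it
    # (restorecon) instead of adding an allow rule.
    if generic and tgt["user"] == "unconfined_u":
        return "relabel"
    # Generic type but a system-created object: compare the label with the
    # policy default before deciding.
    if generic:
        return "check-label"
    return "review-policy"

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(avc["comm"], avc["perms"], avc["tcontext"]["type"], "->", triage(avc))
```

A "relabel" verdict corresponds to the restorecon fix given in Comment 1; the audit2allow module suggested by the catchall plugin would instead grant dhcpd_t write access to every var_run_t file.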

