Bug 737571 - SELinux is preventing dhcpd setgid/setuid access
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Platform: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Duplicates: 743440
Blocks: 693381
Reported: 2011-09-12 11:09 EDT by Jiri Popelka
Modified: 2012-10-16 07:44 EDT
Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 05:18:39 EST

Attachments:
SELinux alert (4.61 KB, text/plain), 2011-09-12 11:09 EDT, Jiri Popelka
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid. (4.99 KB, text/plain), 2011-09-13 08:35 EDT, Jiri Popelka
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>. (2.51 KB, text/plain), 2011-09-13 08:37 EDT, Jiri Popelka

Description Jiri Popelka 2011-09-12 11:09:11 EDT
Created attachment 522720 [details]
SELinux alert

Hi,

I'm de-rooting dhcpd (bug #693381).
The fix is changing the effective user/group ID in the code.
When I then run dhcpd from the command line everything is fine, but when running it as a service (service dhcpd start) SELinux prevents dhcpd from setgid/setuid.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
Comment 1 Daniel Walsh 2011-09-12 14:44:24 EDT
We have this in F16 so I think we should backport it.
Comment 2 Jiri Popelka 2011-09-13 08:35:40 EDT
Created attachment 522918 [details]
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.

During testing I've discovered some other alerts I haven't seen before.
Comment 3 Jiri Popelka 2011-09-13 08:37:49 EDT
Created attachment 522919 [details]
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.

And this one. Not sure what it means. I see it when running two dhcpd servers in a failover pair.
Comment 4 Miroslav Grepl 2011-09-13 08:43:05 EDT
(In reply to comment #2)
> Created attachment 522918 [details]
> SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> 
> During testing I've discovered some other alerts I haven't seen before.

Have you ever started dhcpd by hand?

/var/run/dhcpd.pid is mislabeled.
Comment 5 Jiri Popelka 2011-09-13 09:12:55 EDT
(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 522918 [details]
> > SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> > 
> > During testing I've discovered some other alerts I haven't seen before.
> 
> Have you ever started dhcpd by hand?
> 
> /var/run/dhcpd.pid is mislabeled.

Yes, that's the problem. So this one is out. Thanks.
Comment 6 Jiri Popelka 2011-09-13 09:46:56 EDT
(In reply to comment #3)
> Created attachment 522919 [details]
> SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.
> 
> And this one. Not sure what does it mean. I see it when running two dhcpd
> servers in failover pair.

And this one has turned out to be a user error.
I was using wrong ports for the failover protocol.
Comment 10 Miroslav Grepl 2011-10-25 03:51:44 EDT
*** Bug 743440 has been marked as a duplicate of this bug. ***
Comment 11 Jiri Popelka 2011-10-26 09:31:10 EDT
There's one more serious problem.
See bug #693381, comment #17.

When dhcpd starts it writes /var/lib/dhcpd/dhcpd.leases as root:root, then de-roots itself and runs as dhcpd:dhcpd. I changed the ownership of /var/lib/dhcpd/ to dhcpd:dhcpd so dhcpd is able to write leases there as dhcpd:dhcpd.
The problem is that SELinux doesn't allow dhcpd to make the initial record as root:root.
Comment 12 Miroslav Grepl 2011-10-26 09:36:02 EDT
Yes, since dac_override is needed in this case.
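The three kinds of denial that came up in this bug (the setgid/setuid and dac_override capability checks that genuinely need policy, the dhcpd.pid denial that was only a mislabeled file from a manual start, and the name_bind denial that was a wrong port in dhcpd.conf) are exactly the cases where feeding audit.log straight into audit2allow produces a bad rule. The following is an added example, not code from this bug report, from selinux-policy or from the dhcp package: it parses AVC records and triages them before any allow rule is written. The audit records are constructed to resemble the denials discussed here, not copied from the attachments; the expected labels for /var/run/dhcpd.pid and /var/lib/dhcpd/dhcpd.leases are taken from the dhcp policy module's file contexts and should be confirmed with `matchpathcon` on the target system.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denials discussed in this bug.
# They are not the contents of the attached alerts.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315840000.123:101): avc:  denied  { setgid } for  pid=2901 comm="dhcpd" capability=6 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
type=AVC msg=audit(1315840000.123:102): avc:  denied  { setuid } for  pid=2901 comm="dhcpd" capability=7 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
type=AVC msg=audit(1315916100.456:140): avc:  denied  { read write } for  pid=3012 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1316000000.000:150): avc:  denied  { name_bind } for  pid=3050 comm="dhcpd" src=8080 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319632500.789:210): avc:  denied  { dac_override } for  pid=3300 comm="dhcpd" capability=1 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
"""

# Expected labels for dhcpd's files (assumed from the dhcp module's file contexts;
# verify with `matchpathcon <path>` on the real host before trusting a "relabel" verdict).
EXPECTED_LABELS = {
    "dhcpd.pid": ("/var/run/dhcpd.pid", "dhcpd_var_run_t"),
    "dhcpd.leases": ("/var/lib/dhcpd/dhcpd.leases", "dhcpd_state_t"),
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("scontext", "tcontext", "tclass")}
    rec["perms"] = m.group("perms").split()
    # Free-form fields between "for" and scontext: pid, comm, name, dev, ino, src, ...
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rules(records):
    """Collapse denials into te rules the way audit2allow does: one rule per
    (source type, target type or self, object class). Blindly loading these is
    wrong for the mislabel and wrong-port cases, which is what triage() is for."""
    perms = defaultdict(set)
    for r in records:
        stype, ttype = ctx_type(r["scontext"]), ctx_type(r["tcontext"])
        target = "self" if ttype == stype else ttype
        perms[(stype, target, r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def triage(records):
    """Classify each denial as 'policy' (a rule is needed), 'relabel' (fix the
    file label, not the policy) or 'config' (check the daemon's configuration)."""
    findings = []
    for r in records:
        stype, ttype, cls = ctx_type(r["scontext"]), ctx_type(r["tcontext"]), r["tclass"]
        perms = " ".join(sorted(r["perms"]))
        if cls == "capability":
            note = f"{stype} needs capability {{ {perms} }}"
            if "dac_override" in r["perms"]:
                # Root writing into a directory it does not own by DAC, as with the
                # initial dhcpd.leases record; fixing ownership or write order avoids it.
                note += " (root bypassing DAC; consider fixing ownership or write order instead)"
            findings.append(("policy", note))
        elif cls in ("file", "dir") and r.get("name") in EXPECTED_LABELS:
            path, expected = EXPECTED_LABELS[r["name"]]
            if ttype != expected:
                findings.append(("relabel", f"{path} is {ttype}, expected {expected}: run restorecon -v {path}"))
            else:
                findings.append(("policy", f"{stype} needs {cls} {{ {perms} }} on {expected}"))
        elif cls.endswith("_socket") and "name_bind" in r["perms"]:
            port = r.get("src", "?")
            findings.append(("config", f"{stype} tried to bind port {port} ({ttype}); verify the configured port before adding a rule"))
        else:
            findings.append(("policy", f"{stype} needs {cls} {{ {perms} }} on {ttype}"))
    return findings


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_AUDIT_LOG.splitlines()) if r]
    for kind, note in triage(recs):
        print(f"[{kind}] {note}")
    print("\n".join(allow_rules(recs)))
```

On the sample input the two setgid/setuid records and the dac_override record collapse into a single `allow dhcpd_t self:capability { dac_override setgid setuid };`, the dhcpd.pid record is reported as a relabel (var_run_t where dhcpd_var_run_t is expected), and the name_bind record is sent back to the configuration rather than turned into a port rule.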
Comment 13 Miroslav Grepl 2011-10-26 10:02:53 EDT
Added to selinux-policy-3.7.19-120.el6
Comment 14 errata-xmlrpc 2011-12-06 05:18:39 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
