737571 – SELinux is preventing dhcpd setgid/setuid access

Bug 737571 - SELinux is preventing dhcpd setgid/setuid access

Summary: SELinux is preventing dhcpd setgid/setuid access

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	743440 (view as bug list)
Depends On:
Blocks:	693381
TreeView+	depends on / blocked

Reported:	2011-09-12 15:09 UTC by Jiri Popelka
Modified:	2012-10-16 11:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-112.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:18:39 UTC
Target Upstream Version:

Attachments	(Terms of Use)
SELinux alert (4.61 KB, text/plain) 2011-09-12 15:09 UTC, Jiri Popelka	no flags	Details
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid. (4.99 KB, text/plain) 2011-09-13 12:35 UTC, Jiri Popelka	no flags	Details
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>. (2.51 KB, text/plain) 2011-09-13 12:37 UTC, Jiri Popelka	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Jiri Popelka 2011-09-12 15:09:11 UTC

Created attachment 522720 [details]
SELinux alert

Hi,

I'm de-rooting dhcpd (bug #693381).
The fix is in changing effective user/group ID in the code.
When I then run dhcpd from command line everything is fine but when running as service (service dhcpd start) SELinux prevents dhcpd from setgid/setuid.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch

Comment 1 Daniel Walsh 2011-09-12 18:44:24 UTC

We have this in F16 so I think we should back port.

Comment 2 Jiri Popelka 2011-09-13 12:35:40 UTC

Created attachment 522918 [details]
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.

During testing I've discovered some other alerts I haven't seen before.

Comment 3 Jiri Popelka 2011-09-13 12:37:49 UTC

Created attachment 522919 [details]
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.

And this one. Not sure what does it mean. I see it when running two dhcpd servers in failover pair.

Comment 4 Miroslav Grepl 2011-09-13 12:43:05 UTC

(In reply to comment #2)
> Created attachment 522918 [details]
> SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> 
> During testing I've discovered some other alerts I haven't seen before.

Have you ever started dhcpd by hand?

/var/run/dhcpd.pid is mislabeled.

Comment 5 Jiri Popelka 2011-09-13 13:12:55 UTC

(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 522918 [details]
> > SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> > 
> > During testing I've discovered some other alerts I haven't seen before.
> 
> Have you ever started dhcpd by hand?
> 
> /var/run/dhcpd.pid is mislabeled.

Yes, that's the problem. So this one is out. Thanks.

Comment 6 Jiri Popelka 2011-09-13 13:46:56 UTC

(In reply to comment #3)
> Created attachment 522919 [details]
> SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.
> 
> And this one. Not sure what does it mean. I see it when running two dhcpd
> servers in failover pair.

And this one has turned out to be a user error.
I was using wrong ports for the failover protocol.

Comment 10 Miroslav Grepl 2011-10-25 07:51:44 UTC

*** Bug 743440 has been marked as a duplicate of this bug. ***

Comment 11 Jiri Popelka 2011-10-26 13:31:10 UTC

There's one more serious problem.
See bug #693381, comment #17.

When dhcpd starts it writes /var/lib/dhcpd/dhcpd.leases as root:root, then de-roots itself and runs as dhcpd:dhcpd. I changed the ownership of /var/lib/dhcpd/ to dhcpd:dhcpd so dhcpd is able to write leases there as dhcpd:dhcpd.
Problem is that SELinux doesn't allow dhcpd to make the initial record as root:root.

Comment 12 Miroslav Grepl 2011-10-26 13:36:02 UTC

Yes, since dac_override is needed in this case.

Comment 13 Miroslav Grepl 2011-10-26 14:02:53 UTC

Added to selinux-policy-3.7.19-120.el6

Comment 14 errata-xmlrpc 2011-12-06 10:18:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.