Bug 737571 - SELinux is preventing dhcpd setgid/setuid access
Summary: SELinux is preventing dhcpd setgid/setuid access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 743440
Depends On:
Blocks: 693381
 
Reported: 2011-09-12 15:09 UTC by Jiri Popelka
Modified: 2012-10-16 11:44 UTC (History)
CC: 5 users

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:18:39 UTC


Attachments
SELinux alert (4.61 KB, text/plain), 2011-09-12 15:09 UTC, Jiri Popelka
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid. (4.99 KB, text/plain), 2011-09-13 12:35 UTC, Jiri Popelka
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>. (2.51 KB, text/plain), 2011-09-13 12:37 UTC, Jiri Popelka


Links
Red Hat Product Errata RHBA-2011:1511 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Jiri Popelka 2011-09-12 15:09:11 UTC
Created attachment 522720
SELinux alert

Hi,

I'm de-rooting dhcpd (bug #693381).
The fix is changing the effective user/group ID in the code.
When I run dhcpd from the command line everything is fine, but when it runs as a service (service dhcpd start) SELinux prevents dhcpd from doing setgid/setuid.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch

Comment 1 Daniel Walsh 2011-09-12 18:44:24 UTC
We have this in F16, so I think we should backport it.

Comment 2 Jiri Popelka 2011-09-13 12:35:40 UTC
Created attachment 522918
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.

During testing I've discovered some other alerts I haven't seen before.

Comment 3 Jiri Popelka 2011-09-13 12:37:49 UTC
Created attachment 522919
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.

And this one. Not sure what it means. I see it when running two dhcpd servers in a failover pair.

Comment 4 Miroslav Grepl 2011-09-13 12:43:05 UTC
(In reply to comment #2)
> Created attachment 522918
> SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> 
> During testing I've discovered some other alerts I haven't seen before.

Have you ever started dhcpd by hand?

/var/run/dhcpd.pid is mislabeled.

Comment 5 Jiri Popelka 2011-09-13 13:12:55 UTC
(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 522918
> > SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> > 
> > During testing I've discovered some other alerts I haven't seen before.
> 
> Have you ever started dhcpd by hand?
> 
> /var/run/dhcpd.pid is mislabeled.

Yes, that's the problem. So this one is out. Thanks.

Comment 6 Jiri Popelka 2011-09-13 13:46:56 UTC
(In reply to comment #3)
> Created attachment 522919
> SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.
> 
> And this one. Not sure what it means. I see it when running two dhcpd
> servers in a failover pair.

And this one has turned out to be a user error.
I was using the wrong ports for the failover protocol.

Comment 10 Miroslav Grepl 2011-10-25 07:51:44 UTC
*** Bug 743440 has been marked as a duplicate of this bug. ***

Comment 11 Jiri Popelka 2011-10-26 13:31:10 UTC
There's one more serious problem.
See bug #693381, comment #17.

When dhcpd starts it writes /var/lib/dhcpd/dhcpd.leases as root:root, then de-roots itself and runs as dhcpd:dhcpd. I changed the ownership of /var/lib/dhcpd/ to dhcpd:dhcpd so dhcpd is able to write leases there as dhcpd:dhcpd.
The problem is that SELinux doesn't allow dhcpd to make the initial record as root:root.

Comment 12 Miroslav Grepl 2011-10-26 13:36:02 UTC
Yes, since dac_override is needed in this case.
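The report mixes two kinds of denial that look alike in the audit log but need different fixes: the setgid/setuid denials in the description and the dac_override denial in comment 12 are genuine policy gaps (the dhcpd_t domain lacks a permission it now legitimately needs, which is what the selinux-policy erratum adds), while the read/write denial on dhcpd.pid in comments 2 to 5 is a mislabel caused by starting the daemon by hand, fixed with restorecon rather than a policy change. The script below, written for this page as an added example (it is not part of dhcpd or of the selinux-policy package, and the AVC lines in it are constructed to mirror the denials discussed here, not copied from the attachments), does the triage that sealert/audit2allow do: it parses AVC records, checks the numeric capability= field against the permission name (CAP_DAC_OVERRIDE=1, CAP_SETGID=6, CAP_SETUID=7 from linux/capability.h), reports files whose type differs from the one the file-context spec assigns, and emits audit2allow-style allow rules for the rest. The table of expected types (dhcpd_var_run_t for /var/run/dhcpd.pid, dhcpd_state_t for /var/lib/dhcpd) is taken from the reference policy's dhcp.fc and is this script's own assumption, not something read from the live policy.

```python
"""Triage SELinux AVC denials for dhcpd: mislabel versus real policy gap.

Added example for this bug report, not code from dhcpd or selinux-policy.
Expected file types below come from the reference policy's dhcp.fc and are
hard-coded here as an assumption; on a real host compare against
`matchpathcon <path>` or `restorecon -n -v <path>` instead.
"""
import re
from collections import defaultdict

# Constructed sample records (not the report's attachments): setgid/setuid
# denials from the description, the dhcpd.pid denial from comment 2, and
# the dac_override denial from comments 11/12.
SAMPLE_AVCS = """\
type=AVC msg=audit(1315840149.123:456): avc:  denied  { setgid } for  pid=2071 comm="dhcpd" capability=6  scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
type=AVC msg=audit(1315840149.123:457): avc:  denied  { setuid } for  pid=2071 comm="dhcpd" capability=7  scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
type=AVC msg=audit(1315917300.456:512): avc:  denied  { read write } for  pid=2203 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=130845 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319633400.789:601): avc:  denied  { dac_override } for  pid=2310 comm="dhcpd" capability=1  scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:system_r:dhcpd_t:s0 tclass=capability
"""

# Assumed from refpolicy dhcp.fc: what these files should be labelled.
EXPECTED_TYPES = {"dhcpd.pid": "dhcpd_var_run_t", "dhcpd.leases": "dhcpd_state_t"}

# Capability numbers from linux/capability.h; the kernel logs capability=N
# alongside the permission name, so the two must agree.
CAP_NUMBERS = {"dac_override": 1, "setgid": 6, "setuid": 7}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def capability_consistent(rec):
    """For tclass=capability, the numeric field must match the permission name."""
    if rec.get("tclass") != "capability" or "capability" not in rec:
        return True
    known = [CAP_NUMBERS[p] for p in rec["perms"] if p in CAP_NUMBERS]
    return all(n == int(rec["capability"]) for n in known)


def classify(rec):
    """('mislabel', expected_type) when the target file carries the wrong
    type, otherwise ('policy', None): the domain itself lacks the permission."""
    expected = EXPECTED_TYPES.get(rec.get("name"))
    actual = context_type(rec["tcontext"])
    if expected and actual != expected:
        return "mislabel", expected
    return "policy", None


def triage(text):
    """Return (sorted allow rules, [(name, actual_type, expected_type), ...])."""
    rules = defaultdict(set)
    mislabels = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not capability_consistent(rec):
            continue
        kind, expected = classify(rec)
        if kind == "mislabel":
            mislabels.append((rec["name"], context_type(rec["tcontext"]), expected))
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        # audit2allow writes 'self' when a domain acts on its own process.
        rules[(src, "self" if src == tgt else tgt, rec["tclass"])].update(rec["perms"])
    allow = sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                   for (s, t, c), p in rules.items())
    return allow, mislabels


if __name__ == "__main__":
    allow, mislabels = triage(SAMPLE_AVCS)
    for name, actual, expected in mislabels:
        print(f"mislabel: {name} is {actual}, expected {expected}; run restorecon -v on it")
    for rule in allow:
        print("policy gap:", rule)
```

On the constructed input the script reports dhcpd.pid as a mislabel (var_run_t where dhcpd_var_run_t is expected) and collapses the three capability denials into one rule, `allow dhcpd_t self:capability { dac_override setgid setuid };`, which is the shape of the change the erratum made. Treat the generated rule as a description of what the daemon asked for, not as something to load blindly with audit2allow -M: dac_override in particular lets the confined domain bypass file ownership checks everywhere, which is why it is worth knowing, as comment 11 explains, exactly which write needs it.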

Comment 13 Miroslav Grepl 2011-10-26 14:02:53 UTC
Added to selinux-policy-3.7.19-120.el6

Comment 14 errata-xmlrpc 2011-12-06 10:18:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

