Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 737571

Summary: SELinux is preventing dhcpd setgid/setuid access
Product: Red Hat Enterprise Linux 6 Reporter: Jiri Popelka <jpopelka>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, jbastian, ksrot, mganisin, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-112.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:18:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 693381    
Attachments:
Description Flags
SELinux alert
none
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
none
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>. none

Description Jiri Popelka 2011-09-12 15:09:11 UTC 
Created attachment 522720 [details]
SELinux alert

Hi,

I'm de-rooting dhcpd (bug #693381).
The fix is in changing effective user/group ID in the code.
When I then run dhcpd from command line everything is fine but when running as service (service dhcpd start) SELinux prevents dhcpd from setgid/setuid.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
Comment 1 Daniel Walsh 2011-09-12 18:44:24 UTC 
We have this in F16 so I think we should back port.
Comment 2 Jiri Popelka 2011-09-13 12:35:40 UTC 
Created attachment 522918 [details]
SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.

During testing I've discovered some other alerts I haven't seen before.
Comment 3 Jiri Popelka 2011-09-13 12:37:49 UTC 
Created attachment 522919 [details]
SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.

And this one. Not sure what does it mean. I see it when running two dhcpd servers in failover pair.
Comment 4 Miroslav Grepl 2011-09-13 12:43:05 UTC 
(In reply to comment #2)
> Created attachment 522918 [details]
> SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> 
> During testing I've discovered some other alerts I haven't seen before.

Have you ever started dhcpd by hand?

/var/run/dhcpd.pid is mislabeled.
Comment 5 Jiri Popelka 2011-09-13 13:12:55 UTC 
(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 522918 [details]
> > SELinux is preventing /usr/sbin/dhcpd "read"/"write" access on dhcpd.pid.
> > 
> > During testing I've discovered some other alerts I haven't seen before.
> 
> Have you ever started dhcpd by hand?
> 
> /var/run/dhcpd.pid is mislabeled.

Yes, that's the problem. So this one is out. Thanks.
Comment 6 Jiri Popelka 2011-09-13 13:46:56 UTC 
(In reply to comment #3)
> Created attachment 522919 [details]
> SELinux is preventing /usr/sbin/dhcpd "name_bind" access on <Unknown>.
> 
> And this one. Not sure what does it mean. I see it when running two dhcpd
> servers in failover pair.

And this one has turned out to be a user error.
I was using wrong ports for the failover protocol.
Comment 10 Miroslav Grepl 2011-10-25 07:51:44 UTC 
*** Bug 743440 has been marked as a duplicate of this bug. ***
Comment 11 Jiri Popelka 2011-10-26 13:31:10 UTC 
There's one more serious problem.
See bug #693381, comment #17.

When dhcpd starts it writes /var/lib/dhcpd/dhcpd.leases as root:root, then de-roots itself and runs as dhcpd:dhcpd. I changed the ownership of /var/lib/dhcpd/ to dhcpd:dhcpd so dhcpd is able to write leases there as dhcpd:dhcpd.
Problem is that SELinux doesn't allow dhcpd to make the initial record as root:root.
Comment 12 Miroslav Grepl 2011-10-26 13:36:02 UTC 
Yes, since dac_override is needed in this case.
Comment 13 Miroslav Grepl 2011-10-26 14:02:53 UTC 
Added to selinux-policy-3.7.19-120.el6
Comment 14 errata-xmlrpc 2011-12-06 10:18:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html