Bug 867291 - chown capability for dhcpd_t
Summary: chown capability for dhcpd_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 866714
Reported: 2012-10-17 09:01 UTC by Jiri Popelka
Modified: 2012-12-20 16:21 UTC

Fixed In Version:
Clone Of:
: 1082640
Environment:
Last Closed: 2012-12-20 16:20:59 UTC
Type: Bug
Embargoed:


Attachments
AVC (2.21 KB, text/plain)
2012-10-17 09:01 UTC, Jiri Popelka

Description Jiri Popelka 2012-10-17 09:01:47 UTC
Created attachment 628601
AVC

Hi,

would it be possible to have (F18+ would be sufficient) the chown capability for dhcpd_t?

Reason:
dhcpd is de-rooting (changing effective user/group ID) itself during start, but before doing so it creates the /var/lib/dhcpd/*.leases file. The leases file can't be created after de-rooting because of bug #765967.
In selinux-policy-3.10.0-72.fc16 dhcpd got dac_override to be able to create root:root owned files in /var/lib/dhcpd, which is owned by dhcpd:dhcpd.
Because we need the leases file to also be dhcpd:dhcpd owned, the reporter of bug #866714 suggested to chown them after creating, which seems to work, but we need to tweak the SELinux policy; see bug #866714, comment #11.
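
How an AVC denial of the kind attached to this report maps to the requested policy rule, as an added example that is not part of the original bug thread. The audit records are constructed (they are not the attached AVC), and `denied_rules` is a hypothetical helper that mimics the basic grouping audit2allow performs, not audit2allow itself:

```python
import re
from collections import defaultdict

# Constructed sample audit records (NOT the AVC attached to this bug).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1350464507.101:345): avc:  denied  { chown } for  pid=1234 comm="dhcpd" capability=0  scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1350464507.101:345): arch=c000003e syscall=92 success=no exit=-1 comm="dhcpd"
type=AVC msg=audit(1350464509.222:346): avc:  denied  { chown } for  pid=1240 comm="dhcpd" capability=0  scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:system_r:dhcpd_t:s0 tclass=capability
type=AVC msg=audit(1350464511.300:347): avc:  denied  { read write } for  pid=1240 comm="dhcpd" name="dhcpd.leases" dev="dm-0" ino=1234 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def denied_rules(audit_log, domain=None):
    """Collapse AVC denials into candidate allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for line in audit_log.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL/PATH records carry no permission set
        m = AVC_RE.search(line)
        if m is None:
            continue
        source = selinux_type(m.group("scon"))
        target = selinux_type(m.group("tcon"))
        if domain is not None and source != domain:
            continue
        # A process capability is checked against the domain itself: "self".
        if target == source:
            target = "self"
        grouped[(source, target, m.group("tclass"))].update(m.group("perms").split())
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(denied_rules(SAMPLE_AUDIT_LOG, domain="dhcpd_t")))
```

Repeated denials collapse into a single candidate rule, which is what a policy maintainer reviews before granting a capability to a domain.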

Comment 1 Bojan Smojver 2012-10-17 10:11:03 UTC
Actually, shouldn't this be fixed in F-17? That is where the original bug is...

Comment 2 Jiri Popelka 2012-10-17 10:21:49 UTC
I'd rather fix the original bug in F18+ only.
It's not such a serious problem and I don't want to introduce some regression as I did the last time (bug #765967) I tried to fix it.

Comment 3 Miroslav Grepl 2012-10-17 14:33:39 UTC
Added to -40.fc18

Comment 4 Bojan Smojver 2012-10-17 21:00:34 UTC
(In reply to comment #2)
> I'd rather fix the original bug in F18+ only.
> It's not so serious problem and I don't want to introduce some regression as
> the last time (bug #765967) I tried to fix it.

Come on - be bold! Just pot it in testing and we'll see...

Comment 5 Bojan Smojver 2012-10-17 21:02:00 UTC
(In reply to comment #4)
 
> Come on - be bold! Just pot it in testing and we'll see...

Sorry, typo. Put, not pot.

Comment 6 Jiri Popelka 2012-10-18 06:40:06 UTC
Well, that depends on Miroslav. Mirku, is this viable also in F17?

Comment 7 Fedora Update System 2012-10-23 20:35:36 UTC
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18

Comment 8 Fedora Update System 2012-10-26 15:38:30 UTC
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18

Comment 9 Fedora Update System 2012-10-26 19:28:08 UTC
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-12-20 16:21:01 UTC
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

