Bug 867291 - chown capability for dhcpd_t
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 866714
Reported: 2012-10-17 05:01 EDT by Jiri Popelka
Modified: 2012-12-20 11:21 EST

Doc Type: Bug Fix
Clone Of:
: 1082640
Last Closed: 2012-12-20 11:20:59 EST
Type: Bug


Attachments:
AVC (2.21 KB, text/plain), 2012-10-17 05:01 EDT, Jiri Popelka

Description Jiri Popelka 2012-10-17 05:01:47 EDT
Created attachment 628601
AVC

Hi,

would it be possible to have (F18+ would be sufficient) chown capability for dhcpd_t?

Reason:
dhcpd is de-rooting (changing effective user/group ID) itself during start, but before doing so it creates the /var/lib/dhcpd/*.leases file. The leases file can't be created after de-rooting because of bug #765967.
In selinux-policy-3.10.0-72.fc16 dhcpd got dac_override to be able to create root:root owned files in /var/lib/dhcpd, which is owned by dhcpd:dhcpd.
Because we need the leases file to also be dhcpd:dhcpd owned, the reporter of bug #866714 suggested chowning them after creating them, which seems to work, but we need to tweak the SELinux policy; see bug #866714, comment #11.
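
The sequence described in the report above (create the file while privileged, change its owner, then drop privileges), shown as an added example that is neither dhcpd's code nor part of the original report. The function names and the demo path are hypothetical; the `fchown()` call is the step that requires the chown capability in the caller's SELinux domain.

```c
#define _GNU_SOURCE 1          /* for setgroups() under strict -std= modes */
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* While still privileged, create the file and hand it to the service account.
 * Changing the owner is the step that needs CAP_CHOWN, which SELinux checks
 * as "capability chown" for the calling domain. Returns 0 on success, else -1. */
int create_owned_file(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse to write through a symlink planted at the path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;
    /* Work on the descriptor so the file cannot be swapped before the chown,
     * then confirm the resulting ownership. */
    int ok = fchown(fd, uid, gid) == 0 && fstat(fd, &st) == 0 &&
             st.st_uid == uid && st.st_gid == gid;
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Drop to uid/gid for good: supplementary groups, then gid, then uid.
 * Returns 0 only after the new identity has been verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* must not be able to regain root */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed demo: caller's own ids and a hypothetical path (runs unprivileged). */
    const char *path = argc > 1 ? argv[1] : "/tmp/example.leases";
    if (create_owned_file(path, getuid(), getgid()) != 0)
        return 1;
    return drop_privileges(getuid(), getgid()) != 0;
}
```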
Comment 1 Bojan Smojver 2012-10-17 06:11:03 EDT
Actually, shouldn't this be fixed in F-17? That is where the original bug is...
Comment 2 Jiri Popelka 2012-10-17 06:21:49 EDT
I'd rather fix the original bug in F18+ only.
It's not such a serious problem and I don't want to introduce a regression like the last time (bug #765967) I tried to fix it.
Comment 3 Miroslav Grepl 2012-10-17 10:33:39 EDT
Added to -40.fc18
Comment 4 Bojan Smojver 2012-10-17 17:00:34 EDT
(In reply to comment #2)
> I'd rather fix the original bug in F18+ only.
> It's not such a serious problem and I don't want to introduce a regression like
> the last time (bug #765967) I tried to fix it.

Come on - be bold! Just pot it in testing and we'll see...
Comment 5 Bojan Smojver 2012-10-17 17:02:00 EDT
(In reply to comment #4)
 
> Come on - be bold! Just pot it in testing and we'll see...

Sorry, typo. Put, not pot.
Comment 6 Jiri Popelka 2012-10-18 02:40:06 EDT
Well, that depends on Miroslav. Mirku, is this also viable in F17?
Comment 7 Fedora Update System 2012-10-23 16:35:36 EDT
selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18
Comment 8 Fedora Update System 2012-10-26 11:38:30 EDT
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Comment 9 Fedora Update System 2012-10-26 15:28:08 EDT
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-12-20 11:21:01 EST
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
