Dear fellow selinux experts,
I am trying to make one of my machines a DHCP server to connect other machines to the internet (see the thread on the Fedora list if applicable). I have achieved a breakthrough, but SELinux denies it :(
[root@localhost ~]# dhcpd -f
Internet Systems Consortium DHCP Server 4.0.0
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on   LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on   Socket/fallback/fallback-net
^C
[root@localhost ~]# service dhcpd stop
[root@localhost ~]# service dhcpd start
Starting dhcpd:                                            [  OK  ]
but now SELinux gets in the way :(
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied { read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
How can I allow it to work?
Setroubleshoot has not kicked in to warn me so I do not know a fix as of this moment :(
Regards,
Antonio
On Fri, 14 Nov 2008 18:10:16 -0800 (PST) Antonio Olivares olivares14031@yahoo.com wrote:
[...]
/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.
Try: # restorecon -v /var/run /var/run/dhcpd.pid
Paul.
--- On Sat, 11/15/08, Paul Howarth paul@city-fan.org wrote:
From: Paul Howarth paul@city-fan.org
Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
To: olivares14031@yahoo.com
Cc: fedora-selinux-list@redhat.com
Date: Saturday, November 15, 2008, 12:54 AM

On Fri, 14 Nov 2008 18:10:16 -0800 (PST) Antonio Olivares olivares14031@yahoo.com wrote:
[...]
/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.
Try: # restorecon -v /var/run /var/run/dhcpd.pid
Paul.
Thanks, I will try that later today.
Regards,
Antonio
/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.
Try: # restorecon -v /var/run /var/run/dhcpd.pid
Paul.
Tried that several times and now I get:
Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read write } for pid=11094 comm="restorecon" path="socket:[12486]" dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Thank you very much for helping :)
Regards,
Antonio
Antonio Olivares wrote:
[...]
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That looks like a leaked file descriptor. Are you using a konsole?
kde has a known leak.
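The two replies above make two different diagnoses from two AVC records: Paul's, that the target file carries the wrong type (var_run_t where the file-context rules want dhcpd_var_run_t), so the label on disk is fixed with restorecon and no policy change is needed; and Dan's, that a denial on path="socket:[...]" for restorecon is an inherited descriptor leaked by the terminal, not something to allow. As an added example, not code from this thread or from Paul or Dan, the following POSIX shell script triages AVC lines into those two cases. The two log lines are constructed copies of the denials quoted in the thread (with the missing space before scontext restored). The expected type dhcpd_var_run_t is passed in by hand because the script runs offline; on a live host it would come from `matchpathcon -n /var/run/dhcpd.pid`.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials offline.
# Not code from the fedora-selinux-list thread; the two log lines are
# constructed copies of the denials quoted in it.

AVC_DHCPD='Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file'
AVC_RESTORECON='Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read write } for pid=11094 comm="restorecon" path="socket:[12486]" dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped);
# exit status 1 if the key is absent.
avc_field() {
    ( set -f                      # tokens such as socket:[12486] must not glob
      for tok in $1; do
          case "$tok" in
              "$2"=*) printf '%s\n' "${tok#*=}" | tr -d '"'; exit 0 ;;
          esac
      done
      exit 1 )
}

# avc_perms LINE: the permission set inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE EXPECTED_TYPE
# EXPECTED_TYPE is the type the file-context rules assign to the target
# (on a live system: `matchpathcon -n PATH`); it is supplied by hand here
# so the example runs without libselinux installed.
# Output: mislabeled:NAME:ACTUAL:EXPECTED | leaked_fd:SRC:TGT | policy:SRC:TGT:CLASS
classify_avc() {
    line=$1 expected=$2
    tclass=$(avc_field "$line" tclass)
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    name=$(avc_field "$line" name || true)
    path=$(avc_field "$line" path || true)
    case "$tclass" in
        file|dir|lnk_file|sock_file|fifo_file|chr_file|blk_file)
            # A filesystem object: the label on disk is wrong if it differs
            # from what the policy says the path should carry.
            if [ -n "$expected" ] && [ "$ttype" != "$expected" ]; then
                echo "mislabeled:$name:$ttype:$expected"
            else
                echo "policy:$stype:$ttype:$tclass"
            fi ;;
        *)
            # Objects named socket:[n] / pipe:[n] were not opened by the
            # denied process; they were inherited across exec from a parent
            # in another domain (here the terminal's unconfined_t).
            case "$path" in
                socket:*|pipe:*) echo "leaked_fd:$stype:$ttype" ;;
                *)               echo "policy:$stype:$ttype:$tclass" ;;
            esac ;;
    esac
}

# suggest_fix VERDICT [PATH]: the action a practitioner would take.
suggest_fix() {
    case "$1" in
        mislabeled:*) printf 'restorecon -v %s\n' "$2" ;;
        leaked_fd:*)  echo '# inherited descriptor: fix or ignore the parent, do not allow it in policy' ;;
        *)            echo '# real policy gap: inspect with audit2allow -w before writing a module' ;;
    esac
}

# Demo with the two constructed lines.
v=$(classify_avc "$AVC_DHCPD" dhcpd_var_run_t)
echo "$v"; suggest_fix "$v" /var/run/dhcpd.pid
v=$(classify_avc "$AVC_RESTORECON" "")
echo "$v"; suggest_fix "$v"
```

On a real host, replace the hand-supplied expected type with the output of `matchpathcon -n /var/run/dhcpd.pid`, run `restorecon -n -v` first to see what would change, and confirm afterwards with `ls -Z /var/run/dhcpd.pid`. The setfiles_t denial on the inherited socket is noise from the terminal that launched restorecon and does not by itself stop the relabel, so the label on the PID file is what to check, not that AVC.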
--- On Mon, 11/17/08, Daniel J Walsh dwalsh@redhat.com wrote:
From: Daniel J Walsh dwalsh@redhat.com
Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
To: olivares14031@yahoo.com
Cc: "Paul Howarth" paul@city-fan.org, fedora-selinux-list@redhat.com
Date: Monday, November 17, 2008, 2:25 PM
Antonio Olivares wrote:
[...]
That looks like a leaked file descriptor. Are you using a konsole?
Yes and working on KDE
kde has a known leak.
Thanks,
Antonio