From: Paul Howarth <paul(a)city-fan.org>
Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
To: olivares14031(a)yahoo.com
Cc: fedora-selinux-list(a)redhat.com
Date: Saturday, November 15, 2008, 12:54 AM

On Fri, 14 Nov 2008 18:10:16 -0800 (PST)
Antonio Olivares <olivares14031(a)yahoo.com> wrote:
> Dear fellow selinux experts,
>
> I am trying to make one of my machines a dhcp server to connect other
> machines to the internet, see thread in Fedora list if applicable, I
> have achieved a breakthrough, but selinux denies it :(
>
> [root@localhost ~]# dhcpd -f
> Internet Systems Consortium DHCP Server 4.0.0
> Copyright 2004-2007 Internet Systems Consortium.
> All rights reserved.
> For info, please visit http://www.isc.org/sw/dhcp/
> Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
> Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were
> not specified in the config file
> Wrote 0 leases to leases file.
> Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on Socket/fallback/fallback-net
> ^C
> [root@localhost ~]# service dhcpd stop
> [root@localhost ~]# service dhcpd start
> Starting dhcpd:                                            [  OK  ]
>
> but now selinux gets in the way :(
>
> Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied { read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission denied.
>
> How can I allow it to work?
>
> Setroubleshoot has not kicked in to warn me so I do not know a fix as
> of this moment :(

/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.

Try:

# restorecon -v /var/run /var/run/dhcpd.pid

Paul.
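An added example, not code from the thread or from the SELinux or ISC dhcpd projects, showing the two steps behind the reply above: read the AVC records to see which domain (dhcpd_t) was denied which permission on a file carrying which type (var_run_t), then compare the file's actual label with the one the loaded policy expects before relabelling. The log lines in SAMPLE_AVC are constructed from the records quoted in the thread plus one non-AVC line as noise; avc_summary and check_label are names chosen here. The tools it calls (stat -c %C, matchpathcon -n, restorecon) are real, but check_label only runs them when they are present and otherwise prints the commands to run by hand. Files created outside the daemon's own domain (for example by a daemon started by hand from a root shell, as in the thread) typically get the directory's generic type rather than the one the policy's transition rules give the daemon's own files, which is the mislabelling this detects.

```shell
#!/bin/sh
# Added example: parse AVC denials from syslog text and check a file's label
# against policy. Sample records are constructed from the thread; one extra
# non-AVC line is included to show it is ignored.
SAMPLE_AVC='Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied { read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost dhcpd: Internet Systems Consortium DHCP Server 4.0.0'

# avc_summary LOGTEXT
# Prints one line per AVC record:  PERMS COMM NAME SOURCE_TYPE TARGET_TYPE TCLASS
# Several permissions in one record (e.g. "{ read write }") are joined with commas.
avc_summary() {
    printf '%s\n' "$1" | awk '
        # value of "key=..." on the current record, surrounding quotes removed
        function field(key,   s) {
            s = $0
            if (!sub(".*" key "=", "", s)) return ""
            sub(/ .*/, "", s)
            gsub(/"/, "", s)
            return s
        }
        # type component of a user:role:type[:level] security context
        function type_of(ctx,   p) { split(ctx, p, ":"); return p[3] }
        /avc: *denied / {
            perms = $0
            sub(/.*denied [{] */, "", perms)
            sub(/ *[}].*/, "", perms)
            gsub(/ /, ",", perms)
            print perms, field("comm"), field("name"),
                  type_of(field("scontext")), type_of(field("tcontext")), field("tclass")
        }'
}

# check_label PATH
# Compares the type in PATH's current context with the type the loaded
# policy's file contexts assign to PATH. Returns 0 on a match, 1 when PATH
# is mislabelled (and prints the restorecon command that fixes it), 2 when
# the SELinux tools are not available here or PATH does not exist.
check_label() {
    if ! command -v matchpathcon >/dev/null 2>&1 || ! [ -e "$1" ]; then
        printf 'cannot check %s here; on the SELinux host run: stat -c %%C %s ; matchpathcon -n %s\n' "$1" "$1" "$1"
        return 2
    fi
    actual=$(stat -c %C "$1" | awk -F: '{print $3}')
    expected=$(matchpathcon -n "$1" | awk -F: '{print $3}')
    if [ "$actual" = "$expected" ]; then
        printf '%s: %s (matches policy)\n' "$1" "$actual"
        return 0
    fi
    printf '%s: labelled %s, policy expects %s; fix with: restorecon -v %s\n' \
        "$1" "$actual" "$expected" "$1"
    return 1
}

# Usage: summarise the constructed denials, then check the pid file from the thread.
avc_summary "$SAMPLE_AVC"
check_label /var/run/dhcpd.pid || true
```

If check_label reports that the policy itself expects var_run_t for the path, restorecon will change nothing; that case means the policy has no file-context rule for the file and needs one (for example via semanage fcontext) rather than a relabel, which is a different problem from the one in the thread.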