8:10 p.m.
Dear fellow selinux experts,
I am trying to make one of my machines a dhcp server to connect other machines to the
internet, see thread in Fedora list if applicable, I have achieved a breakthrough, but
selinux denies it :(
[root@localhost ~]# dhcpd -f
Internet Systems Consortium DHCP Server 4.0.0
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the
config file
Wrote 0 leases to leases file.
Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on Socket/fallback/fallback-net
^C
[root@localhost ~]# service dhcpd stop
[root@localhost ~]# service dhcpd start
Starting dhcpd: [ OK ]
but now selinux gets in the way :(
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc: denied {
read } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0
ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc: denied {
write } for pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0
ino=3244731scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid: Permission
denied.
How can I allow it to work?
Setroubleshoot has not kicked in to warn me so I do not know a fix as of this moment :(
Regards,
Antonio
2:54 a.m.
On Fri, 14 Nov 2008 18:10:16 -0800 (PST)
Antonio Olivares <olivares14031(a)yahoo.com> wrote:
Dear fellow selinux experts,
I am trying to make one of my machines a dhcp server to connect other
machines to the internet, see thread in Fedora list if applicable, I
have achieved a breakthrough, but selinux denies it :(
[root@localhost ~]# dhcpd -f
Internet Systems Consortium DHCP Server 4.0.0
Copyright 2004-2007 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were
not specified in the config file Wrote 0 leases to leases file.
Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
Sending on Socket/fallback/fallback-net
^C
[root@localhost ~]# service dhcpd stop
[root@localhost ~]# service dhcpd start
Starting dhcpd: [ OK ]
but now selinux gets in the way :(
Nov 14 20:03:40 localhost kernel: type=1400
audit(1226714620.135:183): avc: denied { read } for pid=5267
comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731
scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14
20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc:
denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"
dev=dm-0 ino=3244731scontext=unconfined_u:system_r:dhcpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file Nov 14
20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid:
Permission denied.
How can I allow it to work?
Setroubleshoot has not kicked in to warn me so I do not know a fix as
of this moment :(
/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.
Try:
# restorecon -v /var/run /var/run/dhcpd.pid
Paul.
8:44 a.m.
--- On Sat, 11/15/08, Paul Howarth <paul(a)city-fan.org> wrote:
From: Paul Howarth <paul(a)city-fan.org>
Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd"
name="dhcpd.pid"
To: olivares14031(a)yahoo.com
Cc: fedora-selinux-list(a)redhat.com
Date: Saturday, November 15, 2008, 12:54 AM
On Fri, 14 Nov 2008 18:10:16 -0800 (PST)
Antonio Olivares <olivares14031(a)yahoo.com> wrote:
> Dear fellow selinux experts,
>
> I am trying to make one of my machines a dhcp server
to connect other
> machines to the internet, see thread in Fedora list if
applicable, I
> have achieved a breakthrough, but selinux denies it :(
>
> [root@localhost ~]# dhcpd -f
> Internet Systems Consortium DHCP Server 4.0.0
> Copyright 2004-2007 Internet Systems Consortium.
> All rights reserved.
> For info, please visit http://www.isc.org/sw/dhcp/
> Warning: subnet 10.154.19.0/27 overlaps subnet
10.154.19.0/24
> Not searching LDAP since ldap-server, ldap-port and
ldap-base-dn were
> not specified in the config file Wrote 0 leases to
leases file.
> Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on Socket/fallback/fallback-net
> ^C
> [root@localhost ~]# service dhcpd stop
> [root@localhost ~]# service dhcpd start
> Starting dhcpd:
[ OK ]
>
>
> but now selinux gets in the way :(
>
> Nov 14 20:03:40 localhost kernel: type=1400
> audit(1226714620.135:183): avc: denied { read } for
pid=5267
> comm="dhcpd" name="dhcpd.pid"
dev=dm-0 ino=3244731
> scontext=unconfined_u:system_r:dhcpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0
tclass=file Nov 14
> 20:03:40 localhost kernel: type=1400
audit(1226714620.135:184): avc:
> denied { write } for pid=5267 comm="dhcpd"
name="dhcpd.pid"
> dev=dm-0
ino=3244731scontext=unconfined_u:system_r:dhcpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0
tclass=file Nov 14
> 20:03:40 localhost dhcpd: Can't create PID file
/var/run/dhcpd.pid:
> Permission denied.
>
> How can I allow it to work?
>
> Setroubleshoot has not kicked in to warn me so I do
not know a fix as
> of this moment :(
/var/run/dhcpd.pid should be dhcpd_var_run_t, not
var_run_t.
Try:
# restorecon -v /var/run /var/run/dhcpd.pid
Paul.
Thanks, I will try that later today.
Regards,
Antonio
4:22 p.m.
/var/run/dhcpd.pid should be dhcpd_var_run_t, not
var_run_t.
Try:
# restorecon -v /var/run /var/run/dhcpd.pid
Paul.
Tried that several times and now I get :
Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read
write } for pid=11094 comm="restorecon" path="socket:[12486]"
dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Thank you very much for helping :)
Regards,
Antonio
4:25 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> /var/run/dhcpd.pid should be dhcpd_var_run_t, not
> var_run_t.
>
> Try:
> # restorecon -v /var/run /var/run/dhcpd.pid
>
> Paul.
Tried that several times and now I get :
Nov 17 16:18:15 localhost kernel: type=1400 audit(1226960295.233:8): avc: denied { read
write } for pid=11094 comm="restorecon" path="socket:[12486]"
dev=sockfs ino=12486 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Thank you very much for helping :)
Regards,
Antonio
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That looks like a
leaked file descriptor. Are you using a konsole?
kde has a known leak.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkkh70QACgkQrlYvE4MpobNCvQCfZk4LO2bqX3rb4dtM4v/v6k3L
1NgAnjzKVXC8Og/LQzZ7RKsvZ9ikOpx8
=aMwo
-----END PGP SIGNATURE-----
4:27 p.m.
--- On Mon, 11/17/08, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
From: Daniel J Walsh <dwalsh(a)redhat.com>
Subject: Re: avc: denied { write } for pid=5267 comm="dhcpd"
name="dhcpd.pid"
To: olivares14031(a)yahoo.com
Cc: "Paul Howarth" <paul(a)city-fan.org>, fedora-selinux-list(a)redhat.com
Date: Monday, November 17, 2008, 2:25 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
>> /var/run/dhcpd.pid should be dhcpd_var_run_t, not
>> var_run_t.
>>
>> Try:
>> # restorecon -v /var/run /var/run/dhcpd.pid
>>
>> Paul.
>
> Tried that several times and now I get :
>
> Nov 17 16:18:15 localhost kernel: type=1400
audit(1226960295.233:8): avc: denied { read write } for
pid=11094 comm="restorecon"
path="socket:[12486]" dev=sockfs ino=12486
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=unix_stream_socket
>
>
>
>
> Thank you very much for helping :)
>
> Regards,
>
>
> Antonio
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
That looks like a leaked file descriptor. Are you using a
konsole?
Yes and working on KDE
kde has a known leak.
Thanks,
Antonio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEYEARECAAYFAkkh70QACgkQrlYvE4MpobNCvQCfZk4LO2bqX3rb4dtM4v/v6k3L
1NgAnjzKVXC8Og/LQzZ7RKsvZ9ikOpx8
=aMwo
-----END PGP SIGNATURE-----
5638
days inactive
5640
days old
selinux@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Antonio Olivares -
Daniel J Walsh -
Paul Howarth