* dhcpd policy settings
From: Junji Kanemaru @ 2005-04-12 5:48 UTC
To: SE Linux
Hi,
I have a problem with dhcpd: it seems some recent policy update
has affected the dhcpd runtime environment.
dhcpd gets an avc permission error when it accesses
/var/lib/dhcpd.leases. The dmesg says:
audit(1113209633.019:0): avc: denied { search } for
pid=5585 exe=/usr/sbin/dhcpd name=lib dev=dm-0 ino=1409026
scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:home_root_t
tclass=dir
So I quickly looked into the policy settings and found there's a type setting
in /etc/selinux/targeted/src/policy/file_contexts/file_contexts that sets
/var/lib to 'system_u:object_r:home_root_t', but 'dhcpd.te' doesn't
have permission to traverse 'home_root_t:dir'...
I added the permission 'allow dhcpd_t home_root_t:dir { getattr search };' to
'dhcpd.te', and the error has gone.
But I'm not really sure if I did the right thing or not. I'd like to hear from
SELinux gurus whether this fix is OK, or there's some security exploit with
my fix, or there's a complete fix...
Please enlighten me.
Thanks,
-- Junji
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: dhcpd policy settings
From: Junji Kanemaru @ 2005-04-12 7:26 UTC
To: Junji Kanemaru; +Cc: SE Linux
Well, this is a self reply, but I kinda found the reason for what caused
the problem. I have created my daemon's home in /var/lib/my_daemon,
and it caused file_context to have the setting home_root_t:dir for /var/lib.
I'm going to create file context settings for my daemon.
Sorry for the bandwidth,
-- Junji
Junji Kanemaru wrote:
> Hi,
>
> I have a problem with dhcpd: it seems some recent policy update
> has affected the dhcpd runtime environment.
> dhcpd gets an avc permission error when it accesses
> /var/lib/dhcpd.leases. The dmesg says:
>
> audit(1113209633.019:0): avc: denied { search } for
> pid=5585 exe=/usr/sbin/dhcpd name=lib dev=dm-0 ino=1409026
> scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:home_root_t
> tclass=dir
>
> So I quickly looked into the policy settings and found there's a type setting
> in /etc/selinux/targeted/src/policy/file_contexts/file_contexts that sets
> /var/lib to 'system_u:object_r:home_root_t', but 'dhcpd.te' doesn't
> have permission to traverse 'home_root_t:dir'...
> I added the permission 'allow dhcpd_t home_root_t:dir { getattr search };' to
> 'dhcpd.te', and the error has gone.
> But I'm not really sure if I did the right thing or not. I'd like to hear from
> SELinux gurus whether this fix is OK, or there's some security exploit with
> my fix, or there's a complete fix...
> Please enlighten me.
>
> Thanks,
>
> -- Junji
>
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan
* Re: dhcpd policy settings
From: Stephen Smalley @ 2005-04-12 12:25 UTC
To: Junji Kanemaru; +Cc: SE Linux
On Tue, 2005-04-12 at 16:26 +0900, Junji Kanemaru wrote:
> Well, this is a self reply, but I kinda found the reason for what caused
> the problem. I have created my daemon's home in /var/lib/my_daemon,
> and it caused file_context to have the setting home_root_t:dir for /var/lib.
> I'm going to create file context settings for my daemon.
>
> Sorry for the bandwidth,
If you try the latest genhomedircon script from the sourceforge CVS tree
(or rawhide if using Fedora Core), do you still have this problem?
genhomedircon was recently rewritten to try to avoid assigning the home
types to anything that has an entry in the base file contexts
configuration.
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
* Re: dhcpd policy settings
From: Daniel J Walsh @ 2005-04-12 13:41 UTC
To: Junji Kanemaru; +Cc: SE Linux
Junji Kanemaru wrote:
>Hi,
>
>I have a problem with dhcpd: it seems some recent policy update
>has affected the dhcpd runtime environment.
>dhcpd gets an avc permission error when it accesses
>/var/lib/dhcpd.leases. The dmesg says:
>
>audit(1113209633.019:0): avc: denied { search } for
>pid=5585 exe=/usr/sbin/dhcpd name=lib dev=dm-0 ino=1409026
>scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:home_root_t
>tclass=dir
>
>So I quickly looked into the policy settings and found there's a type setting
>in /etc/selinux/targeted/src/policy/file_contexts/file_contexts that sets
>/var/lib to 'system_u:object_r:home_root_t', but 'dhcpd.te' doesn't
>have permission to traverse 'home_root_t:dir'...
>I added the permission 'allow dhcpd_t home_root_t:dir { getattr search };' to
>'dhcpd.te', and the error has gone.
>But I'm not really sure if I did the right thing or not. I'd like to hear from
>SELinux gurus whether this fix is OK, or there's some security exploit with
>my fix, or there's a complete fix...
>Please enlighten me.
>
This looks like you have a user with a home directory in a place like
/var/lib, which is causing it to be relabeled home_root_t.
genhomedircon generates locations for home directories via the getpwd
calls, and it looks for user accounts with uid >= 500, and sets up the
parent as home_root_t.
>Thanks,
>
>-- Junji
* Re: dhcpd policy settings
From: Russell Coker @ 2005-04-14 10:21 UTC
To: Daniel J Walsh; +Cc: Junji Kanemaru, SE Linux
On Tuesday 12 April 2005 23:41, Daniel J Walsh <dwalsh@redhat.com> wrote:
> This looks like you have a user with a home directory in a place like
> /var/lib, which is causing it to be relabeled home_root_t.
> genhomedircon generates locations for home directories via the getpwd
> calls, and it looks for user accounts with uid >= 500, and sets up the
> parent as home_root_t.
The real problem here is the UID being >500. The solution is to use the "-r"
option to useradd to create a system account; it will probably solve other
problems too.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
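An added check (not code from any of the posters) that applies Dan's explanation and Russell's fix: it scans passwd-format data for accounts at or above the uid threshold genhomedircon used (500 in this thread) whose home directory sits under a system path, since each such account makes genhomedircon label the parent directory home_root_t and breaks daemons like dhcpd that traverse it. The passwd sample is constructed, and the list of system path prefixes is an assumption.

```shell
#!/bin/sh
# Added example: list non-system accounts (uid >= threshold) whose home
# directory lies under a system path such as /var/lib. genhomedircon
# treats the parent of each such home as home_root_t, which is what
# denied dhcpd_t search access on /var/lib in the thread. Creating the
# daemon account with "useradd -r" allocates a system uid and avoids it.

# Constructed /etc/passwd sample for the demonstration (not a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
my_daemon:x:501:501:My daemon:/var/lib/my_daemon:/sbin/nologin
alice:x:502:502:Alice:/home/alice:/bin/bash
spooler:x:503:503:Spool:/var/spool/mine:/sbin/nologin'

# Reads passwd lines on stdin; prints "user home parent" for every account
# with uid >= $1 (default 500) whose home is below a prefix in $2
# (default: assumed system directories). Exit status is awk's, so callers
# should test the output rather than the status.
find_misplaced_homes() {
    min_uid=${1:-500}
    prefixes=${2:-"/var/lib /var/spool /usr /etc"}
    awk -F: -v min="$min_uid" -v prefixes="$prefixes" '
        BEGIN { n = split(prefixes, p, " ") }
        $3 >= min {
            for (i = 1; i <= n; i++) {
                # prefix must match as a whole path component, e.g. "/var/lib/"
                if (index($6, p[i] "/") == 1) {
                    parent = $6
                    sub(/\/[^\/]*$/, "", parent)   # strip last component
                    print $1, $6, parent           # parent would become home_root_t
                    break
                }
            }
        }'
}

# Run the check over the constructed sample (used by the test below).
check_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_misplaced_homes
}

check_sample
```

On current distributions the regular-user range usually starts at UID 1000 (UID_MIN in /etc/login.defs), so pass that as the first argument there; `getent passwd | find_misplaced_homes 1000` runs it against the live account database.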