dhcpd targeted policy

Rogelio J. Baucells rj at baucells.org
Wed Jan 19 17:26:16 UTC 2005


Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
> 
>> Hi,
>>
>> I am running a FC3 computer with the latest targeted policy 
>> (selinux-policy-targeted-1.17.30-2.68) and I am getting the following 
>> messages at the time dhcpd starts:
>>
>> -----------------------------------------------------------------
>> audit(1105547723.050:0): avc:  denied  { net_admin } for  pid=6247 
>> exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t 
>> tcontext=root:system_r:dhcpd_t tclass=capability
>>
>> audit(1105547723.244:0): avc:  denied  { read } for  pid=6247 
>> exe=/usr/sbin/dhcpd name=cacert.org.pem dev=hdc2 ino=230129 
>> scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:usr_t 
>> tclass=file
>> -----------------------------------------------------------------
>>
>> I looked at the configuration file (dhcpd.conf) and I do not see any 
>> place where I am referencing the cacert.org cert file. I use that file 
>> for other services and it is located at (/usr/share/ssl/certs).
>>
>> Is there any information on how to resolve these errors?
>>
>> Thanks
>>
>> RJB
>>
> selinux-policy-targeted-1.17.30-2.72 should have a fix for this
> 
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Hi,

I just checked again using the selinux-policy-targeted-1.17.30-2.72 and 
now I am getting two new errors in the log file at the time of starting 
dhcpd (I did a "restorecon -R /var/named" before starting the service).

-------------------------------------------------------------------
audit(1106155180.751:0): avc:  denied  { read } for  pid=21770 
exe=/usr/sbin/dhcpd name=urandom dev=tmpfs ino=503 
scontext=root:system_r:dhcpd_t 
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1106155180.752:0): avc:  denied  { read } for  pid=21770 
exe=/usr/sbin/dhcpd name=random dev=tmpfs ino=501 
scontext=root:system_r:dhcpd_t 
tcontext=system_u:object_r:random_device_t tclass=chr_file
-------------------------------------------------------------------

I no longer have the old errors...

I think the problem is accessing the /var/named/chroot/dev/random file. 
These are my SELinux-related settings for the files in that directory:

crw-r--r--  root     root     system_u:object_r:null_device_t  null
crw-r--r--  root     root     system_u:object_r:random_device_t random
crw-r--r--  root     root     system_u:object_r:zero_device_t  zero

Is there anything else I can do?

Thanks for your help

RJB
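As an added illustration (not from this thread, and not the audit2allow tool itself), the following parser turns AVC denials in the format quoted above into the allow rules they imply, which is a useful way to see exactly what a policy fix would have to grant before deciding whether the right answer is a policy update or a relabel. The sample messages are the denials from the post, joined back onto single lines; the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: the three denials quoted in the thread, each unwrapped onto one line
# (the FC3-era "audit(...): avc:  denied  { perms } for  key=value ..." format).
SAMPLE_AVC = """\
audit(1105547723.050:0): avc:  denied  { net_admin } for  pid=6247 exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t tcontext=root:system_r:dhcpd_t tclass=capability
audit(1106155180.751:0): avc:  denied  { read } for  pid=21770 exe=/usr/sbin/dhcpd name=urandom dev=tmpfs ino=503 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1106155180.752:0): avc:  denied  { read } for  pid=21770 exe=/usr/sbin/dhcpd name=random dev=tmpfs ino=501 scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:random_device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return the key=value fields of one denial plus a 'perms' list, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = m.group(1).split()
    return fields

def context_type(ctx):
    """Extract the type from a user:role:type security context."""
    return ctx.split(":")[2]

def summarize(text):
    """Collapse denials into (source type, target type, object class) -> set of permissions."""
    rules = OrderedDict()
    for line in text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        stype = context_type(f["scontext"])
        ttype = context_type(f["tcontext"])
        # A denial where the target is the process's own label (e.g. capabilities) maps to 'self'.
        target = "self" if ttype == stype else ttype
        rules.setdefault((stype, target, f["tclass"]), set()).update(f["perms"])
    return rules

def to_te_rules(rules):
    """Render the summary in .te allow-rule syntax; review each rule before putting it in a module."""
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    print("\n".join(to_te_rules(summarize(SAMPLE_AVC))))
```

Seeing the rules written out makes the distinction in the thread concrete: the net_admin line needs a policy change, while the random/urandom lines may instead mean the chroot's device nodes are labelled as the real devices and need a policy rule or a different label.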