avc: denied { write } for pid=5267 comm="dhcpd" name="dhcpd.pid"

Paul Howarth paul at city-fan.org
Sat Nov 15 08:54:56 UTC 2008


On Fri, 14 Nov 2008 18:10:16 -0800 (PST)
Antonio Olivares <olivares14031 at yahoo.com> wrote:

> Dear fellow selinux experts,
> 
> I am trying to make one of my machines a dhcp server to connect other
> machines to the internet, see thread in Fedora list if applicable, I
> have achieved a breakthrough, but selinux denies it :(  
> 
> [root at localhost ~]# dhcpd -f
> Internet Systems Consortium DHCP Server 4.0.0
> Copyright 2004-2007 Internet Systems Consortium.
> All rights reserved.
> For info, please visit http://www.isc.org/sw/dhcp/
> Warning: subnet 10.154.19.0/27 overlaps subnet 10.154.19.0/24
> Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were
> not specified in the config file
> Wrote 0 leases to leases file.
> Listening on LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on   LPF/eth0/00:0e:a6:42:59:af/10.154.19.0/24
> Sending on   Socket/fallback/fallback-net
> ^C
> [root at localhost ~]# service dhcpd stop
> [root at localhost ~]# service dhcpd start
> Starting dhcpd:                                            [  OK  ]
> 
> 
>  but now selinux gets in the way :(
> 
> Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183):
> avc:  denied  { read } for  pid=5267 comm="dhcpd" name="dhcpd.pid"
> dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184):
> avc:  denied  { write } for  pid=5267 comm="dhcpd" name="dhcpd.pid"
> dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> Nov 14 20:03:40 localhost dhcpd: Can't create PID file /var/run/dhcpd.pid:
> Permission denied.
> 
> How can I allow it to work?  
> 
> Setroubleshoot has not kicked in to warn me so I do not know a fix as
> of this moment :(  

/var/run/dhcpd.pid should be dhcpd_var_run_t, not var_run_t.

Try:
# restorecon -v /var/run /var/run/dhcpd.pid

Paul.
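The denials above are a labelling problem, not a policy gap: dhcpd_t is allowed to write a PID file of type dhcpd_var_run_t, but this file ended up with the generic var_run_t, so the right fix is restorecon rather than an allow rule. The following script is an added example, not code from either message in this thread or from the SELinux tooling. It parses avc records and flags file-class denials whose target carries a generic type as "relabel" cases. The first two sample lines are the denials quoted in the thread; the third (a denial on a file already labelled dhcpd_state_t) is constructed for contrast. The "expected type" it prints is a naming-convention guess (dhcpd_t plus var_run_t gives dhcpd_var_run_t); matchpathcon on the real path is the authoritative check.

```python
"""Triage SELinux AVC denials: mislabelled file or missing policy?

Added example, not from the original thread. Parses audit 'avc: denied'
records and, for file-class denials whose target carries a generic type
(var_run_t, var_lib_t, ...), suggests relabelling with restorecon instead
of writing an allow rule. The expected type is a convention guess;
`matchpathcon PATH` is the authoritative check.
"""
import re
from collections import defaultdict

# Lines 1-2: the denials quoted in the thread. Line 3: constructed, a denial
# on a file that already has the daemon's private type (dhcpd_state_t).
SAMPLE_LOG = """\
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:183): avc:  denied  { read } for  pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:03:40 localhost kernel: type=1400 audit(1226714620.135:184): avc:  denied  { write } for  pid=5267 comm="dhcpd" name="dhcpd.pid" dev=dm-0 ino=3244731 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Nov 14 20:05:01 localhost kernel: type=1400 audit(1226714701.000:190): avc:  denied  { setattr } for  pid=5301 comm="dhcpd" name="dhcpd.leases" dev=dm-0 ino=3244800 scontext=unconfined_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:dhcpd_state_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Generic types a confined daemon's private files should never keep. A file
# that carries one (created by hand, copied in, restored from a backup) is
# almost always a labelling problem, not a policy gap.
GENERIC_FILE_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t",
                      "var_t", "default_t", "unlabeled_t", "file_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}


def ctx_type(context):
    """user:role:type:level -> type (e.g. dhcpd_t)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the interesting fields of one AVC record as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(d["perms"].split())
    d["pid"] = int(d["pid"])
    return d


def classify(denial):
    """'relabel' if the target file has a generic type, else 'policy'."""
    ttype = ctx_type(denial["tcontext"])
    if denial["tclass"] in FILE_CLASSES and ttype in GENERIC_FILE_TYPES:
        return "relabel"
    return "policy"


def triage(log_text):
    """Group denials by (domain, target type, class, name) with a suggested fix."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (ctx_type(d["scontext"]), ctx_type(d["tcontext"]),
                   d["tclass"], d["name"], classify(d))
            groups[key].update(d["perms"])
    out = []
    for (stype, ttype, tclass, name, kind), perms in sorted(groups.items()):
        if kind == "relabel":
            # Convention guess: dhcpd_t + var_run_t -> dhcpd_var_run_t.
            # Confirm with `matchpathcon PATH` before trusting it.
            expected = stype[:-2] + "_" + ttype
            fix = ("restorecon -v <path to %s>  # expected type is probably %s"
                   % (name, expected))
        else:
            fix = ("target already has a private type; check booleans, then "
                   "build a local module with audit2allow after reviewing "
                   "%s %s:%s { %s }" % (stype, ttype, tclass, " ".join(sorted(perms))))
        out.append({"domain": stype, "target": ttype, "tclass": tclass,
                    "name": name, "perms": sorted(perms), "kind": kind, "fix": fix})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%(kind)-7s %(domain)s -> %(target)s (%(tclass)s %(name)s) %(perms)s\n        %(fix)s" % r)
```

On a live box the same split comes from `ls -Z /var/run/dhcpd.pid` against `matchpathcon /var/run/dhcpd.pid`: if the two types differ, restorecon is the fix and no policy change is needed.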



