Re: dhcpd targeted policy

["Rogelio J. Baucells" <rj@xxxxxxxxxxxx>]

Daniel J Walsh wrote:
> Rogelio J. Baucells wrote:
>
> > Hi,
> >
> > I am running a FC3 computer with the latest targeted policy 
> > (selinux-policy-targeted-1.17.30-2.68) and I am getting the following 
> > messages at the time dhcpd starts:
> >
> > -----------------------------------------------------------------
> > audit(1105547723.050:0): avc:  denied  { net_admin } for  pid=6247 
> > exe=/usr/sbin/dhcpd capability=12 scontext=root:system_r:dhcpd_t 
> > tcontext=root:system_r:dhcpd_t tclass=capability
> >
> > audit(1105547723.244:0): avc:  denied  { read } for  pid=6247 
> > exe=/usr/sbin/dhcpd name=cacert.org.pem dev=hdc2 ino=230129 
> > scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:usr_t 
> > tclass=file
> > -----------------------------------------------------------------
> >
> > I looked at the configuration file (dhcpd.conf) and I do not see any 
> > place where I am referencing the cacert.org cert file. I use that file 
> > for other services and it is located at (/usr/share/ssl/certs).
> >
> > Is there any information on how to resolve this errors?
> >
> > Thanks
> >
> > RJB
> selinux-policy-targeted-1.17.30-2.72 should have a fix for this
>
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Hi,

I just checked again using the selinux-policy-targeted-1.17.30-2.72 and 
now I am getting two new errors in the log file at the time of starting 
dhcpd (I did a "restorecon -R /var/named" before starting the service).

-------------------------------------------------------------------
audit(1106155180.751:0): avc:  denied  { read } for  pid=21770 
exe=/usr/sbin/dhcpd name=urandom dev=tmpfs ino=503 
scontext=root:system_r:dhcpd_t 
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

audit(1106155180.752:0): avc:  denied  { read } for  pid=21770 
exe=/usr/sbin/dhcpd name=random dev=tmpfs ino=501 
scontext=root:system_r:dhcpd_t 
tcontext=system_u:object_r:random_device_t tclass=chr_file
-------------------------------------------------------------------

I do not longer have the old errors...

I think the problem is accessing the /var/named/chroot/dev/random file. 
This is my selinux related settings for the files in that directory:

crw-r--r--  root     root     system_u:object_r:null_device_t  null
crw-r--r--  root     root     system_u:object_r:random_device_t random
crw-r--r--  root     root     system_u:object_r:zero_device_t  zero

Is there anything else I can do?

Thanks for your help

RJB