SELinux Mailing List

Re: dhcpd policy settings

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Tue, 12 Apr 2005 09:41:13 -0400


Junji Kanemaru wrote:

>Hi,
>
>I have a problem with dhcpd: it seems some recent policy update
>has affected the dhcpd runtime environment.
>dhcpd gets an AVC permission error when it accesses
>/var/lib/dhcpd.leases. The dmesg says:
>
>audit(1113209633.019:0): avc: denied { search } for
>pid=5585 exe=/usr/sbin/dhcpd name=lib dev=dm-0 ino=1409026
>scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:home_root_t
>tclass=dir
>
>So I quickly looked into the policy settings and found there is a type setting
>in /etc/selinux/targeted/src/policy/file_contexts/file_contexts where
>/var/lib is set to 'system_u:object_r:home_root_t', but 'dhcpd.te' doesn't
>have permission to traverse 'home_root_t:dir'...
>I added the permission 'allow dhcpd_t home_root_t:dir { getattr search };' to
>'dhcpd.te', and the error has gone.
>But I'm not really sure if I did the right thing or not; I'd like to hear from
>SELinux gurus whether this fix is OK, or there's some security exploit with
>my fix, or there's a complete fix...
>Please enlighten me.
>

This looks like you have a user with a home directory in a place like /var/lib, which is causing it to be relabeled home_root_t. genhomedircon generates locations for home directories via the getpwd calls; it looks for user accounts with uid >= 500 and sets up the parent as home_root_t.

>Thanks,
>
>-- Junji
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Tue 12 Apr 2005 - 09:51:09 EDT
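The reply above points at the root cause rather than at the allow rule: some account with uid >= 500 has its home directory under /var/lib, so genhomedircon treats /var/lib as a home root and labels it home_root_t. The script below is an added example, not code from this thread or from SELinux's own genhomedircon. It reproduces only the uid rule Dan Walsh describes (the real genhomedircon has further exclusions, which are an assumption not covered here), runs it over a constructed /etc/passwd sample, and parses the AVC line from the thread to pull out the source type, target type, class and denied permissions. The passwd entries, the uid threshold constant and the helper names are all illustrative.

```python
"""Diagnose why a system directory ended up labelled home_root_t.

Added example, not code from the mailing list or from SELinux's own
genhomedircon. It mimics the rule Dan Walsh describes: every account
with uid >= 500 contributes the parent of its home directory as a
home root. The passwd entries below are constructed for illustration.
"""
import os
import re

# Threshold quoted in the reply. Assumption: real genhomedircon applies
# further exclusions; only the uid rule is reproduced here.
MIN_UID = 500

# Constructed /etc/passwd sample: one service account (uid 501) keeps its
# home directory under /var/lib, which is what drags /var/lib into the
# home_root_t labelling.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
junji:x:500:500:Junji:/home/junji:/bin/bash
pgsql:x:501:501:PostgreSQL:/var/lib/pgsql:/bin/bash
"""


def home_roots(passwd_text, min_uid=MIN_UID):
    """Return {parent_dir: [usernames]} for accounts at or above min_uid.

    Each such account's home directory parent is what genhomedircon
    would set up as home_root_t, per the reply above.
    """
    roots = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip rather than guess
        name, uid, home = fields[0], fields[2], fields[5]
        try:
            uid = int(uid)
        except ValueError:
            continue
        if uid < min_uid:
            continue
        parent = os.path.dirname(home.rstrip("/")) or "/"
        roots.setdefault(parent, []).append(name)
    return roots


def suspicious_home_roots(passwd_text, expected=("/home",), min_uid=MIN_UID):
    """Home-root parents outside the expected locations: these are the
    directories that end up relabelled home_root_t by accident."""
    return {d: users for d, users in home_roots(passwd_text, min_uid).items()
            if d not in expected}


# Matches the kernel AVC format shown in the thread (audit 1.x era):
# "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract the fields needed to reason about an AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # user:role:type -> type
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


# The denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    "audit(1113209633.019:0): avc: denied { search } for pid=5585 "
    "exe=/usr/sbin/dhcpd name=lib dev=dm-0 ino=1409026 "
    "scontext=root:system_r:dhcpd_t tcontext=system_u:object_r:home_root_t "
    "tclass=dir"
)


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(f"{avc['stype']} denied {avc['perms']} on {avc['ttype']}:{avc['tclass']}")
    if avc["ttype"] == "home_root_t":
        for d, users in suspicious_home_roots(SAMPLE_PASSWD).items():
            print(f"{d} is treated as a home root because of: {', '.join(users)}")
```

Run against a real system, replace SAMPLE_PASSWD with the contents of /etc/passwd (or the output of `getent passwd`) and SAMPLE_AVC with the line from dmesg. The output names the account whose home directory pulled /var/lib into the home_root_t labelling, which is the question the reply above raises; the allow rule Junji added silences the denial without touching that cause.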
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
National Security Agency / Central Security Service