I have recently set up a Gentoo server to serve as a network router. Though it will serve on a semi-trusted network, I have nevertheless attempted to put together a secure server. Accordingly, I installed gentoo-hardened and have installed and configured SELinux. This is only my second time playing with SELinux and my first time getting it to work (for the most part). While for the most part everything seems to work fine, I have discovered that, when in SELinux enforcing mode, I cannot start dhcpd without errors:
Code:
root@server# run_init /etc/init.d/dhcpd start
Authenticating root.
Password:
* /var/lib/dhcp: creating directory
sed: can't read /etc/dhcp/dhcpd.conf: Permission denied
* /var/lib/dhcp/dhcpd.leases: creating file
* checkpath: open: Permission denied
sed: can't read /etc/dhcp/dhcpd.conf: Permission denied
* Starting dhcpd ... * start-stop-daemon: did not create a valid pid in `//var/run/dhcp/dhcpd.pid'
[ !! ]
* ERROR: dhcpd failed to start
I am running this from the following context:
Code:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t
Permissions on the requisite files/directories are thus:
Code:
root@server# ls -lZ /etc/dhcp
total 8
-rw-r--r--. 1 root root system_u:object_r:dhcp_etc_t 914 Nov 25 15:57 dhclient.conf
-rw-r--r--. 1 root root system_u:object_r:dhcp_etc_t 3305 Nov 26 15:27 dhcpd.conf
root@server# ls -ldZ /var/lib/dhcp
drwxr-xr-x. 2 dhcp dhcp system_u:object_r:dhcp_state_t 4096 Nov 27 20:15 /var/lib/dhcp
And the dhcpd process spawned looks like this:
Code:
LABEL UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
system_u:system_r:dhcpd_t dhcp 11114 1 0 2597 5716 0 20:36 ? 00:00:00 /usr/sbin/dhcpd -cf /etc/dhcp/dhcpd.conf -q -pf /var/run/dhcp/dhcpd.pid -lf /var/lib/dhcp/dhcpd.leases -user dhcp -group dhcp
As far as I can tell, the files and directories are labeled correctly, and for good measure I ran "rlpkg dhcp" with no change. I also tried reemerging the selinux-dhcp policy to no avail. Can anyone enlighten me on this behavior? Does this indicate a bug in the policy? A mistake in my configuration? Or am I simply not running the init.d script properly? As I said, I am fairly new to SELinux and anything that can shed light on its inner workings would be appreciated.
edit: To clarify, dhcpd starts normally if SELinux is set to permissive.
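When an init script run from sysadm_t fails under enforcing mode with "Permission denied" even though the file labels look right, the audit log's AVC records say exactly which source domain, target type, class and permission was refused. The shell snippet below is an added example (not from the poster or from Gentoo) that parses such records and prints the sesearch query to check whether the loaded policy grants that access; the two AVC lines are constructed to resemble this failure and are not real captured output.

```shell
#!/bin/sh
# Constructed sample AVC records in /var/log/audit/audit.log format, shaped after
# the failure in the post (sysadm_t running the init script's sed and checkpath
# against dhcp_etc_t / dhcp_state_t). These are not real logs from the server.
SAMPLE_AVC='type=AVC msg=audit(1322428800.123:456): avc:  denied  { read } for  pid=11090 comm="sed" name="dhcpd.conf" dev="sda3" ino=12345 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:dhcp_etc_t tclass=file
type=AVC msg=audit(1322428801.456:457): avc:  denied  { open } for  pid=11091 comm="checkpath" path="/var/lib/dhcp/dhcpd.leases" dev="sda3" ino=12346 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:dhcp_state_t tclass=file'

# summarize_avc: read audit records on stdin and print one line per denial:
#   comm scontext tcontext tclass perms
# On the real server feed it with: ausearch -m avc -ts recent | summarize_avc
summarize_avc() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)   # drop everything up to "{ "
      sub(/ *[}].*/, "", perms)           # drop " }" and the rest of the record
      cm = ""; s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)          { cm = $i; gsub(/^comm=|"/, "", cm) }
        else if ($i ~ /^scontext=/) s = substr($i, 10)
        else if ($i ~ /^tcontext=/) t = substr($i, 10)
        else if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      print cm, s, t, c, perms
    }'
}

# suggest_query: given scontext tcontext tclass perms, print the setools query
# that shows whether any allow rule in the loaded policy permits the access.
# Assumes plain user:role:type contexts without an MLS level suffix.
suggest_query() {
  src=${1##*:}   # sysadm_t from staff_u:sysadm_r:sysadm_t
  tgt=${2##*:}   # dhcp_etc_t from system_u:object_r:dhcp_etc_t
  echo "sesearch -A -s $src -t $tgt -c $3 -p \"$4\""
}

# Walk the sample: summarize each denial, then print the query to verify it.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | while read -r cm s t c p; do
  echo "$cm: $s -> $t ($c: $p)"
  suggest_query "$s" "$t" "$c" "$p"
done
```

If sesearch prints no allow rule for sysadm_t on dhcp_etc_t, the init script is running in the wrong domain (the expected transition into dhcpd_t did not happen for the helper commands), which is what the denials above point at rather than a mislabelled file.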