[DSE-Dev] Bug#860532: selinux-policy-default: dnsmasq doesn't start in enforcing mode, config+pidfile errors
Gert
t2 at gert.gr
Tue Apr 18 09:16:44 UTC 2017
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal
Dnsmasq process and config files seem correctly labeled, idk about the
pidfiles:
root at v:~# setenforce 0
root at v:~# service dnsmasq start
root at v:~# ps axZ|grep dnsmasq|grep -v grep
system_u:system_r:dnsmasq_t:s0 894 ? S 0:00 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service
root at v:~# ls -laZ /{etc,run}/dnsmasq*
-rw-r--r--. 1 root root system_u:object_r:dnsmasq_etc_t:s0 26716 aug 13 2016 /etc/dnsmasq.conf

/etc/dnsmasq.d:
total 16
drwxr-xr-x. 2 root root system_u:object_r:dnsmasq_etc_t:s0 4096 apr 17 16:35 .
drwxr-xr-x. 78 root root system_u:object_r:etc_t:s0 4096 apr 18 11:05 ..
-rw-r--r--. 1 root root system_u:object_r:dnsmasq_etc_t:s0 211 aug 13 2016 README
-rw-r--r--. 1 root root system_u:object_r:dnsmasq_etc_t:s0 296 dec 3 19:42 site.conf

/run/dnsmasq:
total 4
drwxr-xr-x. 2 dnsmasq nogroup system_u:object_r:initrc_var_run_t:s0 60 apr 18 11:08 .
drwxr-xr-x. 14 root root system_u:object_r:var_run_t:s0 560 apr 18 10:24 ..
-rw-r--r--. 1 root root system_u:object_r:initrc_var_run_t:s0 5 apr 18 11:08 dnsmasq.pid
Now I try it with selinux enforcing:
root at v:~# service dnsmasq stop
root at v:~# setenforce 1
root at v:~# service dnsmasq start
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
root at v:~# systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2017-04-18 10:38:07 CEST; 13s ago
  Process: 943 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 895 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 973 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=3)
  Process: 970 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 894 (code=exited, status=0/SUCCESS)

apr 18 10:38:07 v.local systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
apr 18 10:38:07 v.local dnsmasq[970]: dnsmasq: syntax check OK.
apr 18 10:38:07 v.local dnsmasq[973]: dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied
apr 18 10:38:07 v.local dnsmasq[973]: cannot access directory /etc/dnsmasq.d: Permission denied
apr 18 10:38:07 v.local dnsmasq[973]: FAILED to start up
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Control process exited, code=exited status=3
apr 18 10:38:07 v.local systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Unit entered failed state.
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
When I change /etc/default/dnsmasq, comment out CONFIG_DIR (which reads
dnsmasq.d), and instead add my config file directly:
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.d/site.conf"
the config file problem is gone, but then dnsmasq cannot make a pidfile:
root at v:~# setenforce 1
root at v:~# service dnsmasq start
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
root at v:~# systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2017-04-18 11:05:28 CEST; 4s ago
  Process: 1237 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1208 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1532 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=3)
  Process: 1530 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 1207 (code=exited, status=0/SUCCESS)

apr 18 11:05:28 v.local systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
apr 18 11:05:28 v.local dnsmasq[1530]: dnsmasq: syntax check OK.
apr 18 11:05:28 v.local dnsmasq[1532]: dnsmasq: failed to open pidfile /run/dnsmasq/dnsmasq.pid: Permission denied
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Control process exited, code=exited status=3
apr 18 11:05:28 v.local systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Unit entered failed state.
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
The only selinux error I see in dmesg is:
[ 2.769399] audit: type=1401 audit(1492503728.300:3): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:entropyd_t:s0
Thanks!
-- System Information:
Debian Release: 9.0
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libselinux1 2.6-3+b1
ii libsemanage1 2.6-2
ii libsepol1 2.6-2
ii policycoreutils 2.6-3
ii selinux-utils 2.6-3+b1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.6-2
pn setools <none>
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
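An added example, not part of the bug report above: a POSIX shell checker that compares the SELinux type on each path of a "path context" listing (like the `ls -laZ` output in the report) against the type the dnsmasq policy module is assumed to expect, and flags the /run/dnsmasq entries that carry the generic initrc_var_run_t instead of a dnsmasq-specific runtime type. The expected-type table is an assumption modelled on the reference policy's dnsmasq file-context spec, and the sample listing is constructed from the labels shown in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads "path context" lines and
# reports every path whose SELinux type differs from the one the dnsmasq
# policy module is assumed to expect.

# expected_type PATH: the type the dnsmasq file-context spec is assumed to
# assign to PATH (assumption; on a real host confirm with `matchpathcon PATH`).
expected_type() {
    case "$1" in
        /etc/dnsmasq.conf|/etc/dnsmasq.d|/etc/dnsmasq.d/*) echo dnsmasq_etc_t ;;
        /run/dnsmasq|/run/dnsmasq/*)                        echo dnsmasq_var_run_t ;;
        *)                                                  echo unknown ;;
    esac
}

# type_of CONTEXT: the type field of a user:role:type:level context string.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_labels: reads "path context" lines on stdin, prints one MISMATCH line
# per wrongly labelled path, and returns 0 only when every known path matches.
check_labels() {
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        if [ "$want" = unknown ]; then continue; fi
        have=$(type_of "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s, policy expects %s\n' "$path" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample reproducing the labels shown in the report. On a real
# host, generate the same shape with:
#   find /etc/dnsmasq* /run/dnsmasq -exec stat -c '%n %C' {} +
SAMPLE='/etc/dnsmasq.conf system_u:object_r:dnsmasq_etc_t:s0
/etc/dnsmasq.d/site.conf system_u:object_r:dnsmasq_etc_t:s0
/run/dnsmasq system_u:object_r:initrc_var_run_t:s0
/run/dnsmasq/dnsmasq.pid system_u:object_r:initrc_var_run_t:s0'

printf '%s\n' "$SAMPLE" | check_labels \
    || echo "relabel the flagged paths with: restorecon -Rv /run/dnsmasq"
```

A path that passes this label check but is still denied (as /etc/dnsmasq.d is in the report, being labelled dnsmasq_etc_t) points at the policy's allow rules rather than at labelling; the corresponding AVC record is in the audit log (`ausearch -m avc -ts recent`) rather than dmesg, and denials hidden by dontaudit rules can be surfaced with `semodule -DB`.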