[DSE-Dev] Bug#860532: selinux-policy-default: dnsmasq doesn't start in enforcing mode, config+pidfile errors

Gert t2 at gert.gr
Tue Apr 18 09:16:44 UTC 2017


Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

The dnsmasq process and config files seem correctly labeled; I don't know about the
pidfiles:

root at v:~# setenforce 0
root at v:~# service dnsmasq start
root at v:~# ps axZ|grep dnsmasq|grep -v grep
system_u:system_r:dnsmasq_t:s0    894 ?        S      0:00 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service
root at v:~# ls -laZ /{etc,run}/dnsmasq*
-rw-r--r--. 1 root    root    system_u:object_r:dnsmasq_etc_t:s0    26716 aug 13  2016 /etc/dnsmasq.conf

/etc/dnsmasq.d:
total 16
drwxr-xr-x.  2 root root system_u:object_r:dnsmasq_etc_t:s0 4096 apr 17 16:35 .
drwxr-xr-x. 78 root root system_u:object_r:etc_t:s0         4096 apr 18 11:05 ..
-rw-r--r--.  1 root root system_u:object_r:dnsmasq_etc_t:s0  211 aug 13  2016 README
-rw-r--r--.  1 root root system_u:object_r:dnsmasq_etc_t:s0  296 dec  3 19:42 site.conf

/run/dnsmasq:
total 4
drwxr-xr-x.  2 dnsmasq nogroup system_u:object_r:initrc_var_run_t:s0  60 apr 18 11:08 .
drwxr-xr-x. 14 root    root    system_u:object_r:var_run_t:s0        560 apr 18 10:24 ..
-rw-r--r--.  1 root    root    system_u:object_r:initrc_var_run_t:s0   5 apr 18 11:08 dnsmasq.pid


Now I try it with selinux enforcing:

root at v:~# service dnsmasq stop
root at v:~# setenforce 1
root at v:~# service dnsmasq start
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
root at v:~# systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2017-04-18 10:38:07 CEST; 13s ago
  Process: 943 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 895 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 973 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=3)
  Process: 970 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 894 (code=exited, status=0/SUCCESS)

apr 18 10:38:07 v.local systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
apr 18 10:38:07 v.local dnsmasq[970]: dnsmasq: syntax check OK.
apr 18 10:38:07 v.local dnsmasq[973]: dnsmasq: cannot access directory /etc/dnsmasq.d: Permission denied
apr 18 10:38:07 v.local dnsmasq[973]: cannot access directory /etc/dnsmasq.d: Permission denied
apr 18 10:38:07 v.local dnsmasq[973]: FAILED to start up
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Control process exited, code=exited status=3
apr 18 10:38:07 v.local systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Unit entered failed state.
apr 18 10:38:07 v.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

When I change /etc/default/dnsmasq, comment out CONFIG_DIR (which reads
dnsmasq.d), and instead add my config file directly:
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.d/site.conf"
the config file problem is gone, but then dnsmasq cannot make a pidfile:

root at v:~# setenforce 1
root at v:~# service dnsmasq start
Job for dnsmasq.service failed because the control process exited with error code.
See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
root at v:~# systemctl status dnsmasq.service
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2017-04-18 11:05:28 CEST; 4s ago
  Process: 1237 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1208 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1532 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=3)
  Process: 1530 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 1207 (code=exited, status=0/SUCCESS)

apr 18 11:05:28 v.local systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
apr 18 11:05:28 v.local dnsmasq[1530]: dnsmasq: syntax check OK.
apr 18 11:05:28 v.local dnsmasq[1532]: dnsmasq: failed to open pidfile /run/dnsmasq/dnsmasq.pid: Permission denied
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Control process exited, code=exited status=3
apr 18 11:05:28 v.local systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Unit entered failed state.
apr 18 11:05:28 v.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.


The only selinux error I see in dmesg is:
[    2.769399] audit: type=1401 audit(1492503728.300:3): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:entropyd_t:s0

Thanks!



-- System Information:
Debian Release: 9.0
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b1
ii  libsemanage1     2.6-2
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
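Editor's added example, not part of the bug report above and not code from the selinux-policy-default package: a small POSIX sh triage helper for the kind of enforcing-only "Permission denied" the report shows. The two facts a practitioner wants first are (a) whether the on-disk label of the path matches what the policy's file_contexts database expects (ls -Z versus matchpathcon; in the report /run/dnsmasq carries initrc_var_run_t, which is the label a directory created by an init script running in initrc_t receives) and (b) the actual AVC record, which lands in the audit log rather than dmesg when auditd is running and can be hidden entirely by dontaudit rules until semodule -DB disables them. check_type compares the type field of two contexts, avc_summary condenses raw AVC records from ausearch into "source type -> target type class { perms }", and triage wires both to the live tools. The sample AVC line is constructed, and the expected type dnsmasq_var_run_t used in the offline demo is an assumption about what the policy might specify, not something the report states; matchpathcon on the affected host gives the real answer.

```shell
#!/bin/sh
# Added example, not from the bug report: SELinux label triage for a daemon
# that fails with "Permission denied" only in enforcing mode.

# Type field (third colon-separated field) of a context such as
# system_u:object_r:initrc_var_run_t:s0 -> initrc_var_run_t
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Compare the type of an on-disk context ($2) with the type the policy's
# file_contexts expects ($3) for path $1. Prints a one-line verdict and
# returns 1 on mismatch so callers can chain a fix after it.
check_type() {
  actual=$(ctx_type "$2"); expected=$(ctx_type "$3")
  if [ "$actual" = "$expected" ]; then
    echo "ok $1 $actual"
  else
    echo "mismatch $1 $actual != $expected"; return 1
  fi
}

# Condense raw AVC records (as printed by 'ausearch -m AVC' or found in
# /var/log/audit/audit.log) into "src_type -> tgt_type class { perms }".
avc_summary() {
  sed -n 's/.*avc: *denied *{ *\([^}]*\)} .* scontext=[^:]*:[^:]*:\([^:]*\):.* tcontext=[^:]*:[^:]*:\([^:]*\):.* tclass=\([a-z_]*\).*/\2 -> \3 \4 { \1}/p'
}

# Live triage on a host with the SELinux userland installed: $1 is the
# daemon's domain (e.g. dnsmasq_t), the remaining arguments are the paths
# the daemon complained about.
triage() {
  dom=$1; shift
  for p in "$@"; do
    # GNU ls -Z prints the context as the first field; matchpathcon -n
    # prints only the context the file_contexts database expects.
    on_disk=$(ls -dZ "$p" | awk '{print $1}')
    expected=$(matchpathcon -n "$p")
    check_type "$p" "$on_disk" "$expected" || echo "  candidate fix: restorecon -v '$p'"
  done
  # Denials land in the audit log, not necessarily in dmesg; dontaudit rules
  # can hide them until 'semodule -DB' disables those rules.
  ausearch -m AVC -ts recent 2>/dev/null | grep "scontext=[^ ]*:$dom:" | avc_summary
}

# Constructed sample AVC record (not taken from the report) shaped like the
# pidfile failure: dnsmasq_t writing a file labelled initrc_var_run_t.
SAMPLE_AVC='type=AVC msg=audit(1492513528.100:42): avc:  denied  { write } for  pid=1532 comm="dnsmasq" name="dnsmasq.pid" dev="tmpfs" ino=99 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0'

# Offline demonstration using the contexts quoted in the report. The expected
# type dnsmasq_var_run_t is an assumption, not something the report states;
# run 'triage dnsmasq_t /etc/dnsmasq.d /run/dnsmasq /run/dnsmasq/dnsmasq.pid'
# on the affected host to get the policy's real answer.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
check_type /run/dnsmasq/dnsmasq.pid system_u:object_r:initrc_var_run_t:s0 system_u:object_r:dnsmasq_var_run_t:s0 || true
check_type /etc/dnsmasq.d system_u:object_r:dnsmasq_etc_t:s0 system_u:object_r:dnsmasq_etc_t:s0
```

A mismatch reported by check_type for a path created at runtime (a pidfile directory made by the init script) points at a missing file transition in the policy or at the script, not at a bad label on disk, so restorecon only papers over it until the next start; a denial whose source and target types both look correct, like dnsmasq_t against dnsmasq_etc_t in the first failure, points at a missing allow rule in the policy module instead.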
