1

I would like to have dhcpd execute a script, which for now just tries to create a log file in /var/log/dhcpd/, but SELinux does not allow it to do so.

Question

Can anyone from the below see what permissions I need to give the script or perhaps /var/log/dhcpd/?

# ls -ladZ /etc/dhcp/scripts/dhcp_log.sh 
-rwxrwx---. root dhcpd unconfined_u:object_r:bin_t:s0   /etc/dhcp/scripts/dhcp_log.sh
# ls -ladZ /var/log/dhcpd/
drwxrwxr-x. root dhcpd unconfined_u:object_r:var_log_t:s0 /var/log/dhcpd/

/var/log/audit/audit.log:

type=SERVICE_START msg=audit(1541512634.060:8940): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dhcpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1541512634.679:8941): avc:  denied  { open } for  pid=18112 comm="dhcp_log.sh" path="/var/log/dhcpd/log" dev="vda1" ino=16798830 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1541512634.679:8941): arch=c000003e syscall=2 success=no exit=-13 a0=afd170 a1=441 a2=1b6 a3=fffffff0 items=0 ppid=18111 pid=18112 auid=4294967295 uid=177 gid=177 euid=177 suid=177 fsuid=177 egid=177 sgid=177 fsgid=177 tty=(none) ses=4294967295 comm="dhcp_log.sh" exe="/usr/bin/bash" subj=system_u:system_r:dhcpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1541512634.679:8941): proctitle=2F7573722F62696E2F62617368002F6574632F646863702F736372697074732F646863705F6C6F672E7368006F7574707574
type=AVC msg=audit(1541512634.679:8942): avc:  denied  { open } for  pid=18112 comm="dhcp_log.sh" path="/var/log/dhcpd/log" dev="vda1" ino=16798830 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1541512634.679:8942): arch=c000003e syscall=2 success=no exit=-13 a0=afd170 a1=401 a2=1b6 a3=fffffff0 items=0 ppid=18111 pid=18112 auid=4294967295 uid=177 gid=177 euid=177 suid=177 fsuid=177 egid=177 sgid=177 fsgid=177 tty=(none) ses=4294967295 comm="dhcp_log.sh" exe="/usr/bin/bash" subj=system_u:system_r:dhcpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1541512634.679:8942): proctitle=2F7573722F62696E2F62617368002F6574632F646863702F736372697074732F646863705F6C6F672E7368006F7574707574
Sandra
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-troubleshooting – Michael Hampton Nov 06 '18 at 14:53
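
As an added example (not part of the original question or its comments): a small Python parser, run over the AVC and PROCTITLE records quoted in the question, that extracts the source domain, target type, class and permission of each denial and decodes the hex-encoded proctitle. The function names are assumptions made for illustration; the `allow` line follows the rule syntax that audit2allow prints.

```python
import re
from collections import defaultdict

# AVC and PROCTITLE records copied from the audit.log excerpt in the question.
SAMPLE = '''type=AVC msg=audit(1541512634.679:8941): avc:  denied  { open } for  pid=18112 comm="dhcp_log.sh" path="/var/log/dhcpd/log" dev="vda1" ino=16798830 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=PROCTITLE msg=audit(1541512634.679:8941): proctitle=2F7573722F62696E2F62617368002F6574632F646863702F736372697074732F646863705F6C6F672E7368006F7574707574
type=AVC msg=audit(1541512634.679:8942): avc:  denied  { open } for  pid=18112 comm="dhcp_log.sh" path="/var/log/dhcpd/log" dev="vda1" ino=16798830 scontext=system_u:system_r:dhcpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=PROCTITLE msg=audit(1541512634.679:8942): proctitle=2F7573722F62696E2F62617368002F6574632F646863702F736372697074732F646863705F6C6F672E7368006F7574707574
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)')

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class); decode argv per event."""
    denials, argv = defaultdict(set), {}
    for line in log_text.splitlines():
        avc = AVC_RE.search(line)
        title = PROCTITLE_RE.search(line)
        if avc:
            key = (se_type(avc["scontext"]), se_type(avc["tcontext"]), avc["tclass"])
            denials[key].update(avc["perms"].split())
        elif title:
            # proctitle is the hex-encoded command line with NUL-separated arguments
            raw = bytes.fromhex(title["hex"])
            argv[title["serial"]] = raw.decode("utf-8", "replace").split("\x00")
    return denials, argv

def allow_rules(denials):
    """Render each denial group as a type-enforcement allow rule for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules

if __name__ == "__main__":
    denials, argv = summarize(SAMPLE)
    print("\n".join(allow_rules(denials)))
    for serial, args in argv.items():
        print(serial, args)
```

The emitted rule would let dhcpd_t open every file labelled var_log_t, so treat it as a summary of what was denied and review it before turning it into a local policy module.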

1 Answer

-1

I had a similar issue a few days ago and resolved it by granting permissive privilege:

Write permission on file is NOT granted when used by postfix

Fdv