Bug 190291

Summary: Accesses to dnssec_t symlinks are not allowed by SELinux
Product: Red Hat Enterprise Linux 4 Reporter: Suzuki Takashi <suzuki-t>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: dwalsh, jvdias
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 19:05:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Patch allowing dhcpd and rndc to read dnssec_t symlinks none

Description Suzuki Takashi 2006-04-30 14:43:08 UTC
Description of problem:
When BIND TSIG key files are symlinks,
dhcpd and rndc cannot read the key files.
Their accesses are denied by SELinux policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.126

How reproducible:
Always

Steps to Reproduce:
1. Install bind, bind-chroot and dhcp packages.
2. Make a symlink /etc/rndc.key -> /var/named/chroot/etc/rndc.key.
3. chcon -h system_u:object_r:dnssec_t /etc/rndc.key
4. Setup BIND and DHCP Server to do dynamic updates.
5. Make a symlink /etc/dhcpd.key -> /var/named/chroot/etc/dhcpd.key.
/etc/dhcpd.key is for the dhcpd's dynamic updates.
6. chcon -h system_u:object_r:dnssec_t /etc/dhcpd.key
/var/named/chroot/etc/dhcpd.key
7. /sbin/service named start
8. /sbin/service dhcpd start
9. /sbin/service named stop

Actual results:
`/sbin/service dhcpd start' and `/sbin/service named stop' fail.

Expected results:
Both `/sbin/service dhcpd start' and `/sbin/service named stop' succeed.


Additional info:
By selinux-policy-targeted-1.17.30-2.126,
only accesses to regular files of dnssec_t are allowed for dhcpd and rndc:

[domains/program/named.te]
allow { ndc_t named_t } dnssec_t:file { getattr read };

[domains/program/dhcpd.te]
allow dhcpd_t dnssec_t:file { getattr read };

Comment 1 Suzuki Takashi 2006-05-02 14:06:02 UTC
Created attachment 128485 [details]
Patch allowing dhcpd and rndc to read dnssec_t symlinks

I made a custom RPM with this patch.
It works fine with bind-chroot.

Comment 2 Daniel Walsh 2006-05-03 19:54:08 UTC
I think the package from RedHat does this via bind mounts instead of symlinks.

Comment 3 Suzuki Takashi 2006-05-04 03:36:22 UTC
No.
bind-chroot-9.2.4-2 makes symlinks of rndc.key, named.custom and named.conf
by safe_replace function in its post-install script.

bind-chroot-9.3.2-22.FC6 in rawhide seems to do similarly by its
bind-chroot-admin script.
It does bind mounts, but only for /proc and /var/run/dbus.


Comment 4 Daniel Walsh 2006-05-04 04:52:10 UTC
Ok but wouldn't  the better solution be to allow ndc_t and dhcpd to etc_t:lnk_file?

In FC5 and Rawhide we have

allow { ndc_t named_t } etc_t:lnk_file r_file_perms;


Comment 5 Suzuki Takashi 2006-05-04 10:28:09 UTC
/etc/rndc.key (and /etc/dhcpd.key) symlinks are labeled etc_t
against the current file_contexts.

You mean, 
when rndc or dhcpd trys to access /etc/rndc.key or /etc/dhcpd.key,
access to the symlink itself is audited by etc_t and
then to the link target by dnssec_t?

It will be ok, but I feel slightly odd.
Isn't it better to give the same labels to a file and a symlink
of the same path but also of the same use?


Comment 8 Daniel Walsh 2006-05-09 16:36:50 UTC
Fixed in selinux-policy-targetd-1.17.30-2.134


Comment 9 Suzuki Takashi 2006-05-11 12:09:30 UTC
Could you upload the binary or source RPM somewhere so that I can test with it?

Comment 10 Daniel Walsh 2006-05-11 14:16:02 UTC
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u4/ 

Has it.

Comment 11 Roger Blofeld 2006-08-02 21:59:45 UTC
This problem is also present in FC5 using selinux-policy-targeted-2.3.3-8.fc5.

The file policy/modules/services/bind.te contains (for example):

allow ndc_t dnssec_t:file { getattr read };

instead of the patched version:

allow ndc_t dnssec_t:{ file lnk_file } { getattr read };

which causes denials reading rndc.key when starting named.

BTW, is the serefpolicy-2.3.3.tgz archive in the SRPM supposed to contain all of
the .svn directories?




Comment 12 Daniel Walsh 2008-01-30 19:05:24 UTC
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.