Bug 1183159

Summary: dnssec-trigger causes selinux fail on /run/dnssec-trigger/lock on connect
Product: [Fedora] Fedora Reporter: John Heidemann <johnh>
Component: dnssec-triggerAssignee: Paul Wouters <pwouters>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 21CC: pj.pandit, psimerda, pspacek, pwouters, thozza, vonsch
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnssec-trigger-0.12-16.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-08 13:08:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Heidemann 2015-01-16 21:22:30 UTC 
Description of problem:
dnssec-trigger causes selinux fail on /run/dnssec-trigger/lock on connect.
It all works, but the warning is annoying.


Version-Release number of selected component (if applicable):
dnssec-trigger-0.12-15.fc21.x86_64
selinux-policy-3.13.1-103.fc21.noarch
selinux-policy-targeted-3.13.1-103.fc21.noarch


How reproducible:
every time

Steps to Reproduce:
1. enable dnssec-trigger
2. connect to network
3. observe the selinux alert in your message tray
4. be somewhat relieved that dns is still actually working

Actual results:
selinux alert with no obvious resolution
(without rolling my own policy file)

Expected results:
silence


Additional info:

output of sealert -l

SELinux is preventing /usr/sbin/unbound-control from write access on the file /run/dnssec-trigger/lock.

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore unbound-control trying to write access the lock file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/unbound-control /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that unbound-control should be allowed write access on the lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:dnssec_trigger_var_run_t:s0
Target Objects                /run/dnssec-trigger/lock [ file ]
Source                        unbound-control
Source Path                   /usr/sbin/unbound-control
Port                          <Unknown>
Host                         (my host omitted)
Source RPM Packages           unbound-1.5.1-2.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (my host)
Platform                      Linux (my host) 3.17.7-300.fc21.x86_64 #1 SMP
                              Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   137
First Seen                    2015-01-15 21:55:38 PST
Last Seen                     2015-01-16 13:13:11 PST
Local ID                      (omitted)

Raw Audit Messages
type=AVC msg=audit(1421442791.666:39108): avc:  denied  { write } for  pid=15625 comm="unbound-control" path="/run/dnssec-trigger/lock" dev="tmpfs" ino=24587 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1421442791.666:39108): arch=x86_64 syscall=execve success=yes exit=0 a0=1e821e0 a1=1e803e0 a2=7fff817770e8 a3=30 items=0 ppid=15613 pid=15625 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unbound-control exe=/usr/sbin/unbound-control subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-control,named_t,dnssec_trigger_var_run_t,file,write
Comment 1 Pavel Šimerda (pavlix) 2015-01-19 11:49:01 UTC 

*** This bug has been marked as a duplicate of bug 1147705 ***
Comment 2 Fedora Update System 2015-01-30 00:05:41 UTC 
dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21
Comment 3 Tomáš Hozza 2015-04-08 13:08:33 UTC 
This issue should be fixed in the current dnssec-trigger package. Please test and reopen if the package does not fix the issue for you.
Comment 4 John Heidemann 2015-04-08 16:15:33 UTC 
will do.
Comment 5 John Heidemann 2015-04-16 22:30:07 UTC 
It's hard to prove a negative, but the problem seems fixed.  (I haven't seen the messages since dnssec-trigger-0.12-16.fc21.)  THanks!