Bug 1240193

Summary: /etc/resolv.conf relabel issue
Product: [Fedora] Fedora Reporter: Matthias Runge <mrunge>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dominick.grift, dwalsh, lvrabec, mgrepl, mrunge, pj.pandit, plautrba, psimerda, pspacek, pwouters, thozza
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-128.8.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-30 13:54:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1182488    

Description Matthias Runge 2015-07-06 07:40:50 UTC 
Description of problem:

I followed https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#Option_1_-_Use_experimental_implementation_available_in_Fedora_20_and_newer

and got:

SELinux is preventing dnssec-trigger- from relabelfrom access on the file /etc/resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dnssec-trigger- should be allowed relabelfrom access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-trigger- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        dnssec-trigger-
Source Path                   dnssec-trigger-
Port                          <Unknown>
Host                          sofja.berg.ol
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.4.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sofja.berg.ol
Platform                      Linux sofja.berg.ol 4.0.7-300.fc22.x86_64 #1 SMP
                              Mon Jun 29 22:15:06 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-06 09:29:29 CEST
Last Seen                     2015-07-06 09:29:29 CEST
Local ID                      e728a93c-aff1-456e-bd9b-7fe80ec571ec

Raw Audit Messages
type=AVC msg=audit(1436167769.30:593): avc:  denied  { relabelfrom } for  pid=4802 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
Comment 1 Matthias Runge 2015-07-06 07:41:46 UTC 
dnssec-trigger-0.12-20.fc22.x86_64
selinux-policy-3.13.1-128.4.fc22.noarch
Comment 2 Tomáš Hozza 2015-07-07 08:50:43 UTC 
dnssec-trigger creates new resolv.conf with different name and then renames it to cope with possible issues if the resolv.conf is a symlink. I think that SELinux should allow dnssec-trigger to do that.

Also the SELinux reports in general could be more verbose, since most of the time I'm having a hard time understanding what actually happened.

Moving to selinux-policy.
Comment 3 Lukas Vrabec 2015-07-07 20:04:43 UTC 
Hi Tomas, 
Could you reproduce this issue in permissive mode? 
Thank you!
Comment 4 Tomáš Hozza 2015-07-08 10:54:02 UTC 
(In reply to Lukas Vrabec from comment #3)
> Hi Tomas, 
> Could you reproduce this issue in permissive mode? 
> Thank you!

I'm not sure if I'll be able to. Setting NEEDINFO on the reporter...
Comment 5 Lukas Vrabec 2015-07-08 11:36:39 UTC 
OK, I need all AVCS to fix in in one step.
Comment 6 Matthias Runge 2015-07-09 06:00:09 UTC 
Yesterday, I relabeled my file system; system install was a fresh f22 install. I can not reproduce the issue any more.

Sorry for the noise.
Comment 7 Matthias Runge 2015-07-13 06:14:14 UTC 
That's what I got in /var/log/audit/audit.log
with selinux permissive.

type=AVC msg=audit(1436767937.298:612): avc:  denied  { relabelfrom } for  pid=4215 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=62737 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
Comment 8 Tomáš Hozza 2015-07-13 11:02:50 UTC 
(In reply to Matthias Runge from comment #7)
> That's what I got in /var/log/audit/audit.log
> with selinux permissive.
> 
> type=AVC msg=audit(1436767937.298:612): avc:  denied  { relabelfrom } for 
> pid=4215 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs"
> ino=62737 scontext=system_u:system_r:dnssec_trigger_t:s0
> tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file
> permissive=1

dnssec-trigger when started, it backs up the current /etc/resolv.conf before rewriting it. When restarted or stopped it tries to restore the old resolv.conf from /var/run/dnssec-trigger/resolv.conf.backup.

This looks like the situation I just described ~ restoring the resolv.conf
Comment 11 Lukas Vrabec 2015-07-13 11:33:34 UTC 
commit 8d6bc7574ab1b82892e98a425e4f5e64bad28909
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 13 13:23:16 2015 +0200

    Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
Comment 12 Miroslav Grepl 2015-07-14 09:05:53 UTC 
Tomas,
could you try to reproduce it with

#setenforce 1
#setenforce 0

re-test it and

# ausearch -m avc -ts recent
Comment 13 Matthias Runge 2015-07-14 09:49:10 UTC 
After 
systemctl restart unbound, I got:

ausearch -m avc -ts recent
----
time->Tue Jul 14 11:48:12 2015
type=AVC msg=audit(1436867292.109:725): avc:  denied  { relabelfrom } for  pid=16775 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:12 2015
type=AVC msg=audit(1436867292.109:726): avc:  denied  { relabelto } for  pid=16775 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:15 2015
type=AVC msg=audit(1436867295.505:732): avc:  denied  { relabelfrom } for  pid=16990 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=162817 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:15 2015
type=AVC msg=audit(1436867295.505:733): avc:  denied  { relabelto } for  pid=16990 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=162817 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
Comment 14 Fedora Update System 2015-07-21 15:46:13 UTC 
selinux-policy-3.13.1-128.8.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.8.fc22
Comment 15 Fedora Update System 2015-07-29 01:45:29 UTC 
Package selinux-policy-3.13.1-128.8.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.8.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11989/selinux-policy-3.13.1-128.8.fc22
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2015-07-30 13:54:48 UTC 
selinux-policy-3.13.1-128.8.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.