Bug 1293140
| Field | Value |
|---|---|
| Summary | SELinux policy changes to make NSD4 work |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Fabio Alessandro Locati <fale> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 7.2 |
| CC | d.e.smorgrav, fkooman, kupo, lvrabec, mgrepl, mmalik, plautrba, pvrabec, pwouters, rpiddapa, ssekidde, tis |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-69.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-11-04 02:26:28 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1311294 |
| Attachments | |
Description
Fabio Alessandro Locati
2015-12-20 16:02:08 UTC
Comment

These AVCs you list are not all because of nsd4 package problems (nsd-control not enabled). For nsd-control I added the following:

```
b/policy/modules/kernel/corenetwork.te.in
 network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
+network_port(nsd_control, tcp,8952,s0)
 network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
```

Comment

Created attachment 1109788 [details]
Patch to add necessary changes for nsd-4.x
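Review bot: the `+network_port(nsd_control, tcp,8952,s0)` line only declares the port type nsd_control_port_t; nothing in this fragment grants nsd_t (or the nsd-control client) bind or connect access to that type, so the nsd module needs a matching allow rule for the declaration to have any effect. The fragment also leaves the labelling of /var/log/nsd.log untouched, which the later comments show is still missing (no nsd log type in `seinfo -t`, no fcontext matching log/nsd).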
Comment

I can confirm it. I've patched just two days ago to enable the nsd_control port.

PS: Probably all .zone files in /etc/nsd should be considered zone files.

Comment

Did my patch and copy-paste from the corenetwork.te.in change include everything necessary for adding nsd-4.x support?

Comment

The following lines are present in the /etc/nsd/nsd.conf file:

```
# log messages to file. Default to stderr and syslog (with
# logfile: "/var/log/nsd.log"
# statistics are produced every number of seconds. Prints to log.
# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
# log-time-ascii: yes
```

After uncommenting the "logfile:" line, the automated TC triggers yet another SELinux denial in enforcing mode:

```
----
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=1 name=/var/log/nsd.log objtype=CREATE
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=0 name=/var/log/ inode=16777373 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(01/29/2016 08:04:25.419:215) : cwd=/etc/nsd
type=SYSCALL msg=audit(01/29/2016 08:04:25.419:215) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8a132985c8 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=13538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nsd exe=/usr/sbin/nsd subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc: denied { write } for pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
```

It happens because selinux-policy does not define a type for nsd log files:

```
# seinfo -t | grep ' nsd'
   nsd_var_run_t
   nsd_exec_t
   nsd_zone_t
   nsd_crond_t
   nsd_conf_t
   nsd_t
# semanage fcontext -l | grep log/nsd
#
```

Comment

SELinux denials caught in permissive mode when repeating what's described in comment#7:

```
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:275): item=1 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=CREATE
type=PATH msg=audit(1454051559.334:275): item=0 name="/var/log/" inode=16777373 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(1454051559.334:275): cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:275): arch=c000003e syscall=2 success=yes exit=3 a0=7f94005105c8 a1=441 a2=1b6 a3=24 items=2 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:275): avc: denied { open } for pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc: denied { create } for pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc: denied { add_name } for pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:275): avc: denied { write } for pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:276): item=0 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=CWD msg=audit(1454051559.334:276): cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:276): arch=c000003e syscall=92 success=yes exit=0 a0=7f94005105c8 a1=383 a2=376 a3=1 items=1 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:276): avc: denied { setattr } for pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
```

Comment

As normal, not all combinations were tested. I don't use log to file, so I haven't hit that one. My fixes were to get nsd-4.x working with the out-of-the-box config.

Comment

This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment

The new package does not seem to be available on RHN yet. When will it be published? Until then, is there any way to download and install it manually?

Comment

*** Bug 1302951 has been marked as a duplicate of this bug. ***

Comment

Still waiting for word on when I can expect this fix to be published. My RHEL7 systems have 3.13.1-60.9, with no mention of this bug in the changelog.

Comment

Your systems most likely have selinux-policy-3.13.1-60.el7_2.9, but the fix is present in selinux-policy-3.13.1-69.el7, which will be part of RHEL-7.3.

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
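As an added example (not code from the bug report or from the selinux-policy project), the Python script below does over the permissive-mode AVC records quoted in the thread what audit2allow would do, and then rewrites the result so that nsd_t gets a dedicated log type instead of write access to every var_log_t file, which is the shape of fix the QA comment points at when it notes that no nsd log type exists. The type name nsd_log_t, the module name nsd_log and the fcontext path are this example's assumptions; the fix shipped in selinux-policy-3.13.1-69.el7 may use different names. The permission list is only what that one run tripped (the "not all combinations were tested" caveat applies); a real module would typically also need permissions that did not happen to be denied there, such as append and getattr on the file.

```python
"""Derive SELinux rules from the AVC records quoted in this bug.

Added example; not code from the bug report or from selinux-policy. The type
name nsd_log_t, the module name and the fcontext path are assumptions.
"""
import re
from collections import defaultdict

# AVC lines copied from the permissive-mode run quoted in the thread.
AVC_SAMPLE = """\
type=AVC msg=audit(1454051559.334:275): avc: denied { open } for pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc: denied { create } for pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc: denied { add_name } for pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:275): avc: denied { write } for pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:276): avc: denied { setattr } for pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """The rules audit2allow would print: one allow per (source, target, class)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(denials.items())
    ]


def dedicated_type_module(denials, name="nsd_log", generic="var_log_t",
                          dedicated="nsd_log_t"):
    """Build a loadable .te that gives the domain its own log type.

    File-class denials against the generic type are redirected to the
    dedicated type. Directory denials stay on the generic type, because the
    daemon still has to create the entry in /var/log, and a type_transition
    labels the new file automatically. 'logfile' is the attribute that marks
    log types in the reference policy, so tools such as logrotate keep working.
    """
    rewritten = {}
    for (s, t, c), p in denials.items():
        if t == generic and c != "dir":
            rewritten[(s, dedicated, c)] = set(p)
        else:
            rewritten[(s, t, c)] = set(p)
    classes = defaultdict(set)
    for (_, _, c), p in rewritten.items():
        classes[c].update(p)
    # Everything we reference but do not declare must be listed in require{}.
    req_types = sorted({x for (s, t, _) in rewritten for x in (s, t)} - {dedicated})
    lines = [f"module {name} 1.0;", "require {"]
    lines += [f"    type {t};" for t in req_types]
    lines.append("    attribute logfile;")
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", f"type {dedicated};", f"typeattribute {dedicated} logfile;"]
    lines += allow_rules(rewritten)
    lines += [f"type_transition {s} {generic}:file {dedicated};"
              for s in sorted({s for (s, _, _) in rewritten})]
    return "\n".join(lines) + "\n"


def fcontext_line(path=r"/var/log/nsd\.log", dedicated="nsd_log_t"):
    """The .fc entry that pairs with the module (path is an assumption)."""
    return f"{path}\t--\tsystem_u:object_r:{dedicated}:s0"


if __name__ == "__main__":
    found = parse_avcs(AVC_SAMPLE)
    print("# audit2allow-style (over-broad: any var_log_t file):")
    print("\n".join(allow_rules(found)))
    print("\n# with a dedicated log type:")
    print(dedicated_type_module(found))
    print(fcontext_line())
```

Write the two outputs to nsd_log.te and nsd_log.fc, then build and load them with `checkmodule -M -m -o nsd_log.mod nsd_log.te`, `semodule_package -o nsd_log.pp -m nsd_log.mod -f nsd_log.fc` and `semodule -i nsd_log.pp`, and relabel with `restorecon -v /var/log/nsd.log`. The contrast the script makes explicit is the security point: the plain audit2allow rule lets nsd_t create and modify any file labelled var_log_t, while the dedicated type confines it to its own log.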