| Summary: | selinux-policy for nsd fails to handle xfr-dir permissions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sten Spans <sspans> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | drjohnson1, fale, jv+fedora, lfarkas, lvrabec, mgrepl, mmalik, plautrba, pvrabec, pwouters, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-28 13:19:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
It seems to me that this is a selinux policy bug. We have fixes in the latest RHEL. You can go with the local policy for now. Thank you.
Description of problem:
Running NSD on centos-7 with selinux enabled doesn't work because writes to /tmp for the default xfr-dir setting are not allowed.

Version-Release number of selected component (if applicable):
nsd-4.1.7-3.el7.x86_64

How reproducible:
Enable selinux, install NSD, start nsd

Steps to Reproduce:
1.
2.
3.

Actual results:
```
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: Starting NSD DNS Server...
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: mkdir /tmp/nsd-xfr-8185 failed: Permission denied
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: /tmp/nsd-xfr-8185/nsd.8185.task.0: No such file or directory
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: nsd.service: main process exited, code=exited, status=1/FAILURE
```

And in audit.log:
```
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
```

Expected results:

Additional info:
I was able to get NSD running with the following local policy:
```
policy_module(nsd-xfr, 1.0)

require {
	type nsd_t;
};

# temp files
type nsd_tmp_t;
files_tmp_file(nsd_tmp_t)

# Allow nsd to create and use temp files and dirs
manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
```
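The three AVC records in the report are what an `audit2allow`-style tool turns into an `allow` rule. The script below is an added example, not part of the bug report or of selinux-policy: a minimal parser that groups denied permissions by (source type, target type, object class) and renders the resulting rule, run over sample input constructed from the denials quoted above. It exists to make one point concrete: the rule such a tool produces grants `nsd_t` write access to every directory labelled `tmp_t`, whereas the reporter's module is narrower because it introduces a private `nsd_tmp_t` type and a type transition so only NSD's own `/tmp/nsd-xfr-*` directories become writable.

```python
"""Minimal audit2allow-style parser for SELinux AVC denials (added example).

Groups the denied permissions from AVC records by
(source type, target type, object class) and prints the `allow`
statements that would silence them.
"""
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug report,
# one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Matches the parts of an AVC record we need: the braced permission list,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions.

    Lines that are not AVC denials (other audit record types) are skipped.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m.group("scontext")),
               type_of(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def allow_rules(denials):
    """Render grouped denials as sorted `allow` statements, one per key."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    # For the sample above this prints:
    #   allow nsd_t tmp_t:dir { add_name create write };
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The generated `allow nsd_t tmp_t:dir { ... }` would let NSD create entries anywhere under `/tmp`, and a follow-up run would add `file` permissions on `tmp_t` as well once the first denial is cleared. The reporter's module avoids that by giving NSD its own type (`files_tmp_file(nsd_tmp_t)`) and a `files_tmp_filetrans` so directories NSD creates in `/tmp` are labelled `nsd_tmp_t` on creation; `manage_*_pattern` then grants access only to objects of that type. On RHEL/CentOS 7 a `.te` file like the reporter's is built and loaded with `make -f /usr/share/selinux/devel/Makefile nsd-xfr.pp && semodule -i nsd-xfr.pp` (from the selinux-policy-devel package).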