Description of problem:
Running NSD on CentOS 7 with SELinux enabled doesn't work because writes to /tmp,
which the default xfr-dir setting uses, are not allowed.
Version-Release number of selected component (if applicable):
nsd-4.1.7-3.el7.x86_64
How reproducible:
Enable SELinux, install NSD, start nsd
Steps to Reproduce:
Actual results:
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: Starting NSD DNS Server...
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: mkdir /tmp/nsd-xfr-8185 failed: Permission denied
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: /tmp/nsd-xfr-8185/nsd.8185.task.0: No such file or directory
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: nsd.service: main process exited, code=exited, status=1/FAILURE
And in audit.log:
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Expected results:
Additional info:
I was able to get NSD running with the following local policy:
policy_module(nsd-xfr, 1.0)
require {
type nsd_t;
};
# temp files
type nsd_tmp_t;
files_tmp_file(nsd_tmp_t)
# Allow nsd to create and use temp files and dirs
manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
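To see what the AVC records above actually ask for before writing policy, here is an added example (not part of the bug report or the nsd package) that parses the three denials into one (source type, target type, class) -> permissions summary and renders the raw allow rule audit2allow would produce. The sample input is the report's own audit lines, embedded as a constant; note the raw rule grants nsd_t access to every tmp_t directory, which is why the module above instead introduces a private nsd_tmp_t type with a file transition.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the bug report.
AVC_LINES = """\
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Fields of an AVC denial record as written by the kernel audit subsystem.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+).*?'
    r'\btcontext=(?P<tcontext>\S+).*?'
    r'\btclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field (third colon-separated element) of an SELinux context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield one dict per AVC denial record found in text; non-AVC lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            yield rec

def summarize_denials(text):
    """Collapse denials into {(source_type, target_type, class): set(perms)}."""
    summary = defaultdict(set)
    for rec in parse_avc(text):
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)

def as_allow_rules(summary):
    """Render the summary as raw allow rules, one per (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(AVC_LINES)):
        print(rule)
```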
Comment 1 Fabio Alessandro Locati
2016-02-09 10:54:26 UTC