Bug 1305522
| Summary: | pdns 4.0.0 alpha 1 fails to start | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Morten Stevens <mstevens> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, eparis, lvrabec, mgrepl, plautrba, pmoore, ruben, sdsmall |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-20 11:22:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Morten Stevens
2016-02-08 13:51:54 UTC
Update: pdns fails to start with "NoNewPrivileges=true" if selinux is set to enforcing. If I remove "NoNewPrivileges=true" from the systemd unit file pdns starts fine...

Comment

This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment

We have seen similar issues to this using docker and prctl(NO_NEW_PRIVS). To make this work we need to change SELinux policy to do something like:

```
typebounds init_t pdns_t;
allow init_t pdns_exec_t:file entrypoint;
```

NO_NEW_PRIVS is preventing SELinux transitioning, unless the parent process bounds the lower process; in this case init_t has to have all of the access in pdns_exec_t.

Comment

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.

Comment

Any news here? I have tested it with the latest selinux-policy (rawhide) and the error still exists if I set NoNewPrivileges=true in the systemd unit file.

```
type=SELINUX_ERR msg=audit(1508071664.780:538): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508071664.780:539): avc: denied { map } for pid=2834 comm="pdns_server" path="/usr/sbin/pdns_server" dev="dm-0" ino=1444669 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
```

It would be great to get an update for this issue.

Lukas Vrabec (comment #6)

I added fixes to the github selinux-policy repo. They should be included in the next selinux-policy Rawhide and F27 update.

Comment

(In reply to Lukas Vrabec from comment #6)
> I added fixes to the github selinux-policy repo. They should be included in the
> next selinux-policy Rawhide and F27 update.

Thank you.

Comment

I tried the latest selinux-policy package, but I still got these errors:

```
# rpm -q selinux-policy
selinux-policy-3.13.1-297.fc28.noarch
```

```
type=AVC msg=audit(1508506948.449:4773): avc: denied { nnp_transition } for pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc: denied { map } for pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=ANOM_ABEND msg=audit(1508506948.450:4776): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=27417 comm="pdns_server" exe="/usr/sbin/pdns_server" sig=11 res=1
```

Maybe the fix in selinux-policy-3.13.1-297 is not enough?

Comment

Morten, agreed. I added fixes; selinux-policy-3.13.1-298 will fix it.

Comment

Lukas, thank you. I tried the latest selinux-policy-3.13.1-298 package and the issue has been fixed. Will this also be backported with the next F27 update?

Comment

Yes, it will be part of the next selinux-policy F27 update.
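The two ways policy can permit a domain transition under NO_NEW_PRIVS that this thread touches on, the `typebounds` approach proposed early in the discussion and the `nnp_transition` permission that the later AVC record shows being denied, written out side by side as a local SELinux policy module. This is an added illustration for readers of the bug, not the change Lukas committed to the selinux-policy repository; it assumes the type and class names exactly as they appear in the audit records above (`init_t`, `pdns_t`, `pdns_exec_t`, `process2`) and a module name, `local_pdns_nnp`, chosen here.

```te
# local_pdns_nnp.te -- added example, not the fix shipped in selinux-policy.
#
# With NoNewPrivileges=true, systemd sets PR_SET_NO_NEW_PRIVS before exec,
# and the kernel then refuses the init_t -> pdns_t transition unless policy
# says it is safe. Policy can say so in two ways:
#
#   (a) typebounds: declare pdns_t a bounded child of init_t. The kernel
#       accepts this only if every permission pdns_t holds is also held by
#       init_t ("init_t has to have all of the access"), which is why the
#       parent needs the extra rules on pdns_exec_t, and why this approach
#       widens init_t rather than narrowing anything.
#
#   (b) nnp_transition: the process2 permission denied in the AVC record
#       above. It allows the init_t -> pdns_t transition to proceed despite
#       NO_NEW_PRIVS without bounding the domains. This is the narrower
#       grant and needs a kernel that knows the permission (Linux 4.14+);
#       on older kernels only (a) exists.
#
# Only one of the two is needed. (b) is active below; (a) is left as a
# comment for comparison.

policy_module(local_pdns_nnp, 1.0)

require {
    type init_t;
    type pdns_t;
    type pdns_exec_t;
    class process2 nnp_transition;
    class file { entrypoint execute map open read };
}

# (b) permit the init_t -> pdns_t domain transition under NO_NEW_PRIVS.
allow init_t pdns_t:process2 nnp_transition;

# (a) bounded-domain alternative, as suggested in the thread.
# Uncomment instead of (b) on kernels without nnp_transition; note that
# every rule granted to pdns_t must then also be granted to init_t.
# typebounds init_t pdns_t;
# allow init_t pdns_exec_t:file { entrypoint execute map open read };
```

Build and load it with the Fedora policy development Makefile (`make -f /usr/share/selinux/devel/Makefile local_pdns_nnp.pp && semodule -i local_pdns_nnp.pp`), then confirm the rule is present with `sesearch -A -s init_t -t pdns_t -c process2 -p nnp_transition` and watch `/var/log/audit/audit.log` for further `nnp_transition` or `security_bounded_transition` records after restarting the unit. A module like this is a stop-gap for a single host; the distribution policy update named in the thread is the correct fix, and the local module should be removed once that update is installed so the grant is not duplicated.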