Bug 1305522

Summary: pdns 4.0.0 alpha 1 fails to start
Product: Fedora
Reporter: Morten Stevens <mstevens>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dominick.grift, dwalsh, eparis, lvrabec, mgrepl, plautrba, pmoore, ruben, sdsmall
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2018-02-20 11:22:01 UTC

Description Morten Stevens 2016-02-08 13:51:54 UTC
Description of problem:

The latest technical preview of PowerDNS 4.0.0 alpha 1 fails to start if selinux is set to enforcing.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-169.fc24.noarch
pdns-4.0.0-0.2.alpha1.fc24.x86_64

How reproducible:

1. yum install pdns
2. systemctl start pdns

Actual results:

/var/log/messages

Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1873 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1873 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed with result 'exit-code'.
Feb  8 14:46:03 fc24 systemd: pdns.service: Service hold-off time over, scheduling restart.
Feb  8 14:46:03 fc24 systemd: Stopped PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1881 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1881 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.

/var/log/audit/audit.log

type=AVC msg=audit(1454939349.865:438): avc:  denied  { mounton } for  pid=2008 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939349.866:439): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939349.866:440): avc:  denied  { execute_no_trans } for  pid=2008 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939349.871:441): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.082:442): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.082:443): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.098:444): avc:  denied  { mounton } for  pid=2013 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.099:445): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.099:446): avc:  denied  { execute_no_trans } for  pid=2013 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.104:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.332:448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.332:449): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.347:450): avc:  denied  { mounton } for  pid=2020 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.348:451): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.348:452): avc:  denied  { execute_no_trans } for  pid=2020 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.353:453): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.582:454): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.582:455): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1454939350.605:456): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.605:457): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 1 Morten Stevens 2016-02-24 10:00:30 UTC
Update: pdns fails to start with "NoNewPrivileges=true" if selinux is set to enforcing.
If I remove "NoNewPrivileges=true" from the systemd unit file pdns starts fine...

Comment 2 Jan Kurik 2016-02-24 15:52:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 3 Daniel Walsh 2016-02-26 21:34:41 UTC
We have seen similar issues to this using docker and prctl(NO_NEW_PRIVS)

To make this work we need to change SELinux policy to do something like

typebounds init_t pdns_t;
allow init_t pdns_exec_t:file entrypoint;

NO_NEW_PRIVS is preventing SELinux transitioning, unless the parent process bounds the lower process; in this case init_t has to have all of the access in pdns_exec_t.

Comment 4 Jan Kurik 2016-07-26 04:38:13 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 5 Morten Stevens 2017-10-15 15:11:41 UTC
Any news here? I have tested it with the latest selinux-policy (rawhide) and the error still exists if I set NoNewPrivileges=true in the systemd unit file.

type=SELINUX_ERR msg=audit(1508071664.780:538): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508071664.780:539): avc:  denied  { map } for  pid=2834 comm="pdns_server" path="/usr/sbin/pdns_server" dev="dm-0" ino=1444669 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0

It would be great to get an update for this issue.

Comment 6 Lukas Vrabec 2017-10-16 15:03:13 UTC
I added fixes to the GitHub selinux-policy repo. They should be included in the next selinux-policy Rawhide and F27 update.

Comment 7 Morten Stevens 2017-10-20 13:48:02 UTC
(In reply to Lukas Vrabec from comment #6)
> I added fixes to the GitHub selinux-policy repo. They should be included in the
> next selinux-policy Rawhide and F27 update.

Thank you. I tried the latest selinux-policy package, but I still got these errors:

# rpm -q selinux-policy
selinux-policy-3.13.1-297.fc28.noarch 

type=AVC msg=audit(1508506948.449:4773): avc:  denied  { nnp_transition } for  pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc:  denied  { map } for  pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=ANOM_ABEND msg=audit(1508506948.450:4776): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=27417 comm="pdns_server" exe="/usr/sbin/pdns_server" sig=11 res=1

Maybe the fix in selinux-policy-3.13.1-297 is not enough?
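
Added example, not code from the bug report or from the selinux-policy project: a small parser for the audit records quoted in this bug that tells the NO_NEW_PRIVS-blocked transition (comment 3's explanation, comment 7's nnp_transition AVC) apart from an ordinary file denial, and emits policy in the shape comment 3 proposes. The sample input is the three records from comment 7; the process2 nnp_transition line is an assumption about the eventual fix, which the bug does not quote.

```python
import re
from typing import Dict, List

# Audit records are mostly key=value pairs; an AVC's permission sits in braces
# after "denied", so it is captured separately. Other record types parse but are ignored.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERM = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')
# Constructed sample input: the three records quoted in comment 7 of this bug.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1508506948.449:4773): avc:  denied  { nnp_transition } for  pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0',
    'type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0',
    'type=AVC msg=audit(1508506948.450:4775): avc:  denied  { map } for  pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0',
]

def parse_record(line: str) -> Dict[str, str]:
    """Map one audit.log line to its fields, plus 'perm' for AVC denials."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    perm = _PERM.search(line)
    if perm:
        fields["perm"] = perm.group(1)
    return fields

def ctx_type(context: str) -> str:
    """The type of a user:role:type:level context, e.g. 'init_t'."""
    return context.split(":")[2]

def nnp_transition_failure(lines: List[str], daemon_type: str, exec_type: str) -> Dict[str, object]:
    """Did a NoNewPrivileges service stay in its parent's domain?  bounded_denied /
    nnp_avc are the two ways kernels log the refused transition; fallback_perms are the
    file permissions the parent then needed on the entrypoint binary (no transition)."""
    result = {"bounded_denied": False, "nnp_avc": False, "fallback_perms": [], "parent": None}
    for rec in map(parse_record, lines):
        if rec.get("type") == "SELINUX_ERR" and rec.get("op") == "security_bounded_transition" \
                and rec.get("seresult") == "denied" and ctx_type(rec["newcontext"]) == daemon_type:
            result["bounded_denied"], result["parent"] = True, ctx_type(rec["oldcontext"])
        elif rec.get("type") == "AVC" and rec.get("perm") == "nnp_transition" \
                and ctx_type(rec["tcontext"]) == daemon_type:
            result["nnp_avc"], result["parent"] = True, ctx_type(rec["scontext"])
        elif rec.get("type") == "AVC" and rec.get("tclass") == "file" \
                and ctx_type(rec["tcontext"]) == exec_type:
            result["fallback_perms"].append(rec["perm"])
    return result

def policy_remedy(parent: str, daemon_type: str, exec_type: str) -> str:
    """Policy in the shape comment 3 proposes (typebounds + entrypoint), plus the process2
    nnp_transition grant comment 7's kernel denies (assumed; the bug does not quote the fix)."""
    return "\n".join([f"typebounds {parent} {daemon_type};",
                      f"allow {parent} {exec_type}:file entrypoint;",
                      f"allow {parent} {daemon_type}:process2 nnp_transition;"])
```

Feed it the records from a real `ausearch -m AVC,SELINUX_ERR` run to confirm the daemon really was held in init_t before changing policy; a plain execute_no_trans or map denial without the SELINUX_ERR record is a different problem.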

Comment 8 Lukas Vrabec 2017-10-22 13:18:32 UTC
Morten, 

Agreed, I added fixes; selinux-policy-3.13.1-298 will fix it.

Comment 9 Morten Stevens 2017-10-23 14:00:29 UTC
Lukas,

Thank you. I tried the latest selinux-policy-3.13.1-298 package and the issue has been fixed. Will this also be backported in the next F27 update?

Comment 10 Lukas Vrabec 2017-10-23 14:07:56 UTC
Yes, it will be part of the next selinux-policy F27 update.