Bug 1487912

Summary: SELinux is preventing sh from execute_no_trans access on the file /usr/libexec/dnssec-trigger-script
Product: [Fedora] Fedora Reporter: Stanislav Graf <sgraf>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: code, dimitris.on.linux, djasa, dwalsh, lsm5, lvrabec, me+bugs, mgrepl, mharri, pemensik, pj.pandit, plautrba, pmoore, pwouters, thozza, tomastrnka, tom
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-260.14.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-15 20:11:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stanislav Graf 2017-09-03 08:51:55 UTC 
Description of problem:
=======================

I'm getting selinux alerts while using unbound+dnssec, all started after upgrade to f26, autorelabel didn't help.

~~~
$ sealert -l 74107b33-d2e7-4f50-ab08-8e2aaa21b652
SELinux is preventing sh from execute_no_trans access on the file /usr/libexec/dnssec-trigger-script.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sh should be allowed execute_no_trans access on the dnssec-trigger-script file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp


Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:dnssec_trigger_exec_t:s0
Target Objects                /usr/libexec/dnssec-trigger-script [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           dnssec-trigger-0.13-3.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.6.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.12.8-300.fc26.x86_64
                              #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64
Alert Count                   580
First Seen                    2017-07-15 20:37:50 CEST
Last Seen                     2017-09-03 09:48:20 CEST
Local ID                      74107b33-d2e7-4f50-ab08-8e2aaa21b652

Raw Audit Messages
type=AVC msg=audit(1504424900.259:940): avc:  denied  { execute_no_trans } for  pid=4475 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0


Hash: sh,dnssec_trigger_t,dnssec_trigger_exec_t,file,execute_no_trans
~~~

In the logs I see:
~~~
Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: sh: /usr/libexec/dnssec-trigger-script: /usr/bin/python3: bad interpreter: Permission denied
Sep 03 09:48:20 localhost.localdomain audit[4475]: AVC avc:  denied  { execute_no_trans } for  pid=4475 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0
Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: ok
Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: sh: /usr/libexec/dnssec-trigger-script: /usr/bin/python3: bad interpreter: Permission denied
Sep 03 09:48:19 localhost.localdomain audit[4471]: AVC avc:  denied  { execute_no_trans } for  pid=4471 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0
Sep 03 09:48:19 localhost.localdomain dnssec-triggerd[1020]: ok
~~~
Comment 1 Tomáš Hozza 2017-09-04 08:00:12 UTC 
dnssec-trigger daemon needs to be able to execute /usr/libexec/dnssec-trigger-script. I'm not sure what changed in F26 policy again... Moving to selinux-policy.
Comment 2 Casey 2017-10-23 11:22:14 UTC 
I think this might be a dup of #1487912
Comment 3 Lukas Vrabec 2017-10-24 10:19:57 UTC 
*** Bug 1450481 has been marked as a duplicate of this bug. ***
Comment 4 Fedora Update System 2017-10-26 12:32:34 UTC 
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
Comment 5 David Jaša 2017-11-07 09:37:55 UTC 
Description of problem:
I got this AVC at start of dnssec-trigger service right after its installation

Version-Release number of selected component:
selinux-policy-3.13.1-260.13.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.13.9-200.fc26.x86_64
type:           libreport
Comment 6 Fedora Update System 2017-11-15 20:11:59 UTC 
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.