Bug 1572374
Summary: | [RHEL7] SELinux AVC when creating zones in BIND using rndc | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Rodrigo A B Freire <rfreire> |
Component: | bind | Assignee: | Petr Menšík <pemensik> |
Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 7.4 | CC: | bnemec, pemensik |
Target Milestone: | rc | Keywords: | EasyFix, SELinux |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-04-27 09:19:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Rodrigo A B Freire
2018-04-26 20:57:58 UTC
Evidence:

```
[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:50:09 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 11193] 20:50:24 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
^Cstrace: Process 11191 detached
```

Setenforce 0:

```
[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:51:10 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 unlink("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl") = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("tmp-nlYDnGr8pf", O_RDWR|O_CREAT|O_EXCL, 0666) = 6
[pid 11193] 20:51:10 rename("tmp-nlYDnGr8pf", "slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608") = 0
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jbk", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775875, 194897}, {1524775875, 194897}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775875, 194897}, {1524775875, 194897}]) = 0
^Cstrace: Process 11191 detached
```

SELinux context:

```
[root@aa10-dns1 named]# ls -Za /var/named
drwxrwx---. root  named system_u:object_r:named_zone_t:s0  .
drwxr-xr-x. root  root  system_u:object_r:var_t:s0         ..
-rw-r--r--. named named system_u:object_r:named_zone_t:s0  3bf305731dd26307.nzf
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root  named system_u:object_r:named_conf_t:s0  named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0  named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0  named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0  named.loopback
-rw-r--r--. named named system_u:object_r:named_zone_t:s0  slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves
```

Audit AVCs:

```
type=AVC msg=audit(1524775824.567:94): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775839.754:95): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775854.936:96): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { add_name } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { create } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc: denied { append } for pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc: denied { write } for pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc: denied { remove_name } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc: denied { rename } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc: denied { setattr } for pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
```

I believe the fix for this is to do "sudo setsebool named_write_master_zones 1" when deploying BIND in an environment where you want it to create dynamic zones. I don't think this actually blocks https://bugzilla.redhat.com/show_bug.cgi?id=1374002 because puppet is already taking care of that for us.

Hi Ben,

I can confirm that setsebool named_write_master_zones 1 resolves this issue. I'm removing the blocker from the Designate tracker.

@Assignee, is it desired to have it enabled only on demand? Honestly, I think that it can cause unneeded customer frustration and a possible influx of support tickets.

As a side note, if you don't chmod g+w /var/named it will not work either.

This issue is already tracked in bug #1315821. I would like to change the default to accept writing into the home directory for more reasons.

*** This bug has been marked as a duplicate of bug 1315821 ***
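The thread above resolves the denials with `setsebool named_write_master_zones 1` plus `chmod g+w /var/named`. Before flipping a boolean it is worth confirming that every AVC really is the pattern that boolean opens up (named_t wanting a write-class permission on named_zone_t) and not some other denial that happens to come from named. The script below is an added example, not code from the bug report or from the bind package: it parses audit AVC records, de-duplicates them into (permission, class, source type, target type) tuples, and reports whether the set matches the named_write_master_zones pattern. The sample records are constructed from the AVCs quoted in the bug (one duplicate kept on purpose); the function names and the permission list are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report): triage named AVC denials and say
# whether they are the pattern that named_write_master_zones allows.

# Constructed sample: nine AVC records copied from the bug, two of them the
# same dir/write denial so de-duplication is visible.
SAMPLE_AVCS='type=AVC msg=audit(1524775824.567:94): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { add_name } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { create } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc: denied { append } for pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc: denied { write } for pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc: denied { remove_name } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc: denied { rename } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc: denied { setattr } for pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file'

# parse_avcs: read audit records on stdin and print one de-duplicated line per
# denied permission as "perm tclass source_type target_type". A record such as
# "{ read write }" yields one line per permission.
parse_avcs() {
    awk '
    /avc: +denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0;   sub(/.*scontext=/, "", src);   sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0;   sub(/.*tcontext=/, "", tgt);   sub(/ .*/, "", tgt); split(tgt, t, ":")
        cls = $0;   sub(/.*tclass=/, "", cls);     sub(/ .*/, "", cls)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print p[i], cls, s[3], t[3]
    }' | sort -u
}

# suggest_fix: print "named_write_master_zones" only when every denial is
# named_t asking for a write-class permission on named_zone_t (file or dir),
# which is what that boolean grants; print "other" for anything else so a
# denial against some unrelated type is not papered over with the boolean.
# The permission list is this example's assumption of what "write-class" means.
suggest_fix() {
    parse_avcs | awk '
    BEGIN { ok = 1; n = 0 }
    {
        n++
        if ($3 != "named_t" || $4 != "named_zone_t") ok = 0
        if ($1 !~ /^(write|append|create|add_name|remove_name|rename|setattr|unlink|link)$/) ok = 0
    }
    END { if (n > 0 && ok) print "named_write_master_zones"; else print "other" }'
}

# check_host: on a real RHEL host show the two settings the bug turned on,
# the boolean and group-write on /var/named. Skips quietly elsewhere.
check_host() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not found; not an SELinux host, skipping live check"
        return 0
    fi
    getsebool named_write_master_zones
    ls -dZ /var/named
    # Remediation from the bug, made persistent with -P:
    #   setsebool -P named_write_master_zones 1
    #   chmod g+w /var/named
}

printf '%s\n' "$SAMPLE_AVCS" | parse_avcs
printf '%s\n' "$SAMPLE_AVCS" | suggest_fix
check_host
```

Run it as-is to see the eight distinct denials from the bug collapse to one verdict; on a live host, feed it `ausearch -m avc -c named` output instead of the sample. Note what the boolean buys and costs: once set, named_t may write every named_zone_t object under /var/named, including the static master zone files, so a compromised named can rewrite them. The `data`, `dynamic` and `slaves` directories in the listing above are already named_cache_t, the type the policy intends named to write without any boolean, which is why the thread's assignee points at bug #1315821 rather than treating the boolean as the final answer.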