Bug 1572374
| Summary: | [RHEL7] SELinux AVC when creating zones in BIND using rndc | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Rodrigo A B Freire <rfreire> |
| Component: | bind | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.4 | CC: | bnemec, pemensik |
| Target Milestone: | rc | Keywords: | EasyFix, SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-27 09:19:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Rodrigo A B Freire
2018-04-26 20:57:58 UTC
Evidence:

```
[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:50:09 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 11193] 20:50:24 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
^Cstrace: Process 11191 detached
```
Setenforce 0:

```
[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:51:10 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 unlink("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl") = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("tmp-nlYDnGr8pf", O_RDWR|O_CREAT|O_EXCL, 0666) = 6
[pid 11193] 20:51:10 rename("tmp-nlYDnGr8pf", "slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608") = 0
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jbk", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775875, 194897}, {1524775875, 194897}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775875, 194897}, {1524775875, 194897}]) = 0
^Cstrace: Process 11191 detached
```
SELinux context:

```
[root@aa10-dns1 named]# ls -Za /var/named
drwxrwx---. root named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 3bf305731dd26307.nzf
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.ca
-rw-r-----. root named system_u:object_r:named_zone_t:s0 named.empty
-rw-r-----. root named system_u:object_r:named_zone_t:s0 named.localhost
-rw-r-----. root named system_u:object_r:named_zone_t:s0 named.loopback
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves
```
Audit AVCs:

```
type=AVC msg=audit(1524775824.567:94): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775839.754:95): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775854.936:96): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { add_name } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { create } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc: denied { append } for pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc: denied { write } for pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc: denied { remove_name } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc: denied { rename } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc: denied { setattr } for pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
```
I believe the fix for this is to do "sudo setsebool named_write_master_zones 1" when deploying BIND in an environment where you want it to create dynamic zones. I don't think this actually blocks https://bugzilla.redhat.com/show_bug.cgi?id=1374002 because puppet is already taking care of that for us.

Hi Ben, I can confirm that setsebool named_write_master_zones 1 resolves this issue. I'm removing the blocker from the Designate tracker. @Assignee, is it desired to have it enabled only on-demand? Honestly, I think that it can cause unneeded customer frustration and a possible influx of support tickets. As a side note, if you don't chmod g+w /var/named it will not work either.

This issue is already tracked in bug #1315821. I would like to change the default to accept writing into the home directory for more reasons.

*** This bug has been marked as a duplicate of bug 1315821 ***
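To triage denials like the ones above without guessing, the following is an added example (not code from this bug report, from the bind package, or from the SELinux tooling). It parses raw AVC records, collapses them into the (source type, target type, class) tuples that audit2allow would print as allow rules, and marks the pairs an existing policy boolean already covers, so a reader can tell a one-line boolean fix apart from a mislabeled directory or a case that needs a custom module. The records are copied from the report plus one constructed `var_t` denial that no bind boolean covers; `BOOLEAN_COVERAGE` and the function names are this example's own, and the only pair it knows is the one from this bug.

```python
"""Triage SELinux AVC denials like the ones in this report.

Added example, not code from the bug report or the bind package. It parses
raw audit AVC records, collapses them into the (source type, target type,
class) tuples audit2allow would emit as allow rules, and marks the tuples
that an existing policy boolean already covers.
"""
import re
from collections import defaultdict

# Records copied from the report above, plus one constructed denial
# (named_t writing to a var_t directory) that no bind boolean covers.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1524775870.116:98): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { add_name } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc: denied { create } for pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc: denied { append } for pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc: denied { write } for pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc: denied { remove_name } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc: denied { rename } for pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc: denied { setattr } for pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775880.000:102): avc: denied { write } for pid=11191 comm="named" name="named" dev="dm-0" ino=2359000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

# One record per line: permission set, then the source/target contexts and
# the object class. \s+ also absorbs the double spaces real audit.log uses.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Booleans known (from the RHEL 7 bind policy module) to grant the source
# type manage access on the target type. Hypothetical table for this
# example; extend it as other pairs come up.
BOOLEAN_COVERAGE = {
    ("named_t", "named_zone_t"): "named_write_master_zones",
}


def type_of(context):
    """Return the type field of a user:role:type:range context string."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return (source type, target type, class, perms) for every AVC line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return denials


def summarize(denials):
    """Merge denials into {(stype, ttype, tclass): set of permissions}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def allow_rules(summary):
    """Render the summary as the allow rules audit2allow would print, sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


def recommend(summary):
    """Map each rule key to the boolean that covers it, or None if none does."""
    return {key: BOOLEAN_COVERAGE.get(key[:2]) for key in summary}


if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AUDIT))
    fixes = recommend(summary)
    for rule, key in zip(allow_rules(summary), sorted(summary)):
        if fixes[key]:
            hint = f"setsebool -P {fixes[key]} on"
        else:
            hint = "no boolean covers this; check labels (restorecon -Rv) or build a module"
        print(f"{rule}  # {hint}")
```

Two things the thread's one-liner leaves out: `setsebool ... 1` without `-P` does not survive a reboot, and SELinux is only one of two gates here. DAC still applies, which is why the `chmod g+w /var/named` note matters (the directory is owned root:named in the listing above). After setting the boolean, confirm the policy now grants the denied permissions with `sesearch -A -s named_t -t named_zone_t -c dir -p add_name` (setools), then re-run `rndc addzone` and check `ausearch -m AVC -c named -ts recent` is empty. A denial against any target type other than `named_zone_t` in this output is a labelling problem to fix with `restorecon`, not something to paper over with the boolean.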