Bug 1574003

Summary: BIND is not able to write into /var/named
Product: [Fedora] Fedora
Reporter: Petr Menšík <pemensik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dmoppert, dwalsh, lvrabec, mgrepl, mmalik, pemensik, plautrba, qe-baseos-security, ssekidde, thozza
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.3-9.fc30
Clone Of: 1572647
Last Closed: 2018-10-15 20:30:41 UTC
Type: Bug
Bug Depends On: 1572647, 1633158
Bug Blocks: 1422680, 1573998, 1580388, 1580389, 1639410

Description Petr Menšík 2018-05-02 16:26:16 UTC
+++ This bug was initially created as a clone of Bug #1572647 +++

Description of problem:
/var/named is not writable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-21.fc28.noarch

Additional info:

Traditionally our configuration did not allow bind to write into its default home /var/named. This is also protected by the SELinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}.

The policy allows the named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only after setsebool named_write_master_zones on is called.

For some reason this is already automatically exploited by the bind-dyndb-ldap package, which sets named_write_master_zones on installation and disables it on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is common to maintain DNSSEC signatures in master zones from BIND as well. Static zones that are never modified by the daemon are no longer dominant. I think a writable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for the whole of /var/named, wherever named_zone_t was used before.

Blocks bug #1422680

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242

--- Additional comment from Petr Menšík on 2018-04-27 16:09:38 CEST ---

I think it would be sufficient to leave protection of non-writable zones to Unix rights. Because dac_override is not granted, it should be secure enough. Product security agreed with that.
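As an added illustration (not part of the bug report or of the selinux-policy project), the POSIX shell audit below applies the rule the report describes (named may write to named_cache_t unconditionally, to named_zone_t only while named_write_master_zones is on) to constructed `ls -Zd` output for the /var/named layout; the directory labels in the sample are assumed, and the function names named_can_write and audit_named_dirs are hypothetical.

```shell
#!/bin/sh
# Added example: evaluate which /var/named directories named may write to,
# under the old default (boolean off) and the new one (boolean on).

# Print the SELinux type field of an "ls -Zd" line ("<context> <path>").
ctx_type() {
    # context has the form user:role:type:level; the type is field 3
    printf '%s\n' "$1" | cut -d' ' -f1 | cut -d: -f3
}

# named_can_write TYPE BOOL: exit 0 if named may write to files of TYPE.
named_can_write() {
    case "$1" in
        named_cache_t) return 0 ;;            # always writable for named
        named_zone_t)  [ "$2" = on ] ;;       # only with the boolean on
        *)             return 1 ;;            # anything else: denied
    esac
}

# audit_named_dirs BOOL LS_OUTPUT: one "<path> <type> writable|read-only" per line.
audit_named_dirs() {
    bool=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }
        type=$(ctx_type "$line")
        if named_can_write "$type" "$bool"; then state=writable; else state=read-only; fi
        printf '%s %s %s\n' "$path" "$type" "$state"
    done
}

# Constructed sample in the format "ls -Zd" prints; labels are assumed.
# On a real host replace it with: ls -Zd /var/named /var/named/*
# and read the boolean with:      getsebool named_write_master_zones
SAMPLE='system_u:object_r:named_zone_t:s0 /var/named
system_u:object_r:named_cache_t:s0 /var/named/data
system_u:object_r:named_cache_t:s0 /var/named/dynamic
system_u:object_r:named_cache_t:s0 /var/named/slaves
system_u:object_r:named_zone_t:s0 /var/named/dyndb-ldap'

echo "named_write_master_zones off (old default):"; audit_named_dirs off "$SAMPLE"
echo "named_write_master_zones on (new default):";  audit_named_dirs on  "$SAMPLE"
```

With the boolean off only the three cache subdirectories come out writable; with it on, the zone-labelled /var/named and /var/named/dyndb-ldap do too, which is the behaviour the report asks to make the default.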

Comment 1 Lukas Vrabec 2018-10-15 16:11:54 UTC
commit f0c5a683216a296b2944f9274cafc5b223205f0c
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 12 16:11:54 2018 +0200

    Turn named_write_master_zones boolean on by default.