Bug 1683754
| Summary: | bind cannot access /proc/sys/net/ipv4/ip_local_port_range | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Menšík <pemensik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.7 | CC: | kwalker, lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 12:53:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1640561, 1701969 | ||
# rpm -qa bind\* selinux\* | sort
bind-9.11.4-2.P2.el7.x86_64
bind-libs-9.11.4-2.P2.el7.x86_64
bind-libs-lite-9.11.4-2.P2.el7.x86_64
bind-license-9.11.4-2.P2.el7.noarch
selinux-policy-3.13.1-236.el7.noarch
selinux-policy-targeted-3.13.1-236.el7.noarch
#
Appeared in enforcing mode:
----
type=PROCTITLE msg=audit(03/04/2019 08:17:37.492:378) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(03/04/2019 08:17:37.492:378) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f7bfa47c1c0 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=12634 pid=12636 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=isc-worker0000 exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(03/04/2019 08:17:37.492:378) : avc: denied { search } for pid=12636 comm=isc-worker0000 name=net dev="proc" ino=7441 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
----
Appeared in permissive mode:
----
type=PROCTITLE msg=audit(03/04/2019 08:18:19.003:387) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(03/04/2019 08:18:19.003:387) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7f392329b1c0 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=12700 pid=12702 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=isc-worker0000 exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { open } for pid=12702 comm=isc-worker0000 path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { read } for pid=12702 comm=isc-worker0000 name=ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { search } for pid=12702 comm=isc-worker0000 name=net dev="proc" ino=7441 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(03/04/2019 08:18:19.003:388) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(03/04/2019 08:18:19.003:388) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xb a1=0x7f3920838240 a2=0x7f3920838240 a3=0x7f39208381a0 items=0 ppid=12700 pid=12702 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=isc-worker0000 exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(03/04/2019 08:18:19.003:388) : avc: denied { getattr } for pid=12702 comm=isc-worker0000 path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----
*** Bug 1701969 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127
Description of problem:
After the bind rebase to version 9.11, AVC failures occur in tests. It seems the new BIND tries to read the currently used port ranges from /proc/sys/net/ipv4/ip_local_port_range every time.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-229.el7_6.9.noarch
bind-9.11.4-1.P2.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. yum install bind
2. systemctl restart named
3.

Actual results:
type=PROCTITLE msg=audit(02/27/2019 11:18:00.906:150) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(02/27/2019 11:18:00.906:150) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f37a44b31c0 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=10603 pid=10605 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=isc-worker0000 exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(02/27/2019 11:18:00.906:150) : avc: denied { search } for pid=10605 comm=isc-worker0000 name=net dev="proc" ino=8221 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Expected results:
no AVC failures

Additional info:
Reading values can be suppressed by the use-v6-udp-ports and use-v6-udp-ports options. It would be great if those could be read from the system, without manual configuration. It seems to me it requires kernel_read_net_sysctls(named_t)
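The two audit captures above illustrate why triaging an AVC in enforcing mode alone is misleading: named is denied `search` on the `net` directory, the `open()` fails right there, and the `open`/`read`/`getattr` denials on the file itself never get a chance to appear. Only the permissive-mode capture shows the complete set of permissions a policy fix has to grant. The script below is an added example (not part of this bug report, and not Red Hat's or the selinux-policy project's code): it parses the AVC records quoted on this page, aggregates them into `allow` rules the way `audit2allow` would, and checks that set against what the `kernel_read_net_sysctls()` interface suggested in the report is expected to grant. `INTERFACE_GRANTS` is an assumption that approximates the refpolicy interface (read permissions on `sysctl_net_t` files plus directory listing); verify it against the policy sources you actually ship before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug report.
# In enforcing mode only the first denial in the open() path is visible.
ENFORCING_AVCS = """\
type=AVC msg=audit(03/04/2019 08:17:37.492:378) : avc: denied { search } for pid=12636 comm=isc-worker0000 name=net dev="proc" ino=7441 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
"""

# Permissive mode lets the call continue, so every denial on the path is logged.
PERMISSIVE_AVCS = """\
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { open } for pid=12702 comm=isc-worker0000 path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { read } for pid=12702 comm=isc-worker0000 name=ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/04/2019 08:18:19.003:387) : avc: denied { search } for pid=12702 comm=isc-worker0000 name=net dev="proc" ino=7441 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(03/04/2019 08:18:19.003:388) : avc: denied { getattr } for pid=12702 comm=isc-worker0000 path=/proc/sys/net/ipv4/ip_local_port_range dev="proc" ino=37652 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

# Assumption: an approximation of what kernel_read_net_sysctls($1) expands to in
# refpolicy (read_files_pattern on sysctl_net_t files, list_dirs_pattern on the
# sysctl_net_t directory). Check the real interface in kernel.if before trusting it.
INTERFACE_GRANTS = {
    ("named_t", "sysctl_net_t", "dir"): {"getattr", "search", "open", "read", "lock", "ioctl"},
    ("named_t", "sysctl_net_t", "file"): {"getattr", "open", "read", "lock", "ioctl"},
}

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into (source type, target type, tclass, perms, permissive).

    Returns None for records that are not AVC denials (SYSCALL, PROCTITLE, ...).
    """
    m = _DENIED_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(_FIELD_RE.findall(line))
    # A context is user:role:type:level; the third field is the type we need.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], perms, fields.get("permissive") == "1"


def summarize(records):
    """Aggregate denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    needed = defaultdict(set)
    for line in records.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms, _ = parsed
            needed[(stype, ttype, tclass)] |= perms
    return dict(needed)


def to_te_rules(needed):
    """Render the aggregated denials as policy TE allow rules, in stable order."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        joined = " ".join(sorted(perms))
        body = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def uncovered(needed, grants):
    """Return the denials a proposed set of grants would still leave unfixed."""
    missing = {}
    for key, perms in needed.items():
        left = perms - grants.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == "__main__":
    enforcing = summarize(ENFORCING_AVCS)
    permissive = summarize(PERMISSIVE_AVCS)
    print("enforcing mode shows only:", to_te_rules(enforcing))
    print("permissive mode shows the full set:")
    for rule in to_te_rules(permissive):
        print("   ", rule)
    gap = uncovered(permissive, INTERFACE_GRANTS)
    print("left uncovered by kernel_read_net_sysctls(named_t):", gap or "nothing")
```

Running it shows the enforcing capture reduced to a single `dir search` rule, the permissive capture expanded to `dir search` plus `file { getattr open read }`, and nothing left over once the interface's assumed grants are applied, which is the argument for fixing this in the distribution policy rather than with a local module built from the enforcing-mode AVC alone.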