Bug 1821122
| Summary: | A missing selinux rule is preventing pcp-pmda-named from executing /usr/sbin/rndc | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Kurik <jkurik> |
| Component: | pcp | Assignee: | Nathan Scott <nathans> |
| Status: | CLOSED WONTFIX | QA Contact: | Jan Kurik <jkurik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.8 | CC: | agerstmayr, jkurik, mgoodwin, nathans, patrickm |
| Target Milestone: | rc | Keywords: | Bugfix, Triaged |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-30 00:01:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Resolved upstream via:

```
commit 57d763755cd081802d7074cb11af41c51173b98c
Author: Nathan Scott <nathans>
Date:   Tue Apr 7 10:15:41 2020 +1000

    selinux: additional policy needs for named PMDA in el7

    Resolves Red Hat BZ #1821122.
```

As there is no RHEL 7.10 planned, marking this as WONTFIX. RHEL 8.3 required different changes so I think we've done everything we can here for now.
Description of problem:

pcp-pmda-named uses /usr/sbin/rndc to get data from named. Unfortunately when pcp-pmda-named executes /usr/sbin/rndc the execution fails due to a missing SELinux rule allowing the execution of rndc.

Version-Release number of selected component (if applicable):

- pcp-4.3.2-8.el7
- selinux-policy-3.13.1-266.el7
- pcp-selinux-4.3.2-8.el7
- pcp-pmda-named-4.3.2-8.el7

How reproducible:

Always

Steps to Reproduce:

1. Install pcp with pcp-pmda-named
2. Install bind, bind-chroot, caching-nameserver, bind-utils packages
3. Configure bind as a caching nameserver
4. Start PCP as well as bind
5. Use i.e. "dig @127.0.0.1" to query DNS

Actual results:

Output of "audit2allow -a" shows:

```
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t ndc_exec_t:file execute_no_trans;
```

```
# grep 'type=AVC ' /var/log/audit/audit.log | head -n 1
type=AVC msg=audit(1586150510.119:1454): avc: denied { execute_no_trans } for pid=30473 comm="perl" path="/usr/sbin/rndc" dev="vda1" ino=7449669 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file permissive=0
```

Expected results:

Output of "audit2allow -a" should be empty. No AVC records in "/var/log/audit/audit.log".

Additional info:

This is a follow-up of BZ1749870.
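The AVC record and the `audit2allow -a` rule in the report are related mechanically: the rule is the source domain, target type, object class and permission set pulled out of the denial. The script below, an added example that is not code from the bug report, from pcp-selinux or from the upstream commit, does that extraction on a constructed audit log (the report's AVC record plus one made-up SYSCALL record as filter noise) and emits a Type Enforcement module in the shape `audit2allow -M` produces, so the rule can be read and, if you accept it, loaded as a stopgap until a fixed pcp-selinux is installed. The module name `pcp_rndc_local` and the helper names are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the bug report, pcp-selinux or the upstream
# commit: turn AVC records like the one in the report into a local policy
# module of the kind "audit2allow -M" emits.

# Constructed sample: the AVC record quoted in the report, preceded by a
# made-up non-AVC record to show that only AVC lines are considered.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1586150510.119:1454): arch=c000003e syscall=59 success=no exit=-13 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:pcp_pmcd_t:s0
type=AVC msg=audit(1586150510.119:1454): avc: denied { execute_no_trans } for pid=30473 comm="perl" path="/usr/sbin/rndc" dev="vda1" ino=7449669 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file permissive=0'

# Value of the key=value field $2 in audit record $1 (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Space-separated permissions inside the "denied { ... }" braces of record $1.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]}]\)[[:space:]]*}.*/\1/p'
}

# "source_type target_type class perm..." for AVC record $1; fails if a part is missing.
avc_tuple() {
    sdom=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ -n "$sdom" ] && [ -n "$ttype" ] && [ -n "$tclass" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s %s\n' "$sdom" "$ttype" "$tclass" "$perms"
}

# One allow rule from a tuple passed as separate words; braces only for several perms.
tuple_to_rule() {
    sdom=$1; ttype=$2; tclass=$3; shift 3
    if [ $# -gt 1 ]; then perms="{ $* }"; else perms=$1; fi
    printf 'allow %s %s:%s %s;\n' "$sdom" "$ttype" "$tclass" "$perms"
}

# One allow rule straight from an AVC record, as audit2allow prints it.
avc_to_rule() {
    tuple=$(avc_tuple "$1") || return 1
    # shellcheck disable=SC2086  # word splitting is intended here
    tuple_to_rule $tuple
}

# Number of AVC denials in log text $1 from source type $2 against target type $3.
count_avc_denials() {
    printf '%s\n' "$1" | grep '^type=AVC ' \
        | grep -c "scontext=[^ ]*:$2:[^ ]* tcontext=[^ ]*:$3:" || true
}

# Type Enforcement source for module $1 covering every AVC record in log text $2.
generate_te() {
    modname=$1
    tuples=$(printf '%s\n' "$2" | grep '^type=AVC ' \
        | while IFS= read -r rec; do avc_tuple "$rec"; done | sort -u)
    [ -n "$tuples" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$modname"
    # every type referenced, once
    printf '%s\n' "$tuples" | awk '{ print "\ttype " $1 ";"; print "\ttype " $2 ";" }' | sort -u
    # every class with the union of the permissions the rules use
    printf '%s\n' "$tuples" | awk '
        { for (i = 4; i <= NF; i++) if (!seen[$3, $i]++) perms[$3] = perms[$3] " " $i }
        END { for (c in perms) print "\tclass " c " {" perms[c] " };" }' | sort
    printf '}\n\n'
    printf '%s\n' "$tuples" | while IFS= read -r t; do tuple_to_rule $t; done
}

# Stand-alone run: show the module the sample log produces.
generate_te pcp_rndc_local "$SAMPLE_AUDIT_LOG"
```

On an affected host the same module can be built from the real log with `ausearch -m AVC -ts recent` as input and loaded with `checkmodule -M -m -o pcp_rndc_local.mod pcp_rndc_local.te`, `semodule_package -o pcp_rndc_local.pp -m pcp_rndc_local.mod` and `semodule -i pcp_rndc_local.pp`; then re-run the reproduction steps and confirm `audit2allow -a` is empty again. Two caveats: this is exactly what `audit2allow` suggests, an `execute_no_trans` rule that runs rndc inside the `pcp_pmcd_t` domain with no domain transition, so rndc inherits that domain's access and any further access rndc itself needs will show up as new AVC records to be reviewed the same way; and it is not a reconstruction of the upstream pcp-selinux change referenced above, which may express the access differently. Remove it with `semodule -r pcp_rndc_local` once a fixed pcp-selinux package is installed.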