Bug 1950714
| Summary: | SELinux is preventing /usr/sbin/named from 'name_bind' accesses on the udp_socket port 61000. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Peter Tselios <tselios.petros> | |
| Component: | bind | Assignee: | Petr Menšík <pemensik> | |
| Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.3 | CC: | bnater, lvrabec, mmalik, plautrba, psklenar, ssekidde, zpytela | |
| Target Milestone: | beta | Keywords: | AutoVerified, TestCaseProvided, Triaged | |
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | bind-9.11.26-8.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2013595 2013597 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-10 15:29:44 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2013595, 2013597, 2144069 | |||
|
Description
Peter Tselios
2021-04-18 05:05:19 UTC
Switching the component to bind for the maintainer to assess. BIND reads ephemeral values from /proc/sys/net/ipv4/ip_local_port_range file during startup. It should adjust its used range during startup, reported in log.
journalctl -xeu named | grep 'port range'
...named[5001]: using default UDP/IPv4 port range: [32768, 60999]
However, bind-chroot package and named-chroot service do not propagate /proc to chroot, so it cannot read used range from the system. It therefore falls back to defaults, which are blocked by selinux.
journalctl -xeu named-chroot | grep 'port range'
named[5126]: using default UDP/IPv6 port range: [1024, 65535]
It would therefore use also blocked ports by SELinux in this case. I think we do not want whole /proc propagated into chroot for security reasons. But I guess this single file should be propagated there.
Possible workarounds are:
- Not using bind-chroot/named-chroot, but using just named.service. With SELinux enforcing mode it should be well protected even without chroot. chroot is a weak protection compared to SELinux.
- mkdir -p /var/named/chroot/proc/sys/net/ipv4; add /proc/sys/net/ipv4/ip_local_port_range to /etc/named-chroot.files before /var/named
- Add into options section in /etc/named.conf:
use-v4-udp-ports { range 32768 60999; };
use-v6-udp-ports { range 32768 60999; };
(In reply to Petr Menšík from comment #3) > Possible workarounds are: > - Not using bind-chroot/named-chroot, but using just named.service. With > SELinux enforcing mode it should be well protected even without chroot. > chroot is a weak protection compared to SELinux. Personally, I'd not stop using chroot, especially for the cases where customers decide not to use SELinux protection. Also note SELinux can be put into permissive mode temporarily. > - mkdir -p /var/named/chroot/proc/sys/net/ipv4; add > /proc/sys/net/ipv4/ip_local_port_range to /etc/named-chroot.files before > /var/named > - Add into options section in /etc/named.conf: > use-v4-udp-ports { range 32768 60999; }; > use-v6-udp-ports { range 32768 60999; }; Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: bind security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:2092 |