Bug 2029866

Summary: SELinux prevents inotify on /etc/dnsmasq.d and tree under it
Product: Red Hat Enterprise Linux 9
Reporter: Riccardo Pittau <rpittau>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.0
CC: bstinson, jwboyer, lvrabec, mmalik, rpittau, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 9.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-34.1.20-1.el9
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-05-17 15:50:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Riccardo Pittau 2021-12-07 13:51:39 UTC
Description of problem:
SELinux prevents inotify on /etc/dnsmasq.d and tree under it
The "watch" permission is missing on the dnsmasq_etc_t label.

Version-Release number of selected component (if applicable):
dnsmasq-2.85-2.el9.x86_64
selinux-policy-34.1.18-1.el9.noarch
selinux-policy-targeted-34.1.18-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. set dhcp-hostsdir in dnsmasq configuration
2. start dnsmasq

Actual results:
example:
dnsmasq[9647]: failed to create inotify for /etc/dnsmasq.d/bifrost.dhcp-hosts.d: Permission denied

type=AVC msg=audit(1637861385.080:2976): avc:  denied  { watch } for  pid=17959 comm="dnsmasq" path="/etc/dnsmasq.d/bifrost.dhcp-hosts.d" dev="sda1" ino=452357 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0

Expected results:
should be able to set inotify on /etc/dnsmasq.d

Additional info:
after adding the "watch" permission to dnsmasq_etc_t everything works fine

Comment 1 Milos Malik 2021-12-07 14:44:08 UTC
# tail -n 2 /etc/dnsmasq.conf 
hostsdir=/etc/dnsmasq.d
# service dnsmasq restart
Redirecting to /bin/systemctl restart dnsmasq.service
#

Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(12/07/2021 09:38:48.124:320) : proctitle=/usr/sbin/dnsmasq 
type=PATH msg=audit(12/07/2021 09:38:48.124:320) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/07/2021 09:38:48.124:320) : cwd=/ 
type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x8 a1=0x5586fa914c70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5720 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc:  denied  { watch } for  pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0 
----

Following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(12/07/2021 09:41:03.126:326) : proctitle=/usr/sbin/dnsmasq 
type=PATH msg=audit(12/07/2021 09:41:03.126:326) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/07/2021 09:41:03.126:326) : cwd=/ 
type=SYSCALL msg=audit(12/07/2021 09:41:03.126:326) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x8 a1=0x556fd368bc70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5733 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 09:41:03.126:326) : avc:  denied  { watch } for  pid=5733 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1 
----
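The denial in the description is in raw audit.log form, while the two records in comment 1 are in the interpreted form that `ausearch -i` prints; the only difference that matters for triage is the `permissive=` field and, in the permissive run, the SYSCALL record reporting `success=yes`. The script below is an added example (not part of this report or of selinux-policy) that parses both forms, derives the TE allow rule each denial would need in the way `audit2allow` does, and separately flags records that were only logged because the machine was permissive. The three AVC lines are the ones from this report; the fourth AVC line is constructed to exercise the multi-permission path and does not correspond to any real denial.

```python
"""Parse SELinux AVC records (raw audit.log and `ausearch -i` forms) and
derive the allow rule each denial would need.

Added example, not from the bug report or the selinux-policy project.
SAMPLE_LINES embeds the report's records so the script runs offline; the
last AVC line is constructed and labelled as such.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Anchor on "avc:" rather than on the timestamp so both header styles
# (msg=audit(1637861385.080:2976): and msg=audit(12/07/2021 ...) :) match.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<tail>.*)$'
)
# key=value, where the value may be quoted (raw form) or bare (interpreted form).
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class AvcRecord:
    verdict: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    comm: str = ""
    path: str = ""

    @property
    def source_type(self):
        # A context is user:role:type:level; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self):
        return self.tcontext.split(":")[2]

    def allow_rule(self):
        """TE rule that would permit exactly this access (review before shipping)."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("tail")):
        fields[kv.group("key")] = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
    try:
        return AvcRecord(
            verdict=m.group("verdict"),
            perms=tuple(m.group("perms").split()),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            permissive=fields.get("permissive") == "1",
            comm=fields.get("comm", ""),
            path=fields.get("path", ""),
        )
    except KeyError:  # malformed record without the mandatory context fields
        return None


def summarize(lines):
    """Return ({allow_rule: count}, [records logged only because of permissive mode])."""
    rules = Counter()
    permissive_hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.verdict != "denied":
            continue
        rules[rec.allow_rule()] += 1
        if rec.permissive:
            permissive_hits.append(rec)
    return rules, permissive_hits


SAMPLE_LINES = [
    # Raw audit.log record from the bug description.
    'type=AVC msg=audit(1637861385.080:2976): avc:  denied  { watch } for  pid=17959 comm="dnsmasq" path="/etc/dnsmasq.d/bifrost.dhcp-hosts.d" dev="sda1" ino=452357 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0',
    # Interpreted (ausearch -i) records from comment 1: enforcing, then permissive.
    'type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) pid=5720 comm=dnsmasq subj=system_u:system_r:dnsmasq_t:s0',
    'type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc:  denied  { watch } for  pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0 ',
    'type=AVC msg=audit(12/07/2021 09:41:03.126:326) : avc:  denied  { watch } for  pid=5733 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=1 ',
    # CONSTRUCTED record (not from the report) with two permissions, to show the braced form.
    'type=AVC msg=audit(1637861400.000:2980): avc:  denied  { read open } for  pid=17959 comm="dnsmasq" path="/etc/dnsmasq.d/example.conf" dev="sda1" ino=452400 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    rules, permissive_hits = summarize(SAMPLE_LINES)
    for rule, count in rules.most_common():
        print(f"{count}x {rule}")
    for rec in permissive_hits:
        print(f"would be blocked in enforcing mode: {rec.comm} {rec.tclass} {rec.path}")
```

Derived rules are a starting point for review, not a drop-in fix: a rule generated from a denial grants exactly what the process asked for, so check that the source and target types are as specific as the ones here (dnsmasq_t on dnsmasq_etc_t, dir class, watch only) before compiling it into a local module with `audit2allow -M`, and drop the local module once the fixed selinux-policy build (34.1.20-1.el9) is installed. Records with `permissive=1` deserve the same attention as enforcing denials, because they show what will break the moment the host is switched back to enforcing.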

Comment 3 Zdenek Pytela 2021-12-07 17:10:32 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/969

Comment 5 Zdenek Pytela 2021-12-09 19:34:01 UTC
To backport:
commit 359d7cdc59a69c39c9f1d00890002dc7150b918a (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Tue Dec 7 18:08:01 2021 +0100

    Allow dnsmasq watch /etc/dnsmasq.d directories

Comment 13 errata-xmlrpc 2022-05-17 15:50:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918