Bug 2047945

Summary: Additions to the PowerDNS SELinux policy
Product: Red Hat Enterprise Linux 9
Reporter: Jon Schewe <jon.schewe>
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.2
CC: kevin, lvrabec, mastahnke, mmalik, ms, peljasz, ruben, sander, smooge, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.20-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: PowerDNS requires name_bind and name_connect on all ports and read access to the Kerberos key table.
Consequence: SELinux denied PowerDNS name_connect and name_bind on all ports and denied reading the Kerberos key table.
Fix: Allow PowerDNS name_bind on all UDP ports and name_connect on all TCP ports. Allow PowerDNS to read the Kerberos key table.
Result: No denials.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2023-08-08
Attachments: pdns.conf file (flags: none)

Description Jon Schewe 2022-01-28 22:26:31 UTC
We have recently installed PowerDNS and found that the SELinux profile is missing some items. The items that we needed to add are listed below. Can these be added to future releases of the selinux profile for PowerDNS in EPEL?

I asked Red Hat about this and they said to contact the Fedora team.


module pdns_extra 1.0;

require {
  type pdns_t;
  type krb5_keytab_t;
  type unreserved_port_t;
  class udp_socket name_bind;
  class dir search;
}

# allow pdns to search for a kerberos keytab
allow pdns_t krb5_keytab_t:dir search;

# allow pdns to bind to unreserved udp ports
# bind does this too, so we assume it's ok
allow pdns_t unreserved_port_t:udp_socket name_bind;

Comment 2 Milos Malik 2023-06-06 10:10:25 UTC
I'm not able to reproduce any SELinux denials which would be related to the policy rules listed in comment #0.

But the following SELinux denial appears several times when I enable the ldap backend of PowerDNS:
----
type=PROCTITLE msg=audit(06/06/2023 05:58:07.435:2054) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=SOCKADDR msg=audit(06/06/2023 05:58:07.435:2054) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 } 
type=SYSCALL msg=audit(06/06/2023 05:58:07.435:2054) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x9 a1=0x562512a0c6a0 a2=0x10 a3=0x1 items=0 ppid=1 pid=6320 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(06/06/2023 05:58:07.435:2054) : avc:  denied  { name_connect } for  pid=6320 comm=pdns_server dest=389 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0 
----

# grep launch /etc/pdns/pdns.conf 
# launch	Which backends to launch and order to query them in
launch=ldap
#

Comment 3 Milos Malik 2023-06-06 10:24:16 UTC
Please attach the pdns configuration file that you used when you found out that the SELinux profile is missing some items.

Thank you.

Comment 4 Jon Schewe 2023-06-06 17:45:36 UTC
Created attachment 1969341 [details]
pdns.conf file

Sanitized pdns.conf file attached.

Comment 5 Milos Malik 2023-06-07 08:24:28 UTC
A lot of SELinux denials similar to this one appear when the attached pdns.conf is used:
----
type=PROCTITLE msg=audit(06/07/2023 04:08:50.898:8027) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=SOCKADDR msg=audit(06/07/2023 04:08:50.898:8027) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=19284 } 
type=SYSCALL msg=audit(06/07/2023 04:08:50.898:8027) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xf a1=0x7f0b8da9b4d0 a2=0x10 a3=0x7f0b90b9eac0 items=0 ppid=1 pid=11682 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns/comm-main exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(06/07/2023 04:08:50.898:8027) : avc:  denied  { name_bind } for  pid=11682 comm=pdns/comm-main src=19284 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 
----

Of course, each of the SELinux denials has a different source port logged (src=...).

Comment 6 Milos Malik 2023-06-07 08:32:36 UTC
The following SELinux denial appears multiple times:
----
type=PROCTITLE msg=audit(06/07/2023 04:29:41.898:14174) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=PATH msg=audit(06/07/2023 04:29:41.898:14174) : item=0 name=/var/kerberos/krb5/user/991/client.keytab nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/07/2023 04:29:41.898:14174) : cwd=/ 
type=SYSCALL msg=audit(06/07/2023 04:29:41.898:14174) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5594dec56860 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=15876 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(06/07/2023 04:29:41.898:14174) : avc:  denied  { search } for  pid=15876 comm=pdns_server name=krb5 dev="vda1" ino=2236089 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 
----

when the pdns.conf file contains the following lines:

gpgsql-host=localhost6
gpgsql-port=5432
gpgsql-dbname=basic
gpgsql-user=tester
gpgsql-password=secret

Comment 7 Milos Malik 2023-06-07 08:38:51 UTC
The following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(06/07/2023 04:34:21.647:15582) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=PATH msg=audit(06/07/2023 04:34:21.647:15582) : item=0 name=/var/kerberos/krb5/user/991/client.keytab nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/07/2023 04:34:21.647:15582) : cwd=/ 
type=SYSCALL msg=audit(06/07/2023 04:34:21.647:15582) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=AT_FDCWD a1=0x55f97b1e3860 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=16840 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(06/07/2023 04:34:21.647:15582) : avc:  denied  { search } for  pid=16840 comm=pdns_server name=krb5 dev="vda1" ino=2236089 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1 
----
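
Added example, not code from the bug report or the selinux-policy project: a small Python script that turns the AVC records quoted in comments 2, 5 and 6 into a local policy module the way audit2allow would, so the result can be compared with the pdns_extra module in the description. The module name pdns_local is an assumed placeholder. The per-port rules it produces are narrower than the shipped fix, which allows binding and connecting on all ports, and the krb5_keytab_t rule only covers the directory search that was denied, not reading the keytab itself.

```python
import re
from collections import defaultdict

# AVC records copied from this bug's comments 2, 5 and 6 (the other record types are not needed).
SAMPLE_AVCS = """\
type=AVC msg=audit(06/06/2023 05:58:07.435:2054) : avc:  denied  { name_connect } for  pid=6320 comm=pdns_server dest=389 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(06/07/2023 04:08:50.898:8027) : avc:  denied  { name_bind } for  pid=11682 comm=pdns/comm-main src=19284 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(06/07/2023 04:29:41.898:14174) : avc:  denied  { search } for  pid=15876 comm=pdns_server name=krb5 dev="vda1" ino=2236089 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
"""


def parse_avc(line):
    """Return the permissions, source type, target type and class of one AVC record, or None."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if m is None:
        return None  # not a denial record (SYSCALL, PATH, PROCTITLE, ...)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        return {
            "perms": sorted(m.group(1).split()),
            "stype": fields["scontext"].split(":")[2],  # context is user:role:type:level
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None


def build_module(lines, name="pdns_local"):
    """Merge denials into a .te module: one allow rule per (source type, target type, class)."""
    rules, types, classes = defaultdict(set), set(), defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        rules[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
        types.update((avc["stype"], avc["ttype"]))
        classes[avc["tclass"]].update(avc["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_AVCS.splitlines()))
```

The generated text is the .te source only; building and loading it still goes through checkmodule, semodule_package and semodule as usual.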

Comment 8 Nikola Knazekova 2023-08-07 14:47:51 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1819

Comment 16 Nikola Knazekova 2023-08-17 14:07:41 UTC
*** Bug 2227837 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2023-11-07 08:52:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617