Bug 2165438

Summary: Repeated AVC denials for dnsmasq socket create
Product: Red Hat Enterprise Linux 8
Reporter: Robert Nichols <rnichols42>
Component: dnsmasq
Assignee: Petr Menšík <pemensik>
Status: CLOSED WORKSFORME
QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: low
Docs Contact:
Priority: unspecified
Version: CentOS Stream
CC: bstinson, jwboyer
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-04-22 09:19:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Content of config files (flags: none)

Description Robert Nichols 2023-01-30 03:45:24 UTC
Description of problem:
When running with dnsmasq configured as bootp and domain server, there are repeated AVC denials: "SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t." Despite these enforcing-mode denials, dnsmasq appears to work properly, serving both bootp and DNS requests, so it is not apparent whether this is a problem with dnsmasq or selinux-policy-targeted, and if the latter, whether ALLOW or DONTAUDIT is the appropriate adjustment.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-24.el8.x86_64, selinux-policy-targeted-3.14.3-114.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. On a system with both WAN and LAN interfaces, configure NetworkManager with "dns=dnsmasq" and dnsmasq listening on the LAN interface (config files attached).
2. Boot the system; AVCs begin almost immediately and seem to repeat whenever a DNS request needs to be forwarded upstream.

Actual results:
Report from sealert: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t

Expected results:
No AVCs.

Additional info:
Source Context system_u:system_r:dnsmasq_t:s0
Target Context system_u:system_r:dnsmasq_t:s0
Target Objects Unknown [ socket ]
Source dnsmasq
Source Path /usr/sbin/dnsmasq
Port <Unknown>
Host omega-3x
Source RPM Packages dnsmasq-2.79-24.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name omega-3x
Platform Linux omega-3x 4.18.0-448.el8.x86_64 #1 SMP Wed Jan 18 15:02:46 UTC 2023 x86_64 x86_64
Alert Count 6
First Seen 2023-01-28 14:50:41 CST
Last Seen 2023-01-28 14:57:16 CST
Local ID e32e9a86-6adb-4a61-b777-3f1e138449d7

Raw Audit Messages
type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0

type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket success=no exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 auid=4294967295 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

Hash: dnsmasq,dnsmasq_t,dnsmasq_t,socket,create
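As an added triage helper (not part of this report, of dnsmasq, or of selinux-policy), the script below pairs the AVC record with the SYSCALL record of the same audit event id and decodes the socket() arguments a0/a1 from the SYSCALL line. On the records above they decode to socket(AF_UNSPEC, SOCK_DGRAM, 0), which fits tclass=socket: SELinux checks the generic socket class when the address family maps to no specific class such as udp_socket. The AF_*/SOCK_* tables are the x86_64 Linux constants, and the sample text is constructed from the two records quoted in the report.

```python
import re

# Constructed sample: the two audit records quoted in this report, as they would sit in audit.log
SAMPLE_AUDIT = """\
type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0
type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket success=no exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 auid=4294967295 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)
"""

# socket(2) address-family and type constants on x86_64 Linux (subset sufficient for dnsmasq)
AF_NAMES = {0: "AF_UNSPEC", 1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}
SOCK_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
SOCK_TYPE_MASK = 0xF  # drops SOCK_NONBLOCK / SOCK_CLOEXEC flag bits from a1

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')   # timestamp:serial shared by records of one event
PERM_RE = re.compile(r'denied\s*\{\s*([^}]*?)\s*\}')  # the { create } permission set of an AVC record

def parse_record(line):
    """Turn one audit record into a dict of its fields, plus event id and AVC permission list."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event"] = EVENT_RE.search(line).group(1)
    perms = PERM_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def decode_socket_args(a0, a1):
    """Map the hex a0/a1 of a socket() SYSCALL record to AF_* and SOCK_* names."""
    family, stype = int(a0, 16), int(a1, 16) & SOCK_TYPE_MASK
    return AF_NAMES.get(family, f"AF_{family}"), SOCK_NAMES.get(stype, f"SOCK_{stype}")

def triage(audit_text):
    """Pair each AVC with the SYSCALL record of the same event and summarise what was denied."""
    events = {}
    for line in audit_text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    summary = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        entry = {"event": event_id, "comm": avc["comm"], "scontext": avc["scontext"],
                 "tclass": avc["tclass"], "perms": avc["perms"],
                 "enforced": avc.get("permissive") == "0"}
        if sc and sc.get("syscall") == "socket":
            entry["family"], entry["socktype"] = decode_socket_args(sc["a0"], sc["a1"])
            entry["exit"] = sc.get("exit")
        summary.append(entry)
    return summary
```

triage(SAMPLE_AUDIT) returns one entry with family AF_UNSPEC, socktype SOCK_DGRAM, tclass socket and perms ['create']; feeding it a real audit.log (for example the output of ausearch -m AVC,SYSCALL --raw) works the same way, since the regexes tolerate the extra whitespace audit writes.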

Comment 1 Robert Nichols 2023-01-30 03:48:13 UTC
Created attachment 1941039 [details]
Content of config files

Comment 2 Robert Nichols 2023-02-16 23:56:55 UTC
For reasons that are not apparent, this problem has disappeared for me, so I guess this can be closed as not reproducible.

Sorry about the noise.

Comment 3 Petr Menšík 2023-04-22 09:19:11 UTC
FYI, the local. domain is reserved for multicast DNS use. You should avoid using it for DNS; some programs will not handle it correctly. home.arpa. is the standardized name for local networks without their own domain, and that should be used instead.

I am not sure what port or socket type creation is failing. It is unusual to have dnsmasq controlled by NetworkManager also offer DHCP, but I expect it should work.

If you are able to reproduce it again, please reopen the bug.