Bug 2209973
| Summary: | SELinux prevents nsd-* tools (executed by crond) from writing into /run/nsd/nsd.ctl socket | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.3 | CC: | lvrabec, mmalik, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.16-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-07 08:52:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
the following message appears in the systemd journal when any nsd-* program is executed as a cronjob.

CROND[23753]: (root) CMDOUT (error: connect (/run/nsd/nsd.ctl): Permission denied)

# matchpathcon /usr/sbin/nsd-*
/usr/sbin/nsd-checkconf	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-checkzone	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-control	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-control-setup	system_u:object_r:nsd_exec_t:s0
# sesearch -c process -T | grep 'cron.*nsd_crond_t'
type_transition crond_t nsd_exec_t:process nsd_crond_t;
type_transition system_cronjob_t nsd_exec_t:process nsd_crond_t;
#

Version-Release number of selected component (if applicable):
nsd-4.3.9-3.el9.x86_64
selinux-policy-38.1.12-1.el9.noarch
selinux-policy-targeted-38.1.12-1.el9.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-9.3 machine (targeted policy is active)
2. start the nsd service
3. add the following line into /etc/crontab file
* * * * * nsd /usr/sbin/nsd-control status
4. restart the crond service
5. wait at least 1 minute
6. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(05/25/2023 07:23:01.953:1237) : proctitle=/usr/sbin/nsd-control status
type=PATH msg=audit(05/25/2023 07:23:01.953:1237) : item=0 name=/run/nsd/nsd.ctl inode=1153 dev=00:18 mode=socket,755 ouid=nsd ogid=nsd rdev=00:00 obj=system_u:object_r:nsd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/25/2023 07:23:01.953:1237) : cwd=/etc/nsd
type=SOCKADDR msg=audit(05/25/2023 07:23:01.953:1237) : saddr={ saddr_fam=local path=/run/nsd/nsd.ctl }
type=SYSCALL msg=audit(05/25/2023 07:23:01.953:1237) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffc3b2cfdc0 a2=0x6e a3=0xfffffffffffffffc items=1 ppid=24462 pid=24474 auid=nsd uid=nsd gid=nsd euid=nsd suid=nsd fsuid=nsd egid=nsd sgid=nsd fsgid=nsd tty=(none) ses=96 comm=nsd-control exe=/usr/sbin/nsd-control subj=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/25/2023 07:23:01.953:1237) : avc: denied { write } for pid=24474 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=0
----

Actual results (permissive mode):
----
type=PROCTITLE msg=audit(05/25/2023 07:24:02.055:1255) : proctitle=/usr/sbin/nsd-control status
type=PATH msg=audit(05/25/2023 07:24:02.055:1255) : item=0 name=/run/nsd/nsd.ctl inode=1153 dev=00:18 mode=socket,755 ouid=nsd ogid=nsd rdev=00:00 obj=system_u:object_r:nsd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/25/2023 07:24:02.055:1255) : cwd=/etc/nsd
type=SOCKADDR msg=audit(05/25/2023 07:24:02.055:1255) : saddr={ saddr_fam=local path=/run/nsd/nsd.ctl }
type=SYSCALL msg=audit(05/25/2023 07:24:02.055:1255) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd11510880 a2=0x6e a3=0xfffffffffffffffc items=1 ppid=24479 pid=24491 auid=nsd uid=nsd gid=nsd euid=nsd suid=nsd fsuid=nsd egid=nsd sgid=nsd fsgid=nsd tty=(none) ses=98 comm=nsd-control exe=/usr/sbin/nsd-control subj=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc: denied { connectto } for pid=24491 comm=nsd-control path=/run/nsd/nsd.ctl scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:nsd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc: denied { write } for pid=24491 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=1
----

Expected results:
 * no SELinux denials

Additional info:
 * the nsd package comes from EPEL

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6617
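The two audit captures in the report illustrate a point worth checking whenever a denial like this is triaged: in enforcing mode the kernel logs only the first access check that fails (the `write` on the `sock_file`), while permissive mode lets the `connect()` proceed and therefore also records the `connectto` check against the `nsd_t` peer socket. A local policy derived from the enforcing-mode log alone would be incomplete. The script below is an added example written for this page, not code from the bug, from the selinux-policy package or from audit2allow: it parses the AVC records quoted above (embedded as constructed input copied from the report) into audit2allow-style `allow` rules, so the difference between the two captures becomes visible in the output. The generated rules are only what the denials imply, not the change Red Hat shipped in selinux-policy-38.1.16-1.el9.

```python
import re
from collections import OrderedDict

# AVC records copied from the bug report. Enforcing mode logged one denial;
# permissive mode logged both checks the connect() syscall has to pass.
ENFORCING_LOG = """\
type=AVC msg=audit(05/25/2023 07:23:01.953:1237) : avc: denied { write } for pid=24474 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=0
"""
PERMISSIVE_LOG = """\
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc: denied { connectto } for pid=24491 comm=nsd-control path=/run/nsd/nsd.ctl scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:nsd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc: denied { write } for pid=24491 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=1
"""

# Fields of an "avc: denied" record in the order auditd prints them.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(context):
    """Return the type field (user:role:type:range) of an SELinux security context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Parse every 'avc: denied' record in log_text; other record types are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": tuple(sorted(m.group("perms").split())),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def allow_rules(records):
    """Merge denials with the same (source, target, class) into one allow rule each,
    the same way audit2allow summarises a log, preserving first-seen order."""
    merged = OrderedDict()
    for r in records:
        key = (r["source"], r["target"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for label, log in (("enforcing", ENFORCING_LOG), ("permissive", PERMISSIVE_LOG)):
        print(f"# rules implied by the {label}-mode capture")
        for rule in allow_rules(parse_avc(log)):
            print(rule)
```

Run as-is, the enforcing capture yields a single rule for the `sock_file` write, while the permissive capture adds the `unix_stream_socket connectto` rule against `nsd_t`; both are needed before `nsd-control` can reach the daemon. In practice a distribution policy would express this through the nsd module's own interfaces rather than raw `allow` lines, and the `Fixed In Version` above is the shipped resolution; the script is meant for confirming that a log is complete before any local module is built from it.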