Bug 2227837
| Summary: | SELinux prevents the pdns service from running when master=yes is configured | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | lejeczek <peljasz> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 9.2 | CC: | lvrabec, mmalik, mstevens, ruben, sander, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | nknazeko: needinfo? (peljasz) |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-17 14:07:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
lejeczek
2023-07-31 15:55:40 UTC
Hi, please reproduce the issue in permissive mode with full auditing enabled and attach SELinux denials:

Permissive mode:
# setenforce 0

Full audit:
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

A lot of SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(08/10/2023 04:29:12.542:5938) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
type=SOCKADDR msg=audit(08/10/2023 04:29:12.542:5938) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=17055 }
type=SYSCALL msg=audit(08/10/2023 04:29:12.542:5938) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x12 a1=0x7f24affa04d0 a2=0x10 a3=0x7f24aff9fa60 items=0 ppid=1 pid=10202 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns/comm-main exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null)
type=AVC msg=audit(08/10/2023 04:29:12.542:5938) : avc: denied { name_bind } for pid=10202 comm=pdns/comm-main src=17055 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
----
Each of them has a different source port (src=...)
# ausearch -m avc -m user_avc -i | audit2allow
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow pdns_t unreserved_port_t:udp_socket name_bind;
After enabling the nis_enabled boolean, the pdns service starts and runs successfully.
The following error message does not appear anymore:
pdns_server[...]: Exiting because communicator thread died with error: Resolver binding to local UDP socket on '0.0.0.0': Permission denied
*** This bug has been marked as a duplicate of bug 2047945 ***
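The denial pattern above (many `name_bind` denials for `pdns_t` on `unreserved_port_t`, each with a different `src=` port) is what the `master=yes` communicator thread produces when it binds a random source port for its outbound queries. The script below is an added example, not part of the bug report and not the code of audit2allow or of selinux-policy. It parses `ausearch -i` AVC records of the form quoted in the bug, merges them into `allow` rules the way audit2allow does, flags the "many distinct ports" pattern (which means a single `semanage port` labelling cannot help and the rule has to cover `unreserved_port_t` as a whole), and renders a standalone `.te` module that grants only that one rule, as a narrower alternative to the `nis_enabled` workaround. The sample input is constructed: it repeats the record from the bug and adds two records with other ports, as the report says each denial has a different one. The module name `pdns_local` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input (not a real log): the AVC record quoted in the bug,
# plus two more with other source ports, as the report notes every denial has
# a different src= value. This is the `ausearch -i` (interpreted) format.
SAMPLE_AVCS = """\
type=AVC msg=audit(08/10/2023 04:29:12.542:5938) : avc: denied { name_bind } for pid=10202 comm=pdns/comm-main src=17055 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(08/10/2023 04:29:13.011:5941) : avc: denied { name_bind } for pid=10202 comm=pdns/comm-main src=40211 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(08/10/2023 04:29:13.522:5944) : avc: denied { name_bind } for pid=10202 comm=pdns/comm-main src=58322 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def context_type(ctx):
    """Type field of user:role:type:level, e.g. pdns_t from system_u:system_r:pdns_t:s0."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a dict for one denied AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    src = fields.get("src", "")
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "src": int(src) if src.isdigit() else None,
        "comm": fields.get("comm"),
    }


def summarize(text):
    """Group denials as (source type, target type, class, permission) -> set of src ports."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            ports = summary[(rec["stype"], rec["ttype"], rec["tclass"], perm)]
            if rec["src"] is not None:
                ports.add(rec["src"])
    return dict(summary)


def te_rules(summary):
    """One allow rule per (stype, ttype, tclass), permissions merged, as audit2allow prints."""
    perms_by_triple = defaultdict(set)
    for (stype, ttype, tclass, perm) in summary:
        perms_by_triple[(stype, ttype, tclass)].add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_triple.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, body))
    return rules


def binds_ephemeral_ports(summary, stype, tclass="udp_socket"):
    """True when the domain was denied name_bind on more than one distinct unreserved
    port: the process picks a random source port, so relabelling one port with
    `semanage port` cannot fix it; the rule must cover unreserved_port_t as a whole."""
    ports = summary.get((stype, "unreserved_port_t", tclass, "name_bind"), set())
    return len(ports) > 1


def local_module(name, rules):
    """Render a standalone .te module in checkmodule syntax (the shape audit2allow -M
    emits) that grants only the listed rules. Module name is the caller's choice."""
    types, classes = set(), defaultdict(set)
    for r in rules:
        m = re.match(r"allow (\w+) (\w+):(\w+) (?:\{ ([^}]*) \}|(\w+));", r)
        stype, ttype, tclass, multi, single = m.groups()
        types.update([stype, ttype])
        classes[tclass].update((multi or single).split())
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["    type %s;" % t for t in sorted(types)]
    lines += ["    class %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    s = summarize(SAMPLE_AVCS)
    print("ephemeral source ports:", binds_ephemeral_ports(s, "pdns_t"))
    print(local_module("pdns_local", te_rules(s)))
```

The rendered module can be built and loaded with `checkmodule -M -m -o pdns_local.mod pdns_local.te`, `semodule_package -o pdns_local.pp -m pdns_local.mod` and `semodule -i pdns_local.pp`. That grants `pdns_t` alone the `name_bind` it needs, whereas `setsebool -P nis_enabled on`, the workaround that made the service start here, flips a global boolean that also relaxes the port rules of every other domain whose policy is gated on it. Either is a stopgap until the selinux-policy fix tracked in the duplicate bug ships.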