1195752 – dnssec-triggerd is not allowed to write to /etc

Bug 1195752 - dnssec-triggerd is not allowed to write to /etc

Summary: dnssec-triggerd is not allowed to write to /etc

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	21
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Default_Local_DNS_Resolver
TreeView+	depends on / blocked

Reported:	2015-02-24 13:52 UTC by Tomáš Hozza
Modified:	2015-03-21 04:50 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-105.6.fc21
Clone Of:
Environment:
Last Closed:	2015-03-21 04:50:21 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tomáš Hozza 2015-02-24 13:52:16 UTC

Description of problem:
SELinux policy does not allow dnssec-triggerd to write to /etc, thus dnssec-triggerd is not able to write /etc/resolv.conf and my system ends up without /etc/resolv.conf completely.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-105.3.fc21.noarch
dnssec-trigger-0.12-17.fc22.x86_64

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: [1587] notice: probe done: DNSSEC to auth direct
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: ok
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: ok
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: chattr: No such file or directory while trying to stat /etc/resolv.conf
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: [1587] error: chmod(/etc/resolv.conf) failed: No such file or directory
Feb 24 09:02:46 thozza-pc dnssec-triggerd[1587]: [1587] error: cannot open /etc/resolv.conf: Permission denied
Feb 24 09:02:48 thozza-pc python[13665]: SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.
                                         
                                         *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
                                         
                                         If you want to allow dnssec-triggerd to have write access on the etc directory
                                         Then you need to change the label on /etc
                                         Do
                                         # semanage fcontext -a -t FILE_TYPE '/etc'
                                         where FILE_TYPE is one of the following: dnssec_trigger_var_run_t, net_conf_t, var_run_t. 
                                         Then execute: 
                                         restorecon -v '/etc'
                                         
                                         
                                         *****  Plugin catchall (17.1 confidence) suggests   **************************
                                         
                                         If you believe that dnssec-triggerd should be allowed write access on the etc directory by default.
                                         Then you should report this as a bug.
                                         You can generate a local policy module to allow this access.
                                         Do
                                         allow this access for now by executing:
                                         # grep dnssec-triggerd /var/log/audit/audit.log | audit2allow -M mypol
                                         # semodule -i mypol.pp


Expected results:
SELinux NOT preventing dnssec-triggerd to write to /etc/resolv.conf!

Additional info:

Comment 1 Fedora Update System 2015-02-25 20:13:00 UTC

selinux-policy-3.13.1-105.5.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.5.fc21

Comment 2 Fedora Update System 2015-02-27 09:25:13 UTC

Package selinux-policy-3.13.1-105.5.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.5.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2733/selinux-policy-3.13.1-105.5.fc21
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2015-03-06 22:28:17 UTC

selinux-policy-3.13.1-105.6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.6.fc21

Comment 4 Charles R. Anderson 2015-03-11 19:50:16 UTC

selinux-policy-3.13.1-105.6.fc21.noarch does NOT fix the problem for me.

Comment 5 Miroslav Grepl 2015-03-12 12:31:48 UTC

Lukas,
I don't see fixes for dnssec-triggerd

Comment 6 Lukas Vrabec 2015-03-16 17:17:39 UTC

You are right, sorry for that.
Fixed.

Comment 7 Fedora Update System 2015-03-21 04:50:21 UTC

selinux-policy-3.13.1-105.6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.