1210250 – SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.

Bug 1210250 - SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.

Summary: SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the dire...

Keywords:
Status:	CLOSED WORKSFORME
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1200996 1215376 (view as bug list)
Depends On:
Blocks:	dnssec Default_Local_DNS_Resolver
TreeView+	depends on / blocked

Reported:	2015-04-09 09:44 UTC by Tomáš Hozza
Modified:	2015-07-20 08:11 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-3.13.1-122.fc22
Clone Of:
Environment:
Last Closed:	2015-07-20 08:11:16 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tomáš Hozza 2015-04-09 09:44:30 UTC

Description of problem:
SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dnssec-triggerd to have write access on the etc directory
Then you need to change the label on /etc
Do
# semanage fcontext -a -t FILE_TYPE '/etc'
where FILE_TYPE is one of the following: dnssec_trigger_var_run_t, net_conf_t, var_run_t. 
Then execute: 
restorecon -v '/etc'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that dnssec-triggerd should be allowed write access on the etc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-triggerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc [ dir ]
Source                        dnssec-triggerd
Source Path                   /usr/sbin/dnssec-triggerd
Port                          <Unknown>
Host                          thozza-pc
Source RPM Packages           dnssec-trigger-0.12-19.fc21.x86_64
Target RPM Packages           filesystem-3.2-28.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-105.9.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     thozza-pc
Platform                      Linux thozza-pc 3.19.3-200.fc21.x86_64 #1 SMP Thu
                              Mar 26 21:39:42 UTC 2015 x86_64 x86_64
Alert Count                   165
First Seen                    2015-02-16 08:57:01 CET
Last Seen                     2015-04-09 08:51:44 CEST
Local ID                      5f809d20-9dc6-4edc-81f3-6199f4afba16

Raw Audit Messages
type=AVC msg=audit(1428562304.184:412): avc:  denied  { write } for  pid=1363 comm="dnssec-triggerd" name="etc" dev="dm-0" ino=3145729 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1428562304.184:412): arch=x86_64 syscall=open success=no exit=EACCES a0=7fadc6fc2480 a1=241 a2=1b6 a3=241 items=0 ppid=1 pid=1363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dnssec-triggerd exe=/usr/sbin/dnssec-triggerd subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)

Hash: dnssec-triggerd,dnssec_trigger_t,etc_t,dir,write


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-105.9.fc21.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
My system ends up without /etc/resolv.conf because dnssec-triggerd is not able to write it into /etc. libvirt dnsmasq instance is not able to provide DNS service to VMs as a consequence of this issue.

Expected results:
SELinux should finally allow dnssec-trigger to write /etc/resolv.conf!!!

Additional info:

Comment 1 Miroslav Grepl 2015-04-09 15:27:49 UTC

Tomas,
could you collect AVC msgs also from permissive mode?

Comment 2 Lukas Vrabec 2015-04-09 19:55:09 UTC

commit 06005bc0ac9370f93ba99e44d478e9930f3896c1
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 21:06:09 2015 +0200

    Allow dnssec_trigger_t to stream connect to networkmanager.

commit 2c3a0d6d02474851e2ffd711ae8fd5176003624e
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 19:35:47 2015 +0200

    Allow dnssec_trigger_t to create resolv files labeled as net_conf_t

commit cfb2997e16f7106c916c903d4aac2aa9102ba7bf
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 17:57:43 2015 +0200

    Label new dnssec-trigger files.

Comment 3 Lukas Vrabec 2015-04-09 20:01:34 UTC

Tomas, 
There is one more AVC. 
type=AVC msg=audit(1428608873.655:903): avc:  denied  { read } for  pid=31681 comm="dnssec-trigger-" name="/" dev="tmpfs" ino=14649 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

Could I dontaudit this? 

Thank you.

Comment 4 Miroslav Grepl 2015-04-10 09:30:57 UTC

It comes from dnsseec-trigger-script

..
..
..
stat("/etc/utmp", 0x7ffd9f0e07e0)       = -1 ENOENT (No such file or directory)
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=600, ...}) = 0
open("/tmp", O_RDONLY)                  = 7
read(7, 0x7ffd9f0e0870, 8192)           = -1 EISDIR (Is a directory)
close(7)                                = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/var/tmp", O_RDONLY)              = 7
read(7, 0x7ffd9f0e0870, 8192)           = -1 EISDIR (Is a directory)
close(7)                                = 0
stat("/usr/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/usr/tmp", O_RDONLY)

Comment 7 Tomáš Hozza 2015-07-14 09:11:42 UTC

(In reply to Lukas Vrabec from comment #3)
> Tomas, 
> There is one more AVC. 
> type=AVC msg=audit(1428608873.655:903): avc:  denied  { read } for 
> pid=31681 comm="dnssec-trigger-" name="/" dev="tmpfs" ino=14649
> scontext=system_u:system_r:dnssec_trigger_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
> 
> Could I dontaudit this? 
> 
> Thank you.

I think it is not needed. With the recent changes in dnssec-trigger-script and with selinux-policy-3.13.1-128.4.fc22.noarch I'm not seeing any issues related to this.

Can we then take this bug as fixed and close it?

Comment 8 Tomáš Hozza 2015-07-15 13:18:51 UTC

*** Bug 1200996 has been marked as a duplicate of this bug. ***

Comment 9 Tomáš Hozza 2015-07-15 13:24:50 UTC

*** Bug 1215376 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2015-07-20 08:11:16 UTC

yes. 
Closing for now.

Note You need to log in before you can comment on or make changes to this bug.