1213573 – SELinux and dnssec-triggerd

Bug 1213573 - SELinux and dnssec-triggerd

Summary: SELinux and dnssec-triggerd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Default_Local_DNS_Resolver
TreeView+	depends on / blocked

Reported:	2015-04-20 20:01 UTC by Petr Lautrbach
Modified:	2015-07-15 14:15 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.13.1-126.fc23
Clone Of:
Environment:
Last Closed:	2015-07-15 13:22:53 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Petr Lautrbach 2015-04-20 20:01:56 UTC

Description of problem:

----
time->Mon Apr 20 21:31:06 2015
type=PROCTITLE msg=audit(1429558266.551:1381): proctitle=636861747472002D69002F6574632F7265736F6C762E636F6E66
type=SYSCALL msg=audit(1429558266.551:1381): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=40086602 a2=7ffe014bd13c a3=7f8aa9c488f0 items=0 ppid=23116 pid=23143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chattr" exe="/usr/bin/chattr" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1429558266.551:1381): avc:  denied  { setattr } for  pid=23143 comm="chattr" path="/etc/resolv.conf" dev="dm-2" ino=2753989 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 21:31:06 2015
type=PROCTITLE msg=audit(1429558266.552:1382): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F646E737365632D747269676765722D736372697074002D2D70726570617265
type=PATH msg=audit(1429558266.552:1382): item=1 name="/etc/resolv.conf" inode=2753989 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=DELETE
type=PATH msg=audit(1429558266.552:1382): item=0 name="/etc/" inode=2752513 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT
type=CWD msg=audit(1429558266.552:1382):  cwd="/"
type=SYSCALL msg=audit(1429558266.552:1382): arch=c000003e syscall=87 success=yes exit=0 a0=7f9eaa8c57f8 a1=bf a2=7f9eb8a0e380 a3=7fffb63f1d90 items=2 ppid=1 pid=23116 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnssec-trigger-" exe="/usr/bin/python3.4" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1429558266.552:1382): avc:  denied  { unlink } for  pid=23116 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=2753989 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 21:31:06 2015
type=PROCTITLE msg=audit(1429558266.673:1383): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F646E737365632D747269676765722D736372697074002D2D757064617465
type=PATH msg=audit(1429558266.673:1383): item=1 name="/var/run/dnssec-trigger/lock" inode=325230 dev=00:13 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=NORMAL
type=PATH msg=audit(1429558266.673:1383): item=0 name="/var/run/dnssec-trigger/" inode=320242 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1429558266.673:1383):  cwd="/"
type=SYSCALL msg=audit(1429558266.673:1383): arch=c000003e syscall=2 success=yes exit=7 a0=7f4ac408de50 a1=80041 a2=180 a3=7ffc39466600 items=2 ppid=1 pid=23148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnssec-trigger-" exe="/usr/bin/python3.4" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1429558266.673:1383): avc:  denied  { write } for  pid=23148 comm="dnssec-trigger-" name="lock" dev="tmpfs" ino=325230 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 21:31:06 2015
type=PROCTITLE msg=audit(1429558266.925:1384): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F646E737365632D747269676765722D736372697074002D2D757064617465
type=PATH msg=audit(1429558266.925:1384): item=1 name="/var/run/dnssec-trigger/servers.tmp" inode=359201 dev=00:13 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=CREATE
type=PATH msg=audit(1429558266.925:1384): item=0 name="/var/run/dnssec-trigger/" inode=320242 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1429558266.925:1384):  cwd="/"
type=SYSCALL msg=audit(1429558266.925:1384): arch=c000003e syscall=2 success=yes exit=8 a0=7f4ac40970e0 a1=80241 a2=1b6 a3=0 items=2 ppid=1 pid=23148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnssec-trigger-" exe="/usr/bin/python3.4" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1429558266.925:1384): avc:  denied  { create } for  pid=23148 comm="dnssec-trigger-" name="servers.tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 21:31:06 2015
type=PROCTITLE msg=audit(1429558266.925:1385): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F646E737365632D747269676765722D736372697074002D2D757064617465
type=PATH msg=audit(1429558266.925:1385): item=4 name="/var/run/dnssec-trigger/servers" inode=359201 dev=00:13 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=CREATE
type=PATH msg=audit(1429558266.925:1385): item=3 name="/var/run/dnssec-trigger/servers" inode=358542 dev=00:13 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=DELETE
type=PATH msg=audit(1429558266.925:1385): item=2 name="/var/run/dnssec-trigger/servers.tmp" inode=359201 dev=00:13 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=DELETE
type=PATH msg=audit(1429558266.925:1385): item=1 name="/var/run/dnssec-trigger/" inode=320242 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=PARENT
type=PATH msg=audit(1429558266.925:1385): item=0 name="/var/run/dnssec-trigger/" inode=320242 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:dnssec_trigger_var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1429558266.925:1385):  cwd="/"
type=SYSCALL msg=audit(1429558266.925:1385): arch=c000003e syscall=82 success=yes exit=0 a0=7f4ac40970e0 a1=7f4ac40956d0 a2=7f4ad21d7380 a3=7ffc39466830 items=5 ppid=1 pid=23148 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dnssec-trigger-" exe="/usr/bin/python3.4" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1429558266.925:1385): avc:  denied  { rename } for  pid=23148 comm="dnssec-trigger-" name="servers.tmp" dev="tmpfs" ino=359201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-124.fc23.noarch
dnssec-trigger-0.12-20.fc23.x86_64


Steps to Reproduce:
1. connect to some vpn
2. systemctl start dnssec-triggerd.service
3.

Comment 1 Lukas Vrabec 2015-04-21 09:08:09 UTC

commit 6f9c23cf063a8fb99dc8ff1b3cdf97833d16c3cc
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 21 10:49:30 2015 +0200

    Allow dnssec-trigger to send sigchld to networkmanager

commit 7a76e4fc98daffd547fc706eb392cf3d02d8ebb1
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 21 10:47:20 2015 +0200

    add interface networkmanager_sigchld

commit f1a97f5b374bcec01dd31fdb70ddfd72855c645c
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 21 10:00:13 2015 +0200

    Add dnssec-trigger unit file
    Label dnssec-trigger script in libexec

Comment 2 Tomáš Hozza 2015-07-15 13:22:53 UTC

This change seems to be already in F22 stable

Comment 3 Jan Kurik 2015-07-15 14:15:35 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Note You need to log in before you can comment on or make changes to this bug.