1240193 – /etc/resolv.conf relabel issue

Bug 1240193 - /etc/resolv.conf relabel issue

Summary: /etc/resolv.conf relabel issue

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	Default_Local_DNS_Resolver
TreeView+	depends on / blocked

Reported:	2015-07-06 07:40 UTC by Matthias Runge
Modified:	2015-07-30 13:54 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-3.13.1-128.8.fc22
Clone Of:
Environment:
Last Closed:	2015-07-30 13:54:48 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Matthias Runge 2015-07-06 07:40:50 UTC

Description of problem:

I followed https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#Option_1_-_Use_experimental_implementation_available_in_Fedora_20_and_newer

and got:

SELinux is preventing dnssec-trigger- from relabelfrom access on the file /etc/resolv.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dnssec-trigger- should be allowed relabelfrom access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-trigger- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        dnssec-trigger-
Source Path                   dnssec-trigger-
Port                          <Unknown>
Host                          sofja.berg.ol
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.4.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sofja.berg.ol
Platform                      Linux sofja.berg.ol 4.0.7-300.fc22.x86_64 #1 SMP
                              Mon Jun 29 22:15:06 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-07-06 09:29:29 CEST
Last Seen                     2015-07-06 09:29:29 CEST
Local ID                      e728a93c-aff1-456e-bd9b-7fe80ec571ec

Raw Audit Messages
type=AVC msg=audit(1436167769.30:593): avc:  denied  { relabelfrom } for  pid=4802 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0

Comment 1 Matthias Runge 2015-07-06 07:41:46 UTC

dnssec-trigger-0.12-20.fc22.x86_64
selinux-policy-3.13.1-128.4.fc22.noarch

Comment 2 Tomáš Hozza 2015-07-07 08:50:43 UTC

dnssec-trigger creates new resolv.conf with different name and then renames it to cope with possible issues if the resolv.conf is a symlink. I think that SELinux should allow dnssec-trigger to do that.

Also the SELinux reports in general could be more verbose, since most of the time I'm having a hard time understanding what actually happened.

Moving to selinux-policy.

Comment 3 Lukas Vrabec 2015-07-07 20:04:43 UTC

Hi Tomas, 
Could you reproduce this issue in permissive mode? 
Thank you!

Comment 4 Tomáš Hozza 2015-07-08 10:54:02 UTC

(In reply to Lukas Vrabec from comment #3)
> Hi Tomas, 
> Could you reproduce this issue in permissive mode? 
> Thank you!

I'm not sure if I'll be able to. Setting NEEDINFO on the reporter...

Comment 5 Lukas Vrabec 2015-07-08 11:36:39 UTC

OK, I need all AVCS to fix in in one step.

Comment 6 Matthias Runge 2015-07-09 06:00:09 UTC

Yesterday, I relabeled my file system; system install was a fresh f22 install. I can not reproduce the issue any more.

Sorry for the noise.

Comment 7 Matthias Runge 2015-07-13 06:14:14 UTC

That's what I got in /var/log/audit/audit.log
with selinux permissive.

type=AVC msg=audit(1436767937.298:612): avc:  denied  { relabelfrom } for  pid=4215 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=62737 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1

Comment 8 Tomáš Hozza 2015-07-13 11:02:50 UTC

(In reply to Matthias Runge from comment #7)
> That's what I got in /var/log/audit/audit.log
> with selinux permissive.
> 
> type=AVC msg=audit(1436767937.298:612): avc:  denied  { relabelfrom } for 
> pid=4215 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs"
> ino=62737 scontext=system_u:system_r:dnssec_trigger_t:s0
> tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file
> permissive=1

dnssec-trigger when started, it backs up the current /etc/resolv.conf before rewriting it. When restarted or stopped it tries to restore the old resolv.conf from /var/run/dnssec-trigger/resolv.conf.backup.

This looks like the situation I just described ~ restoring the resolv.conf

Comment 11 Lukas Vrabec 2015-07-13 11:33:34 UTC

commit 8d6bc7574ab1b82892e98a425e4f5e64bad28909
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 13 13:23:16 2015 +0200

    Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.

Comment 12 Miroslav Grepl 2015-07-14 09:05:53 UTC

Tomas,
could you try to reproduce it with

#setenforce 1
#setenforce 0

re-test it and

# ausearch -m avc -ts recent

Comment 13 Matthias Runge 2015-07-14 09:49:10 UTC

After 
systemctl restart unbound, I got:

ausearch -m avc -ts recent
----
time->Tue Jul 14 11:48:12 2015
type=AVC msg=audit(1436867292.109:725): avc:  denied  { relabelfrom } for  pid=16775 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:12 2015
type=AVC msg=audit(1436867292.109:726): avc:  denied  { relabelto } for  pid=16775 comm="dnssec-trigger-" name="resolv.conf" dev="dm-2" ino=1311278 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:15 2015
type=AVC msg=audit(1436867295.505:732): avc:  denied  { relabelfrom } for  pid=16990 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=162817 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1
----
time->Tue Jul 14 11:48:15 2015
type=AVC msg=audit(1436867295.505:733): avc:  denied  { relabelto } for  pid=16990 comm="dnssec-trigger-" name="resolv.conf.backup" dev="tmpfs" ino=162817 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=1

Comment 14 Fedora Update System 2015-07-21 15:46:13 UTC

selinux-policy-3.13.1-128.8.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.8.fc22

Comment 15 Fedora Update System 2015-07-29 01:45:29 UTC

Package selinux-policy-3.13.1-128.8.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.8.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11989/selinux-policy-3.13.1-128.8.fc22
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2015-07-30 13:54:48 UTC

selinux-policy-3.13.1-128.8.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.