Bug 1293140 - SELinux policy changes to make NSD4 work
SELinux policy changes to make NSD4 work
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
: 1302951 (view as bug list)
Depends On:
Blocks: 1311294
  Show dependency treegraph
 
Reported: 2015-12-20 11:02 EST by Fabio Alessandro Locati
Modified: 2016-11-03 22:26 EDT (History)
12 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-69.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 22:26:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to add necessary changes for nsd-4.x (2.89 KB, patch)
2015-12-27 04:36 EST, Tuomo Soini
no flags Details | Diff

  None (edit)
Description Fabio Alessandro Locati 2015-12-20 11:02:08 EST
Description of problem:
NSD4 (http://koji.fedoraproject.org/koji/buildinfo?buildID=706713) requires some changes to selinux-policy.

To make NSD4 work properly, I've executed the following commands:


chcon -t nsd_exec_t /sbin/nsd-checkconf
chcon -t nsd_exec_t /sbin/nsd-checkzone
chcon -t nsd_exec_t /sbin/nsd-control  
chcon -t nsd_exec_t /sbin/nsd-control-setup


and created (thanks to audit2policy) the following policy:


module mypol 1.0;

require {
	type tmp_t;
	type nsd_t;
	class capability net_admin;
	class dir { write create add_name };
	class file { write create open };
}

#============= nsd_t ==============
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };


with those changes, it works
Comment 2 Tuomo Soini 2015-12-27 04:33:51 EST
These avc's you list are not all because of nsd4 package problems (nsd-control not enabled).

For nsd-control I added following:

b/policy/modules/kernel/corenetwork.te.in

 network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
+network_port(nsd_control, tcp,8952,s0)
 network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
Comment 3 Tuomo Soini 2015-12-27 04:36 EST
Created attachment 1109788 [details]
Patch to add necessary changes for nsd-4.x
Comment 4 Fabio Alessandro Locati 2015-12-27 05:21:30 EST
I can confirm it. I've patched just two days ago to enable the nsd_control port
Comment 5 Fabio Alessandro Locati 2015-12-27 05:23:35 EST
PS: Probably all files .zone in /etc/nsd should be considered zone files
Comment 6 Tuomo Soini 2016-01-04 12:04:24 EST
Did my patch and copy-paste from cornetwork.te.in change include everything necessary for adding nsd-4.x support?
Comment 7 Milos Malik 2016-01-29 02:12:13 EST
Following lines are present in /etc/nsd/nsd.conf file:

	# log messages to file. Default to stderr and syslog (with
	# logfile: "/var/log/nsd.log"
	# statistics are produced every number of seconds. Prints to log.
	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

After uncommenting of the "logfile:" line, the automated TC triggers yet another SELinux denial in enforcing mode:
----
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=1 name=/var/log/nsd.log objtype=CREATE 
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=0 name=/var/log/ inode=16777373 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT 
type=CWD msg=audit(01/29/2016 08:04:25.419:215) :  cwd=/etc/nsd 
type=SYSCALL msg=audit(01/29/2016 08:04:25.419:215) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8a132985c8 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=13538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nsd exe=/usr/sbin/nsd subj=system_u:system_r:nsd_t:s0 key=(null) 
type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc:  denied  { write } for  pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir 
----

It happens because selinux-policy does not define a type for nsd log files:

# seinfo -t | grep ' nsd'
   nsd_var_run_t
   nsd_exec_t
   nsd_zone_t
   nsd_crond_t
   nsd_conf_t
   nsd_t
# semanage fcontext -l | grep log/nsd
#
Comment 8 Milos Malik 2016-01-29 02:15:38 EST
SELinux denials caught in permissive mode when repeating what's described in comment#7:
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:275): item=1 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=CREATE
type=PATH msg=audit(1454051559.334:275): item=0 name="/var/log/" inode=16777373 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(1454051559.334:275):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:275): arch=c000003e syscall=2 success=yes exit=3 a0=7f94005105c8 a1=441 a2=1b6 a3=24 items=2 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:275): avc:  denied  { open } for  pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { create } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { add_name } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:275): avc:  denied  { write } for  pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:276): item=0 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=CWD msg=audit(1454051559.334:276):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:276): arch=c000003e syscall=92 success=yes exit=0 a0=7f94005105c8 a1=383 a2=376 a3=1 items=1 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:276): avc:  denied  { setattr } for  pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
Comment 9 Tuomo Soini 2016-01-29 02:42:48 EST
As normal, all combinations were not tested. I don't use log to file so I haven't hit that one. My fixes were to get nsd-4.x working with out of the box config.
Comment 10 Mike McCune 2016-03-28 18:59:28 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 11 Dag-Erling Smørgrav 2016-04-07 05:18:49 EDT
The new package does not seem to be available on RHN yet.  When will it be published?  Until then, is there any way to download and install it manually?
Comment 15 Miroslav Grepl 2016-04-28 10:13:13 EDT
*** Bug 1302951 has been marked as a duplicate of this bug. ***
Comment 16 Dag-Erling Smørgrav 2016-09-27 10:27:08 EDT
Still waiting for word on when I can expect this fix to be published.  My RHEL7 systems have 3.13.1-60.9, with no mention of this bug in the changelog.
Comment 17 Milos Malik 2016-09-27 13:00:48 EDT
Your systems most likely have selinux-policy-3.13.1-60.el7_2.9 but the fix is present in selinux-policy-3.13.1-69.el7 which will be part of RHEL-7.3.
Comment 19 errata-xmlrpc 2016-11-03 22:26:28 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.