Bug 1293140 - SELinux policy changes to make NSD4 work
Summary: SELinux policy changes to make NSD4 work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1302951
Depends On:
Blocks: 1311294
Reported: 2015-12-20 16:02 UTC by Fabio Alessandro Locati
Modified: 2019-12-16 05:12 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.13.1-69.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:26:28 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to add necessary changes for nsd-4.x (2.89 KB, patch)
2015-12-27 09:36 UTC, Tuomo Soini


Links
Red Hat Product Errata RHBA-2016:2283 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2016-11-03 13:36:25 UTC

Description Fabio Alessandro Locati 2015-12-20 16:02:08 UTC
Description of problem:
NSD4 (http://koji.fedoraproject.org/koji/buildinfo?buildID=706713) requires some changes to selinux-policy.

To make NSD4 work properly, I've executed the following commands:


chcon -t nsd_exec_t /sbin/nsd-checkconf
chcon -t nsd_exec_t /sbin/nsd-checkzone
chcon -t nsd_exec_t /sbin/nsd-control  
chcon -t nsd_exec_t /sbin/nsd-control-setup


and created (thanks to audit2policy) the following policy:


module mypol 1.0;

require {
	type tmp_t;
	type nsd_t;
	class capability net_admin;
	class dir { write create add_name };
	class file { write create open };
}

#============= nsd_t ==============
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };


With those changes, it works.

Comment 2 Tuomo Soini 2015-12-27 09:33:51 UTC
These AVCs you list are not all because of nsd4 package problems (nsd-control not enabled).

For nsd-control I added the following:

b/policy/modules/kernel/corenetwork.te.in

 network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
+network_port(nsd_control, tcp,8952,s0)
 network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
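Review bot: the port declaration on its own grants nothing. `network_port(nsd_control, tcp,8952,s0)` creates `nsd_control_port_t` and the generated `corenet_tcp_bind_nsd_control_port()` / `corenet_tcp_connect_nsd_control_port()` interfaces, but nothing in this snippet calls them from nsd.te, so nsd_t still cannot bind tcp/8952 and the domain that nsd-control runs in still cannot connect to it. Pair this declaration with the bind call for nsd_t (and a connect call for the control client), and after `semodule -i` confirm the label with `semanage port -l | grep nsd_control`. Note also that the snippet has no `@@` hunk header and no `a/` side, so it documents the change rather than applying with `patch -p1`.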

Comment 3 Tuomo Soini 2015-12-27 09:36:56 UTC
Created attachment 1109788 [details]
Patch to add necessary changes for nsd-4.x

Comment 4 Fabio Alessandro Locati 2015-12-27 10:21:30 UTC
I can confirm it. I patched it just two days ago to enable the nsd_control port.

Comment 5 Fabio Alessandro Locati 2015-12-27 10:23:35 UTC
PS: Probably all .zone files in /etc/nsd should be considered zone files.

Comment 6 Tuomo Soini 2016-01-04 17:04:24 UTC
Did my patch and copy-paste from corenetwork.te.in include everything necessary for adding nsd-4.x support?

Comment 7 Milos Malik 2016-01-29 07:12:13 UTC
The following lines are present in the /etc/nsd/nsd.conf file:

	# log messages to file. Default to stderr and syslog (with
	# logfile: "/var/log/nsd.log"
	# statistics are produced every number of seconds. Prints to log.
	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

After uncommenting the "logfile:" line, the automated TC triggers yet another SELinux denial in enforcing mode:
----
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=1 name=/var/log/nsd.log objtype=CREATE 
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=0 name=/var/log/ inode=16777373 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT 
type=CWD msg=audit(01/29/2016 08:04:25.419:215) :  cwd=/etc/nsd 
type=SYSCALL msg=audit(01/29/2016 08:04:25.419:215) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8a132985c8 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=13538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nsd exe=/usr/sbin/nsd subj=system_u:system_r:nsd_t:s0 key=(null) 
type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc:  denied  { write } for  pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir 
----

It happens because selinux-policy does not define a type for nsd log files:

# seinfo -t | grep ' nsd'
   nsd_var_run_t
   nsd_exec_t
   nsd_zone_t
   nsd_crond_t
   nsd_conf_t
   nsd_t
# semanage fcontext -l | grep log/nsd
#

Comment 8 Milos Malik 2016-01-29 07:15:38 UTC
SELinux denials caught in permissive mode when repeating what's described in comment#7:
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:275): item=1 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=CREATE
type=PATH msg=audit(1454051559.334:275): item=0 name="/var/log/" inode=16777373 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(1454051559.334:275):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:275): arch=c000003e syscall=2 success=yes exit=3 a0=7f94005105c8 a1=441 a2=1b6 a3=24 items=2 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:275): avc:  denied  { open } for  pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { create } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { add_name } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:275): avc:  denied  { write } for  pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:276): item=0 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=CWD msg=audit(1454051559.334:276):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:276): arch=c000003e syscall=92 success=yes exit=0 a0=7f94005105c8 a1=383 a2=376 a3=1 items=1 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:276): avc:  denied  { setattr } for  pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
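
The denials in comments 7 and 8, and the audit2allow module in the description, show the same trap: audit2allow will happily print `allow nsd_t var_log_t:file { create open setattr };` (or the `tmp_t` rules in the description), and that rule hands the daemon every file carrying that label, not just its own. The proper fix, as comment 7 says, is a dedicated type. The script below is an added example, not code from this bug or from selinux-policy: it parses raw auditd and `ausearch -i` AVC records, collapses them into the allow rules audit2allow would emit, and flags rules whose target is a catch-all type. The sample AVC lines are copied from comments 7 and 8; the TE text is the module from the description; the GENERIC_TYPES list is an assumption and should be extended for your own policy.

```python
"""Group SELinux AVC denials into allow rules and flag over-broad targets.

Added example for bug 1293140, not code from selinux-policy or from the
reporters. Sample input: the AVC records from comments 7 and 8 and the
audit2allow module from the description.
"""
import re
from collections import defaultdict

# Catch-all object types (assumed list, extend as needed). Allowing a domain
# to write one of these grants it every object with that label: all of
# /var/log for var_log_t, all of /tmp for tmp_t. The policy fix is a private
# type (nsd_log_t, nsd_tmp_t) plus a filetrans rule, not the audit2allow rule.
GENERIC_TYPES = {"var_log_t", "tmp_t", "var_run_t", "var_lib_t", "var_t", "etc_t"}

# Matches both raw auditd lines (comment 8) and `ausearch -i` output (comment 7).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Matches `allow src tgt:class perm;` and `allow src tgt:class { p1 p2 };`.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;",
    re.MULTILINE,
)

# Copied from comments 7 and 8 of the bug (one ausearch -i line, five raw lines).
COMMENT_7_AND_8_AVCS = [
    'type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc:  denied  { write } for  pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { open } for  pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { create } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { add_name } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { write } for  pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1454051559.334:276): avc:  denied  { setattr } for  pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    # A non-AVC record from the same event; the parser must skip it.
    'type=CWD msg=audit(1454051559.334:276):  cwd="/etc/nsd"',
]

# The audit2allow module from the bug description.
DESCRIPTION_TE = """
module mypol 1.0;
require {
	type tmp_t;
	type nsd_t;
	class capability net_admin;
	class dir { write create add_name };
	class file { write create open };
}
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };
"""


def _type_of(ctx):
    """'system_u:object_r:var_log_t:s0' -> 'var_log_t'."""
    return ctx.split(":")[2]


def parse_avcs(lines):
    """Group denials as {(source type, target type, class): set(perms)}."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # PATH/SYSCALL/CWD records carry no access decision
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def to_allow_rules(grouped):
    """Render the groups as TE allow statements (what audit2allow prints)."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def overbroad_targets(grouped):
    """Generic target types among the denials: candidates for a private type."""
    return sorted({tgt for (_, tgt, _) in grouped if tgt in GENERIC_TYPES})


def overbroad_in_te(te_source):
    """The same check applied to an already-written module."""
    hits = {m["tgt"] for m in ALLOW_RE.finditer(te_source) if m["tgt"] in GENERIC_TYPES}
    return sorted(hits)


def report(lines):
    """Rules audit2allow would emit, followed by a warning per catch-all target."""
    grouped = parse_avcs(lines)
    out = to_allow_rules(grouped)
    for tgt in overbroad_targets(grouped):
        out.append(f"# WARNING: {tgt} is a catch-all type; use a private type + filetrans")
    return out


if __name__ == "__main__":
    print("\n".join(report(COMMENT_7_AND_8_AVCS)))
    print("over-broad targets in the description's module:", overbroad_in_te(DESCRIPTION_TE))
```

Run against the bug's own records it prints the two `var_log_t` rules audit2allow would generate and warns that `var_log_t` is a catch-all; run against the description's module it flags `tmp_t` for the same reason. The warning is the cue to write a `type nsd_log_t;` with `logging_log_file()` and a filetrans rule for `nsd.log`, and to persist labels with `semanage fcontext` rather than the `chcon` calls in the description, which do not survive a relabel.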

Comment 9 Tuomo Soini 2016-01-29 07:42:48 UTC
As usual, not all combinations were tested. I don't use log to file so I haven't hit that one. My fixes were to get nsd-4.x working with an out-of-the-box config.

Comment 10 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 11 Dag-Erling Smørgrav 2016-04-07 09:18:49 UTC
The new package does not seem to be available on RHN yet.  When will it be published?  Until then, is there any way to download and install it manually?

Comment 15 Miroslav Grepl 2016-04-28 14:13:13 UTC
*** Bug 1302951 has been marked as a duplicate of this bug. ***

Comment 16 Dag-Erling Smørgrav 2016-09-27 14:27:08 UTC
Still waiting for word on when I can expect this fix to be published.  My RHEL7 systems have 3.13.1-60.9, with no mention of this bug in the changelog.

Comment 17 Milos Malik 2016-09-27 17:00:48 UTC
Your systems most likely have selinux-policy-3.13.1-60.el7_2.9 but the fix is present in selinux-policy-3.13.1-69.el7 which will be part of RHEL-7.3.

Comment 19 errata-xmlrpc 2016-11-04 02:26:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

