Bug 1297737 - selinux-policy for nsd fails to handle xfr-dir permissions
selinux-policy for nsd fails to handle xfr-dir permissions
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-12 05:54 EST by Sten Spans
Modified: 2016-04-28 09:19 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-28 09:19:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sten Spans 2016-01-12 05:54:11 EST
Description of problem:
Running NSD on centos-7 with selinux enabled doesn't work because writes to /tmp
for the default xfr-dir setting are not allowed.

Version-Release number of selected component (if applicable):

nsd-4.1.7-3.el7.x86_64

How reproducible:
Enable selinux, install NSD, start nsd


Steps to Reproduce:
1.
2.
3.

Actual results:

Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: Starting NSD DNS Server...
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: mkdir /tmp/nsd-xfr-8185 failed: Permission denied
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: /tmp/nsd-xfr-8185/nsd.8185.task.0: No such file or directory
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: nsd.service: main process exited, code=exited, status=1/FAILURE

And in audit.log:
type=AVC msg=audit(1452525158.267:905): avc:  denied  { write } for  pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc:  denied  { add_name } for  pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc:  denied  { create } for  pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Expected results:


Additional info:

I was able to get NSD running with the following local policy:

policy_module(nsd-xfr, 1.0)

require {
        type nsd_t;
};

# temp files
type nsd_tmp_t;
files_tmp_file(nsd_tmp_t)

# Allow nsd to create and use temp files and dirs
manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
Comment 1 Fabio Alessandro Locati 2016-02-09 05:54:26 EST
It seems to me that this is a selinux policy bug.
Comment 3 Miroslav Grepl 2016-04-28 09:19:05 EDT
We have fixes in the latest RHEL. You can go with the local policy for now.

Thank you.

Note You need to log in before you can comment on or make changes to this bug.