Bug 1302951 - NSD selinux module policy
NSD selinux module policy
Status: CLOSED DUPLICATE of bug 1293140
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-29 01:20 EST by Manish Saxena
Modified: 2016-09-20 00:27 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-28 10:13:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Manish Saxena 2016-01-29 01:20:27 EST
Description of problem:

Red Hat Enterprise Linux ship selinux-policy-targeted package wich have "nsd" selinux policy module. This module work fine for NSD version 3. But not for NSD version 4.

use NSD dns software (http://www.nlnetlabs.nl/projects/nsd/)

When trying to start daemon it fails

Please, update nsd selinux policy module to support nsd-4 which ships from EPEL (nsd-4.1.7)

# systemctl start nsd

# systemctl status nsd
● nsd.service - NSD DNS Server
   Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-01-27 16:05:23 MSK; 3s ago
  Process: 14770 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state (code=exited, status=0/SUCCESS)
  Process: 14768 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS (code=exited, status=1/FAILURE)
 Main PID: 14768 (code=exited, status=1/FAILURE)


# semodule -vl|grep nsd
nsd     1.8.0


# grep denied /var/log/audit/audit.log|grep nsd|audit2allow


#============= nsd_t ==============
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow nsd_t unreserved_port_t:tcp_socket name_bind;
Version-Release number of selected component (if applicable):


How reproducible:
Everytime

Steps to Reproduce:
1.Install nsd from EPEL
2.
# systemctl start nsd

# systemctl status nsd
● nsd.service - NSD DNS Server
   Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-01-27 16:05:23 MSK; 3s ago
  Process: 14770 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state (code=exited, status=0/SUCCESS)
  Process: 14768 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS (code=exited, status=1/FAILURE)
 Main PID: 14768 (code=exited, status=1/FAILURE)


Actual results:
Unable to start

Expected results:
Should start

Additional info:

$ more audit.log | grep 1453899923
type=AVC msg=audit(1453899923.514:191346): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12  scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191347): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12  scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191348): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12  scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191349): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12  scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.516:191350): avc:  denied  { name_bind } for  pid=14768 comm="nsd" src=8952 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Comment 2 Milos Malik 2016-01-29 01:58:13 EST
I believe that this bug is a duplicate of BZ#1293140.
Comment 3 Miroslav Grepl 2016-04-28 10:13:13 EDT

*** This bug has been marked as a duplicate of bug 1293140 ***

Note You need to log in before you can comment on or make changes to this bug.