Description of problem:
The latest technical preview of PowerDNS 4.0.0 alpha 1 fails to start if selinux is set to enforcing.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-169.fc24.noarch
pdns-4.0.0-0.2.alpha1.fc24.x86_64

How reproducible:
1. yum install pdns
2. systemctl start pdns

Actual results:

/var/log/messages
Feb 8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb 8 14:46:03 fc24 audit: AVC avc: denied { mounton } for pid=1873 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb 8 14:46:03 fc24 audit: AVC avc: denied { execute_no_trans } for pid=1873 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb 8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb 8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb 8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb 8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.
Feb 8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 8 14:46:03 fc24 systemd: pdns.service: Failed with result 'exit-code'.
Feb 8 14:46:03 fc24 systemd: pdns.service: Service hold-off time over, scheduling restart.
Feb 8 14:46:03 fc24 systemd: Stopped PowerDNS Authoritative Server.
Feb 8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 8 14:46:03 fc24 audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb 8 14:46:03 fc24 audit: AVC avc: denied { mounton } for pid=1881 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb 8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb 8 14:46:03 fc24 audit: AVC avc: denied { execute_no_trans } for pid=1881 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb 8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb 8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb 8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb 8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.

/var/log/audit/audit.log
type=AVC msg=audit(1454939349.865:438): avc: denied { mounton } for pid=2008 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939349.866:439): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939349.866:440): avc: denied { execute_no_trans } for pid=2008 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939349.871:441): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.082:442): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.082:443): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.098:444): avc: denied { mounton } for pid=2013 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.099:445): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.099:446): avc: denied { execute_no_trans } for pid=2013 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.104:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.332:448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.332:449): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.347:450): avc: denied { mounton } for pid=2020 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.348:451): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.348:452): avc: denied { execute_no_trans } for pid=2020 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.353:453): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.582:454): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.582:455): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1454939350.605:456): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.605:457): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Update: pdns fails to start with "NoNewPrivileges=true" if selinux is set to enforcing. If I remove "NoNewPrivileges=true" from the systemd unit file pdns starts fine...
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
We have seen similar issues to this using docker and prctl(NO_NEW_PRIVS). To make this work we need to change SELinux policy to do something like:

typebounds init_t pdns_t;
allow init_t pdns_exec_t:file entrypoint;

NO_NEW_PRIVS is preventing SELinux transitioning unless the parent process bounds the lower process; in this case init_t has to have all of the access in pdns_exec_t.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
Any news here? I have tested it with the latest selinux-policy (rawhide) and the error still exists if I set NoNewPrivileges=true in the systemd unit file.

type=SELINUX_ERR msg=audit(1508071664.780:538): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508071664.780:539): avc: denied { map } for pid=2834 comm="pdns_server" path="/usr/sbin/pdns_server" dev="dm-0" ino=1444669 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0

It would be great to get an update for this issue.
I added fixes to the github selinux-policy repo. They should be included in the next selinux-policy Rawhide and F27 update.
(In reply to Lukas Vrabec from comment #6)
> I added fixes to the github selinux-policy repo. They should be included in the
> next selinux-policy Rawhide and F27 update.

Thank you. I tried the latest selinux-policy package, but I still got these errors:

# rpm -q selinux-policy
selinux-policy-3.13.1-297.fc28.noarch

type=AVC msg=audit(1508506948.449:4773): avc: denied { nnp_transition } for pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc: denied { map } for pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=ANOM_ABEND msg=audit(1508506948.450:4776): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=27417 comm="pdns_server" exe="/usr/sbin/pdns_server" sig=11 res=1

Maybe the fix in selinux-policy-3.13.1-297 is not enough?
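A small triage helper for the failure pattern discussed in this thread (an added example; it is not code from the bug report, from PowerDNS or from the selinux-policy project). It reads audit records such as the ones quoted above, recognises the shape of the problem described in the typebounds comment (a denied security_bounded_transition from init_t, followed by execute_no_trans or map denials on the daemon's *_exec_t file while the process is still in init_t) together with the nnp_transition denial on process2 shown in this comment, names the domains involved, and checks whether a unit file turns on NoNewPrivileges. The sample records and the unit fragment are constructed from the lines quoted in this bug; the function names are the example's own.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report, PowerDNS or selinux-policy.
# Input: audit records (the ones pasted in this bug, or the output of
#   ausearch -m AVC,SELINUX_ERR -ts recent) and a systemd unit file.
# Pattern recognised, taken from the records in this thread:
#   SELINUX_ERR op=security_bounded_transition seresult=denied   (init_t -> pdns_t)
#   AVC denied { nnp_transition } ... tclass=process2            (newer policy/kernel)
#   AVC denied { execute_no_trans } or { map } on *_exec_t file  (still running as init_t)

# Constructed sample: the three records quoted in the comment above.
SAMPLE_AUDIT='type=AVC msg=audit(1508506948.449:4773): avc: denied { nnp_transition } for pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc: denied { map } for pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0'

# Constructed unrelated denial, used to show the negative case.
OTHER_AVC='type=AVC msg=audit(1508506999.000:5000): avc: denied { read } for pid=1 comm="foo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Constructed unit fragment matching the reporter's description.
SAMPLE_UNIT='[Service]
ExecStart=/usr/sbin/pdns_server
NoNewPrivileges=true'

# ctx_type KEY RECORD: print the type (third field) of the context named KEY.
ctx_type() {
    printf '%s\n' "$2" | sed -n "s/.*$1=[^:]*:[^:]*:\([^:]*\):.*/\1/p"
}

# nnp_transition_failure AUDIT_TEXT
# On a match prints "OLD -> NEW via EXEC_TYPE (nnp_transition denied: yes|no)"
# and returns 0; returns 1 when the records do not show the pattern.
nnp_transition_failure() {
    audit=$1
    bounded=$(printf '%s\n' "$audit" \
        | grep 'op=security_bounded_transition' | grep 'seresult=denied' | head -n 1)
    [ -n "$bounded" ] || return 1
    old=$(ctx_type oldcontext "$bounded")
    new=$(ctx_type newcontext "$bounded")

    # The execute_no_trans / map denial shows the process still running as OLD
    # and touching the daemon's entrypoint file; it names the *_exec_t type.
    exec_line=$(printf '%s\n' "$audit" \
        | grep "scontext=[^ ]*:$old:" | grep 'tclass=file' \
        | grep -E '[{] (execute_no_trans|map) [}]' | head -n 1)
    [ -n "$exec_line" ] || return 1
    exec_type=$(ctx_type tcontext "$exec_line")

    # Newer policy/kernel combinations check nnp_transition on process2 first.
    if printf '%s\n' "$audit" | grep '{ nnp_transition }' | grep -q 'tclass=process2'; then
        nnp=yes
    else
        nnp=no
    fi
    printf '%s -> %s via %s (nnp_transition denied: %s)\n' "$old" "$new" "$exec_type" "$nnp"
}

# unit_sets_nnp UNIT_TEXT: return 0 when the unit turns on NoNewPrivileges
# (systemd accepts true/yes/on/1 as boolean values), else 1.
unit_sets_nnp() {
    printf '%s\n' "$1" \
        | grep -iqE '^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*(true|yes|on|1)[[:space:]]*$'
}

if [ "${1:-}" = "--demo" ]; then
    nnp_transition_failure "$SAMPLE_AUDIT" || echo 'no NNP transition failure found'
    unit_sets_nnp "$SAMPLE_UNIT" \
        && echo 'unit sets NoNewPrivileges: the policy must allow this domain transition under NNP'
fi
```

Run it with `--demo` to see the constructed case, or feed real data from `ausearch -m AVC,SELINUX_ERR -ts recent` and `systemctl cat pdns`. When the pattern matches, the thread's conclusion applies: the fix belongs in the policy (bounding the domain or granting the transition), not in dropping the unit's NoNewPrivileges hardening.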
Morten, agreed. I added fixes; selinux-policy-3.13.1-298 will fix it.
Lukas, thank you. I tried the latest selinux-policy-3.13.1-298 package and the issue has been fixed. Will this also be backported with the next F27 update?
Yes, it will be part of the next selinux-policy F27 update.