Bug 1305522 - pdns 4.0.0 alpha 1 fails to start
Status: POST
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-08 08:51 EST by Morten Stevens
Modified: 2017-10-23 10:07 EDT

Doc Type: Bug Fix
Type: Bug


Description Morten Stevens 2016-02-08 08:51:54 EST
Description of problem:

The latest technical preview of PowerDNS 4.0.0 alpha 1 fails to start if selinux is set to enforcing.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-169.fc24.noarch
pdns-4.0.0-0.2.alpha1.fc24.x86_64

How reproducible:

1. yum install pdns
2. systemctl start pdns

Actual results:

/var/log/messages

Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1873 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1873 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed with result 'exit-code'.
Feb  8 14:46:03 fc24 systemd: pdns.service: Service hold-off time over, scheduling restart.
Feb  8 14:46:03 fc24 systemd: Stopped PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1881 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1881 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.

/var/log/audit/audit.log

type=AVC msg=audit(1454939349.865:438): avc:  denied  { mounton } for  pid=2008 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939349.866:439): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939349.866:440): avc:  denied  { execute_no_trans } for  pid=2008 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939349.871:441): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.082:442): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.082:443): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.098:444): avc:  denied  { mounton } for  pid=2013 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.099:445): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.099:446): avc:  denied  { execute_no_trans } for  pid=2013 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.104:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.332:448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.332:449): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.347:450): avc:  denied  { mounton } for  pid=2020 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.348:451): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.348:452): avc:  denied  { execute_no_trans } for  pid=2020 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.353:453): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.582:454): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.582:455): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1454939350.605:456): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.605:457): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 1 Morten Stevens 2016-02-24 05:00:30 EST
Update: pdns fails to start with "NoNewPrivileges=true" if selinux is set to enforcing.
If I remove "NoNewPrivileges=true" from the systemd unit file pdns starts fine...
Comment 2 Jan Kurik 2016-02-24 10:52:37 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 3 Daniel Walsh 2016-02-26 16:34:41 EST
We have seen similar issues to this using docker and prctl(NO_NEW_PRIVS)

To make this work, we need to change the SELinux policy to do something like

typebounds init_t pdns_t;
allow init_t pdns_exec_t:file entrypoint;


NO_NEW_PRIVS is preventing SELinux from transitioning unless the parent process bounds the lower process; in this case init_t has to have all of the access in pdns_exec_t.
Comment 4 Jan Kurik 2016-07-26 00:38:13 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 5 Morten Stevens 2017-10-15 11:11:41 EDT
Any news here? I have tested it with the latest selinux-policy (rawhide) and the error still exists if I set NoNewPrivileges=true in the systemd unit file.

type=SELINUX_ERR msg=audit(1508071664.780:538): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508071664.780:539): avc:  denied  { map } for  pid=2834 comm="pdns_server" path="/usr/sbin/pdns_server" dev="dm-0" ino=1444669 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0

It would be great to get an update for this issue.
Comment 6 Lukas Vrabec 2017-10-16 11:03:13 EDT
I added fixes to the GitHub selinux-policy repo. They should be included in the next selinux-policy Rawhide and F27 update.
Comment 7 Morten Stevens 2017-10-20 09:48:02 EDT
(In reply to Lukas Vrabec from comment #6)
> I added fixes to the GitHub selinux-policy repo. They should be included in the
> next selinux-policy Rawhide and F27 update.

Thank you. I tried the latest selinux-policy package, but I still got these errors:

# rpm -q selinux-policy
selinux-policy-3.13.1-297.fc28.noarch 

type=AVC msg=audit(1508506948.449:4773): avc:  denied  { nnp_transition } for  pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc:  denied  { map } for  pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=ANOM_ABEND msg=audit(1508506948.450:4776): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=27417 comm="pdns_server" exe="/usr/sbin/pdns_server" sig=11 res=1

Maybe the fix in selinux-policy-3.13.1-297 is not enough?
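The audit records in this thread show two different ways the kernel refuses a domain transition for a process that has NO_NEW_PRIVS set: the security_bounded_transition SELINUX_ERR (the typebounds check comment 3 describes) and, on the newer kernel in comment 7, an AVC for the nnp_transition permission on the process2 class. The script below is an added example written for this page, not code from the selinux-policy or PowerDNS projects. It parses records like the ones pasted above, identifies the transition NNP blocked (init_t to pdns_t), collects the follow-on denials on the entrypoint binary, and emits either of the two policy fixes the thread discusses. The helper names, the module name pdns_nnp and the unit fragment are this example's own assumptions; the audit lines are copied from the report.

```python
"""Triage SELinux denials caused by systemd's NoNewPrivileges= (NNP).

Added example for this bug thread; not code from the selinux-policy or
PowerDNS projects. Helper names, the module name "pdns_nnp" and the sample
unit text are this example's own choices.
"""
import re

# Constructed sample: audit records copied from the report (description and comment 7).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1454939349.865:438): avc:  denied  { mounton } for  pid=2008 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939349.866:439): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939349.866:440): avc:  denied  { execute_no_trans } for  pid=2008 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1508506948.449:4773): avc:  denied  { nnp_transition } for  pid=27417 comm="(s_server)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pdns_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1508506948.449:4774): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1508506948.450:4775): avc:  denied  { map } for  pid=27417 comm="pdns_server" path="/usr/sbin/pdns_server" dev="sda3" ino=3457732 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
"""

# Constructed unit fragment; the real pdns.service is not shown in the report.
SAMPLE_UNIT = """\
[Unit]
Description=PowerDNS Authoritative Server

[Service]
NoNewPrivileges=true
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_audit_line(line):
    """One audit record -> dict of key=value fields; AVCs also get 'result' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = set(m.group(2).split())
    return rec


def domain(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def diagnose_nnp(audit_text):
    """Map (src_domain, dst_domain) -> {'evidence', 'exec_types'} for transitions NNP blocked.

    'bounded_transition' is the SELINUX_ERR logged when NNP is set and src does not bound dst;
    'nnp_transition' is the process2 AVC newer kernels check first. execute_no_trans/map
    denials on the binary are fallout: the service stayed in src and ran dst's entrypoint there.
    """
    findings, fallout = {}, []
    for line in audit_text.splitlines():
        rec = parse_audit_line(line)
        kind = rec.get("type")
        if (kind == "SELINUX_ERR" and rec.get("op") == "security_bounded_transition"
                and rec.get("seresult") == "denied"):
            key = (domain(rec["oldcontext"]), domain(rec["newcontext"]))
            findings.setdefault(key, {"evidence": set(), "exec_types": set()})["evidence"].add("bounded_transition")
        elif kind == "AVC" and rec.get("result") == "denied":
            if rec.get("tclass") == "process2" and "nnp_transition" in rec["perms"]:
                key = (domain(rec["scontext"]), domain(rec["tcontext"]))
                findings.setdefault(key, {"evidence": set(), "exec_types": set()})["evidence"].add("nnp_transition")
            elif rec.get("tclass") == "file" and rec["perms"] & {"execute_no_trans", "map"}:
                fallout.append((domain(rec["scontext"]), domain(rec["tcontext"])))
    for (src, _dst), info in findings.items():
        info["exec_types"].update(ttype for s, ttype in fallout if s == src)
    return findings


def policy_snippet(src, dst, exec_types, style="nnp_transition", module="pdns_nnp"):
    """Return a refpolicy-style .te module text for one of the two fixes discussed in the thread."""
    exec_types = sorted(exec_types)
    out = [f"policy_module({module}, 1.0)", "", "gen_require(`", f"    type {src}, {dst};"]
    out += [f"    type {t};" for t in exec_types]
    if style == "nnp_transition":
        # Linux 4.14+ with the nnp_nosuid_transition policy capability: the exec transition is
        # allowed under NNP when src holds nnp_transition on dst; no type bounding is needed.
        out += ["    class process2 nnp_transition;", "')", "", f"allow {src} {dst}:process2 nnp_transition;"]
    elif style == "typebounds":
        # Comment 3's approach: dst becomes a bounded subtype of src, so every permission dst
        # holds must also be held by src, and src must be allowed to enter via the binary.
        out += ["')", "", f"typebounds {src} {dst};"]
        out += [f"allow {src} {t}:file entrypoint;" for t in exec_types]
    else:
        raise ValueError(f"unknown style {style!r}")
    return "\n".join(out) + "\n"


def nnp_enabled(unit_text):
    """True if the unit explicitly sets NoNewPrivileges= to a true value (last assignment wins).
    systemd.exec(5) also lists sandboxing options that imply NNP for unprivileged services;
    those implied cases are not detected here."""
    value = None
    for line in unit_text.splitlines():
        if line.strip().startswith("NoNewPrivileges="):
            value = line.split("=", 1)[1].strip().lower()
    return value in {"1", "yes", "true", "on", "y", "t"}


if __name__ == "__main__":
    for (src, dst), info in diagnose_nnp(SAMPLE_AUDIT).items():
        print(f"{src} -> {dst} blocked under NoNewPrivileges; evidence: {sorted(info['evidence'])}")
        print(policy_snippet(src, dst, info["exec_types"]))
    print("unit sets NoNewPrivileges:", nnp_enabled(SAMPLE_UNIT))
```

On Fedora the generated .te can be built with selinux-policy-devel installed (`make -f /usr/share/selinux/devel/Makefile pdns_nnp.pp` and then `semodule -i pdns_nnp.pp`). The point of the triage is to keep the fix in policy: dropping NoNewPrivileges=true from the unit, as in comment 1, makes the service start but gives up the hardening, and the typebounds variant is only a fallback for kernels without nnp_transition because it forces pdns_t's permissions to be a subset of init_t's.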
Comment 8 Lukas Vrabec 2017-10-22 09:18:32 EDT
Morten, 

Agree, I added fixes, selinux-policy-3.13.1-298 will fix it.
Comment 9 Morten Stevens 2017-10-23 10:00:29 EDT
Lukas,

Thank you. I tried the latest selinux-policy-3.13.1-298 package and the issue has been fixed. Will this also be backported in the next F27 update?
Comment 10 Lukas Vrabec 2017-10-23 10:07:56 EDT
Yes, it will be part of the next selinux-policy F27 update.
