Bug 1305522 - pdns 4.0.0 alpha 1 fails to start
pdns 4.0.0 alpha 1 fails to start
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
25
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-08 08:51 EST by Morten Stevens
Modified: 2016-07-26 00:38 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Morten Stevens 2016-02-08 08:51:54 EST
Description of problem:

The latest technical preview of PowerDNS 4.0.0 alpha 1 fails to start if selinux is set to enforcing.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-169.fc24.noarch
pdns-4.0.0-0.2.alpha1.fc24.x86_64

How reproducible:

1. yum install pdns
2. systemctl start pdns

Actual results:

/var/log/messages

Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1873 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1873 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed with result 'exit-code'.
Feb  8 14:46:03 fc24 systemd: pdns.service: Service hold-off time over, scheduling restart.
Feb  8 14:46:03 fc24 systemd: Stopped PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb  8 14:46:03 fc24 systemd: Starting PowerDNS Authoritative Server...
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { mounton } for  pid=1881 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Feb  8 14:46:03 fc24 audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
Feb  8 14:46:03 fc24 audit: AVC avc:  denied  { execute_no_trans } for  pid=1881 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
Feb  8 14:46:03 fc24 systemd: pdns.service: Failed at step EXEC spawning /usr/sbin/pdns_server: Permission denied
Feb  8 14:46:03 fc24 systemd: pdns.service: Control process exited, code=exited status=203
Feb  8 14:46:03 fc24 systemd: Failed to start PowerDNS Authoritative Server.
Feb  8 14:46:03 fc24 systemd: pdns.service: Unit entered failed state.

/var/log/audit/audit.log

type=AVC msg=audit(1454939349.865:438): avc:  denied  { mounton } for  pid=2008 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939349.866:439): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939349.866:440): avc:  denied  { execute_no_trans } for  pid=2008 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939349.871:441): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.082:442): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.082:443): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.098:444): avc:  denied  { mounton } for  pid=2013 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.099:445): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.099:446): avc:  denied  { execute_no_trans } for  pid=2013 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.104:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.332:448): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.332:449): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1454939350.347:450): avc:  denied  { mounton } for  pid=2020 comm="(s_server)" path="/etc" dev="dm-0" ino=6029313 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1454939350.348:451): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pdns_t:s0
type=AVC msg=audit(1454939350.348:452): avc:  denied  { execute_no_trans } for  pid=2020 comm="(s_server)" path="/usr/sbin/pdns_server" dev="dm-0" ino=1443993 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pdns_exec_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1454939350.353:453): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1454939350.582:454): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.582:455): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1454939350.605:456): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1454939350.605:457): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pdns comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 1 Morten Stevens 2016-02-24 05:00:30 EST
Update: pdns fails to start with "NoNewPrivileges=true" if selinux is set to enforcing.
If I remove "NoNewPrivileges=true" from the systemd unit file pdns starts fine...
Comment 2 Jan Kurik 2016-02-24 10:52:37 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 3 Daniel Walsh 2016-02-26 16:34:41 EST
We have seen similar issues to this using docker and prctl(NO_NEW_PRIVS)

TO make this work we need to change SELinux policy to do something like

typebounds init_t pdns_t;
allow init_t pdns_exec_t:file entrypoint;


NO_NEW_PRIVS is preventing SELinux transitioning. unless the parent process bounds the lower process, in this case init_t has to have all of the access in pdns_exec_t.
Comment 4 Jan Kurik 2016-07-26 00:38:13 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Note You need to log in before you can comment on or make changes to this bug.