Bug 1476187 - Service bind not start due selinux when configured with samba deploy with --dns-backend=BIND9_DLZ
Status: NEW
Product: Fedora
Classification: Fedora
Component: bind
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-28 04:31 EDT by Dario Lesca
Modified: 2017-12-28 20:36 EST (History)
Description Dario Lesca 2017-07-28 04:31:41 EDT
Description of problem:

If I deploy Samba with --dns-backend=BIND9_DLZ, set up bind.conf and give the Samba folder /var/lib/samba/private/ the right access (see bug 1476175 - https://bugzilla.redhat.com/show_bug.cgi?id=1476175), the bind service does not start if SELinux is enabled.

Version-Release number of selected component (if applicable):
Fedora 27 rawhide
# rpm -q samba-dc bind
samba-dc-4.7.0-0.6.rc1.fc27.x86_64
bind-9.11.1-4.P3.fc27.x86_64

How reproducible:
Deploy Samba with the BIND DLZ DNS backend and start bind.

Steps to Reproduce:

Run samba-tool:
# samba-tool domain provision \
        --realm=dom.loc \
        --domain=dom \
        --dns-backend=BIND9_DLZ \
        --use-rfc2307 \
        --server-role=dc \
        --function-level=2008_R2

Configure bind by adding this to /etc/named.conf:
(in the options section)
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

(at the end)
   include "/var/lib/samba/private/named.conf";

Set the Samba folder permissions with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/

Run systemctl start named

I get this error:
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-07-28 10:23:12 CEST; 27s ago
  Process: 1573 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 1570 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

lug 28 10:23:12 server-addc.dom.loc named[1574]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
lug 28 10:23:12 server-addc.dom.loc named[1574]: dlz_dlopen of 'AD DNS Zone' failed
lug 28 10:23:12 server-addc.dom.loc named[1574]: SDLZ driver failed to load.
lug 28 10:23:12 server-addc.dom.loc named[1574]: DLZ driver failed to load.
lug 28 10:23:12 server-addc.dom.loc named[1574]: loading configuration: failure
lug 28 10:23:12 server-addc.dom.loc named[1574]: exiting (due to fatal error)
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
lug 28 10:23:12 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.

This is what I get in /var/log/audit/audit.log:

type=SERVICE_START msg=audit(1501230403.462:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-setup-rndc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1501230403.462:258): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-setup-rndc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1501230403.625:259): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


If I disable SELinux (setenforce 0), the service starts properly and Samba works great.

Actual results:

The named service does not start if SELinux is enabled.

Expected results:
The named service starts without disabling SELinux.

Additional info:
Comment 1 Jan Kurik 2017-08-15 04:56:30 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 2 Dario Lesca 2017-09-28 08:32:47 EDT
I have installed the latest version of Fedora 27 (Fedora-Server-netinst-x86_64-27-20170926.n.0.iso) and tried to deploy a Samba AD DC in BIND_DLZ mode.

This is what I did after a fresh F27 Server install:

sudo dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz

sudo mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)

sudo samba-tool domain provision \
        --realm=samba.loc \
        --domain=samba \
        --dns-backend=BIND9_DLZ \
        --use-rfc2307 \
        --server-role=dc \
        --function-level=2008_R2

sudo cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

At this point I configured /etc/named.conf as /var/lib/samba/bind-dns/named.txt says:

Add this into the global options:
 tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

And at the end of the file:
 include "/var/lib/samba/bind-dns/named.conf";

Then:
 sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab

But if I run "systemctl restart named", named won't start, with this error:

set 27 16:28:56 server-addc.localdomain named[2025]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:28:57 server-addc.localdomain named[2025]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb
set 27 16:28:57 server-addc.localdomain named[2025]: dlz_dlopen of 'AD DNS Zone' failed

But no SELinux error is reported in the log.

I looked into /var/lib/samba/bind-dns/dns/* and saw that none of the files are labelled for named, so I tried running:

sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns -R

and reran "systemctl restart named".

Bind does not start, but at this point I see this SELinux error message in the log:

set 27 16:31:48 server-addc.localdomain named[2072]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:31:49 server-addc.localdomain audit[2072]: AVC avc:  denied  { write } for  pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 scon
set 27 16:31:49 server-addc.localdomain named[2072]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb

If I disable SELinux (setenforce 0), named starts and works properly.

Question:

How should SELinux be set up to make sure that bind and samba work together?

I think it's better to put this setting into the bind or samba package ... or some other package (I'm not a developer or packager).

Many thanks

Dario Lesca
Comment 3 Dario Lesca 2017-09-28 08:52:13 EDT
I have tried this setting:

chcon -t named_var_run_t /var/lib/samba/bind-dns/dns -R

then

sudo setenforce 1 

and now bind starts.

Is it possible to set this in the bind or samba package?

Thanks

Dario
Comment 4 Petr Menšík 2017-10-31 13:48:00 EDT
Hi Dario,

chcon is not enough for distribution, it has to be reset by restorecon. I think /etc/selinux/targeted/contexts/files/file_contexts needs one more line:

/var/lib/samba/bind-dns/dns(/.*)?       system_u:object_r:named_cache_t:s0

This file is owned by selinux-policy-targeted package. Please use named_cache_t instead, that is used for dynamic zones in bind.

You could then reset contexts from %post script of samba package.
$ restorecon -R /var/lib/samba/bind-dns/dns

I wonder if both samba and bind would access this file at the same time? Is it designed to be written by both samba and bind?

In general, DLZ modules should be installed into /usr/lib*/bind I think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it does not make sense to distribute modules for different bind versions than packaged (current is bind 9.11 for 26+).

Bind also supports chroot mode (bind-chroot package), which would not have access to /var/lib/samba/bind-dns/dns without a specific setup of the chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of that, the configuration and keytab for bind should be in /etc/named/, where it is already handled by the setup script. The same goes for the DLZ module location.

Does it require access to samba database files? Which files or directories does it require?
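As an added illustration (not code from the bug report or from the bind or samba packages), the following Python checks an AVC denial like the one in comment 2 and produces the persistent relabel that comment 4 recommends. The complete audit line and the semanage-based local rule are assumptions: the page only shows a truncated AVC line and a direct edit of file_contexts.

```python
import re
import shlex

# Constructed sample, modelled on the AVC line in comment 2 (which is cut off
# on the page after "scon"); the scontext/tcontext values are assumptions.
SAMPLE_AVC = (
    'type=AVC msg=audit(1506522709.123:402): avc:  denied  { write } for  '
    'pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:named_conf_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = val.strip('"')
    # Contexts are user:role:type:level; the type is what the policy decides on.
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            fields[ctx + "_type"] = fields[ctx].split(":")[2]
    return fields

def needs_relabel(avc, expected_type="named_cache_t"):
    """True when named was denied on a file whose type is not the one the
    policy uses for dynamic zones (named_cache_t, as comment 4 recommends)."""
    return (avc is not None and avc.get("comm") == "named"
            and avc.get("tclass") == "file"
            and avc.get("tcontext_type") != expected_type)

def relabel_commands(directory, setype="named_cache_t"):
    """Persistent relabel: a local fcontext rule equivalent to Petr's
    file_contexts line, then restorecon (survives relabels, unlike chcon)."""
    pattern = directory.rstrip("/") + "(/.*)?"
    return [
        "semanage fcontext -a -t %s %s" % (setype, shlex.quote(pattern)),
        "restorecon -R -v %s" % shlex.quote(directory),
    ]

if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    if needs_relabel(avc):
        print("\n".join(relabel_commands("/var/lib/samba/bind-dns/dns")))
```

Feed it real lines from /var/log/audit/audit.log (or `ausearch -m avc -c named`) to confirm the target type before relabelling.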
Comment 5 Dario Lesca 2017-11-01 13:38:01 EDT
Hi Petr, I'm not able to answer your questions, so I have sent them to the Samba Technical ML:

https://lists.samba.org/archive/samba-technical/2017-November/123627.html

I hope this helps

Many thanks

Dario
Comment 6 Dario Lesca 2017-11-01 16:55:55 EDT
This is Rowland's reply (01/11/2017, 20.42 +0000):

Hi Dario, whilst I don't know all the answers, I will answer to the
best of my abilities ;-)

On Wed, 01 Nov 2017 18:11:17 +0100
Dario Lesca via samba-technical <samba-technical@lists.samba.org> wrote:

> I have filed this bug in Bugzilla for Fedora 27:
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> 
> Now Petr Menšík asks me these questions:
> 
> > --- Comment #4 from Petr Menšík <pemensik@redhat.com> ---
> > Hi Dario,
> > 
> > chcon is not enough for distribution, it has to be reset by
> > restorecon. I think
> > 
> > /etc/selinux/targeted/contexts/files/file_contexts needs one more
> > line:
> > 
> > /var/lib/samba/bind-dns/dns(/.*)?
> > system_u:object_r:named_cache_t:s0
> > 
> > This file is owned by selinux-policy-targeted package. Please use
> > named_cache_t instead, that is used for dynamic zones in bind.
> > 
> > You could then reset contexts from %post script of samba package.
> > $ restorecon -R /var/lib/samba/bind-dns/dns
> > 
> > I wonder if both samba and bind would access this file at the same
> > time? 

Yes

> 
> > Is it designed to be written by both samba and bind?

Yes

> > 
> > In general, DLZ modules should be installed into /usr/lib*/bind I
> > think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> > does not make sense to distribute modules for different bind
> > versions than packaged (current is bind 9.11 for 26+).

If you read the 'named.conf' file that Samba ships, you will find that
there are a few .so files; they are called 'dlz_bind9_${VER}.so',
where '${VER}' is the Bind minor version.

> > 
> > Bind supports also chroot mode (bind-chroot package), that would not
> > have access to /var/lib/samba/bind-dns/dns without specific setup of
> > chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> > that configuration and keytab for bind should be in /etc/named/,
> > where it is already handled by setup script. The same with DLZ
> > module location.

The 'chroot problem' will not be a problem at all, you cannot run Bind9
in a chroot with a Samba AD DC ;-)

> > 
> > Does it require access to samba database files?

OH yes

> 
> > Which files files or directories  it requires?

Obviously the 'dns' files

> 
> I'm not a developer, I'm only a simple test user and I cannot answer
> to Peter.

I think 'Peter' needs to talk to the red-hat sponsored Samba developers
that are working on getting the Samba AD DC to work with MIT Kerberos.

Rowland
