Bug 151910 - selinux don't allow named to create and write it's log file
selinux don't allow named to create and write it's log file
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-23 09:27 EST by Levente Farkas
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-15 12:00:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Levente Farkas 2005-03-23 09:27:22 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020

Description of problem:
it seems there is no named_log_t defined in the current selinux policy files (both on rhel4 and fc3). it would be useful to define such even if the current default named don't log enything somebody (like me) would like to log something. and got the following errors:
---------------------------------
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc:  denied  { search } for  pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'update_log' file '/var/log/named-update': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc:  denied  { search } for  pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'query_log' file '/var/log/named-query': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.310:0): avc:  denied  { search } for  pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'security_log' file '/var/log/named-auth': permission denied
---------------------------------
what more (i don't know why) when i try to relabel the log files to named_t i've got these errors:
---------------------------------
Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc:  denied  { relabelto } for  pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0 ino=4670608 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc:  denied  { relabelto } for  pid=2922 exe=/usr/bin/chcon name=named-query dev=md0 ino=4670491 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc:  denied  { relabelto } for  pid=2922 exe=/usr/bin/chcon name=named-update dev=md0 ino=4669631 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
--------------------------------- 

Version-Release number of selected component (if applicable):
bind-9.2.4-2 selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. restart named
2. and you see it in the messages
3.
  

Actual Results:  denied

Expected Results:  create a new file and able to append into the log file

Additional info:

default named don't use log file:-(
Comment 1 Daniel Walsh 2005-03-23 09:42:33 EST
Please update to latest U1 policy.  Currently available on 
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{policycoreutils,
selinux-policy-targeted}

Also install selinux-policy-targeted-sources.  We should be able to make a minor
change to policy to allow named to write log files.

You will need to edit /etc/selinux/targeted/src/policy/domains/program/named.te
and add a line
log_domain(named)

Then edit /etc/selinux/targeted/src/policy/file_contexts/program/named.fc
/var/log/named.*        --  system_u:object_r:named_log_t

Then execute 
make -c /etc/selinux/targeted/src/policy load
restorecon -v /var/log/named*
service named restart

If that works I will add that policy.

Dan

Comment 2 Daniel Walsh 2005-03-23 09:48:39 EST
Jason can you try this out also?


Dan
Comment 3 Levente Farkas 2005-03-23 10:12:59 EST
first of all make -C not make -c :-)
anyway it working although it'd be better to create a new rpm and the don't need
to edit the policy files:-(((
but i found another bug...
# rndc stats
rndc: 'stats' failed: permission denied
so it seems named can't write out the statistic file:-(
Comment 4 Daniel Walsh 2005-03-23 10:24:03 EST
I will add to the policy file.  I think the stats are neede to be written to a
subdirectory, of named.  Normal protection will not allow named to write to the
/var/named directory.

Sorry about -C.  

Comment 5 Levente Farkas 2005-03-23 10:43:03 EST
then add write access to that one file or create a subdir into /var/named with
such files like statistic and dump file and give write acces to it and/or
reconfigure and recompile bind to this new default. since currently this is not
usable (even if i define different path for this files).
just my 2c.

ps. may i get a notice when the new policy files rpm are uploaded (i assume
official rh update will not be in the near future:-() thanks.
Comment 6 Jason Vas Dias 2005-03-23 10:50:56 EST
The default named.conf file makes the default statistics and dumpdb log file
location: 
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.db";
because the /var/named/data directory is given the correct ownership 
(named:named) for named to create and write files .

Do you have these statements in your named.conf ? If not, you probably
maintain your own configuration files which were retained during upgrade.

By default, as a security measure, named is not allowed to create or write
files in its working directory ($ROOTDIR/var/named) .

This can be changed by setting the ownership of /var/named to named:named
and by setting the SELinux boolean "named_write_master_zones" to True (1) .

So the solution to this problem is to either:
 o Change the ownership of $ROOTDIR/var/named to named:named and 
   $ setsebool named_write_master_zones 1
OR
 o Make the location of all files named can write / create /var/named/data
   (for debug logs, statistics files, database dumps) or /var/named/slaves
   for slave or dynamically updatable zone files .

Comment 7 Levente Farkas 2005-03-23 10:59:24 EST
thanks.
but anyway it'd be useful to change the default (ie. hardcoded into bind)
locations to this "default in the example conf file".
Comment 8 Daniel Walsh 2005-03-24 16:45:51 EST
Added named_log_t policy to selinux-policy-targeted-1.17.30-2.93 in Fedora.  You
can try this on RHEL and if it works it will get moved into U2 release.

ftp://people.redhat.com/dwalsh/SELinux/FC3
Dan
Comment 9 Peter Bieringer 2006-04-06 05:37:13 EDT
Tonight, I got on a RHEL4U3 system (selinux-policy-targeted-1.17.30-2.126)
following message:

avc:  denied  { setattr } for  pid=28446 comm="syslog-ng" name="named.log"
dev=hda5 ino=116 scontext=root:system_r:syslogd_t
tcontext=system_u:object_r:named_log_t tclass=file

I've updated now to selinux-policy-targeted-1.17.30-2.128 and will further watch on.

Related entries in syslog-ng.conf:

destination d_named  { file("/var/log/named.log"); };
filter f_named     { facility(local0); };
log { source(s_sys); filter(f_named); destination(d_named); };
Comment 10 Peter Bieringer 2006-04-06 05:51:29 EDT
Is there a special handling of named.log somewhere configured? Digging deeper I
found:

# ls -Z /var/log/named.log
-rw-------  root     root     system_u:object_r:named_log_t    /var/log/named.log

Hmm, this file was previously generated by syslog, now syslog was replaced by
syslog-ng

Is this a result of relabling which I've done because of another issue?

Not nice, if there is no related toggle for that (switching from
named-log-via-syslog to named-log-itself) -> feature request




Comment 11 Daniel Walsh 2006-04-06 14:56:28 EDT
chcon -t var_log_t      /var/log/named.log

You should add a line to /etc/selinux/targeted/contexts/files/file_context.local

/var/log/named.log -- system_u:object_r:var_log_t

To prevent the relabeling from changing it again.

Dan
Comment 12 Peter Bieringer 2006-04-07 08:03:22 EDT
Hmm, ok, but would it be not better to make this default (or remove the made
changes) and recommend related changes for those who enable named direct logging
to file in /var/log?

This would make more sense to me than following (too magic):
/var/log/named.*        --  system_u:object_r:named_log_t

Am I right that such changes can't be toggled by a selinux boolean?

Or other solution: create /var/log/named/ directory and set this to named_log_t

Note You need to log in before you can comment on or make changes to this bug.