From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020

Description of problem:
It seems there is no named_log_t defined in the current selinux policy files (both on rhel4 and fc3). It would be useful to define one: even if the current default named doesn't log anything, somebody (like me) would like to log something. I got the following errors:
---------------------------------
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'update_log' file '/var/log/named-update': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'query_log' file '/var/log/named-query': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.310:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'security_log' file '/var/log/named-auth': permission denied
---------------------------------
What's more (I don't know why), when I try to relabel the log files to named_t I get these errors:
---------------------------------
Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied { relabelto } for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0 ino=4670608 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc: denied { relabelto } for pid=2922 exe=/usr/bin/chcon name=named-query dev=md0 ino=4670491 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc: denied { relabelto } for pid=2922 exe=/usr/bin/chcon name=named-update dev=md0 ino=4669631 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
---------------------------------

Version-Release number of selected component (if applicable):
bind-9.2.4-2
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. restart named
2. and you see it in the messages

Actual Results: denied

Expected Results: create a new file and be able to append to the log file

Additional info:
default named doesn't use a log file :-(
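The denials quoted in this report, worked as an added example that is not part of the bug or of the policy package: a small POSIX shell/awk triage script that reduces AVC lines to source type, target type, object class and permission, so named's own denial (named_t searching var_log_t) is kept apart from the one produced by the chcon relabel (unconfined_t relabelto named_t). The sample lines are constructed from the ones above, and AVC_SAMPLE, avc_field and summarize_avc are names chosen here.

```shell
#!/bin/sh
# Added example, not from the bug report: reduce SELinux AVC "denied"
# lines to (source type, target type, class, permission) so that the
# denials from named itself (named_t -> var_log_t) stand out from the
# ones caused by the chcon relabel (unconfined_t -> named_t).
# The sample lines are constructed, modelled on the ones quoted above.
AVC_SAMPLE='Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue kernel: audit(1111567234.310:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied { relabelto } for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0 ino=4670608 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
avc: denied { setattr } for pid=28446 comm="syslog-ng" name="named.log" dev=hda5 ino=116 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:named_log_t tclass=file'

# avc_field LINE KEY: value of KEY=value from one AVC line; surrounding
# double quotes (name="named.log") are stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# summarize_avc: read AVC lines on stdin, print one line per distinct
# "srctype tgttype class perm" tuple, prefixed by how often it occurred.
summarize_avc() {
  awk '
  function ctxtype(kv,   parts) {        # root:system_r:named_t -> named_t
    sub(/^[a-z]+=/, "", kv)
    split(kv, parts, ":")
    return parts[3]
  }
  /avc: *denied/ {
    perm = ""; src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {                   # { read write } -> read,write
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = perm (perm == "" ? "" : ",") $j
      } else if (index($i, "scontext=") == 1) src = ctxtype($i)
      else if (index($i, "tcontext=") == 1) tgt = ctxtype($i)
      else if (index($i, "tclass=") == 1) cls = substr($i, 8)
    }
    if (perm != "" && src != "" && tgt != "" && cls != "")
      print src, tgt, cls, perm
  }' | sort | uniq -c | sort -rn
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Feed `/var/log/messages` (or `ausearch -m avc` output) to `summarize_avc` instead of the sample to get the same tuple counts for a live system.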
Please update to latest U1 policy. Currently available on
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{policycoreutils, selinux-policy-targeted}
Also install selinux-policy-targeted-sources.

We should be able to make a minor change to policy to allow named to write log files. You will need to edit /etc/selinux/targeted/src/policy/domains/program/named.te and add a line

log_domain(named)

Then edit /etc/selinux/targeted/src/policy/file_contexts/program/named.fc

/var/log/named.* -- system_u:object_r:named_log_t

Then execute

make -c /etc/selinux/targeted/src/policy load
restorecon -v /var/log/named*
service named restart

If that works I will add that policy.
Dan
Jason, can you try this out also?
Dan
First of all, make -C, not make -c :-)
Anyway, it's working, although it'd be better to create a new rpm so I don't need to edit the policy files :-(((

But I found another bug...

# rndc stats
rndc: 'stats' failed: permission denied

So it seems named can't write out the statistics file :-(
I will add to the policy file. I think the stats need to be written to a subdirectory of named. Normal protection will not allow named to write to the /var/named directory.
Sorry about -C.
Then add write access to that one file, or create a subdir in /var/named for such files as the statistics and dump file and give write access to it, and/or reconfigure and recompile bind to this new default. Currently this is not usable (even if I define a different path for these files). Just my 2c.

PS: May I get a notice when the new policy file rpms are uploaded (I assume an official RH update will not come in the near future :-()? Thanks.
The default named.conf file makes the default statistics and dumpdb log file location:

dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.db";

because the /var/named/data directory is given the correct ownership (named:named) for named to create and write files. Do you have these statements in your named.conf? If not, you probably maintain your own configuration files which were retained during upgrade.

By default, as a security measure, named is not allowed to create or write files in its working directory ($ROOTDIR/var/named). This can be changed by setting the ownership of /var/named to named:named and by setting the SELinux boolean "named_write_master_zones" to True (1).

So the solution to this problem is to either:

o Change the ownership of $ROOTDIR/var/named to named:named and
  $ setsebool named_write_master_zones 1

OR

o Make the location of all files named can write / create /var/named/data (for debug logs, statistics files, database dumps) or /var/named/slaves for slave or dynamically updatable zone files.
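An added example (not from the bug thread and not part of the bind package) that audits a named.conf against the rule in the comment above: it collects the absolute paths named is configured to write (dump-file, statistics-file and logging channel files) and reports whether each lies under /var/named/data or /var/named/slaves, under /var/log (where the named_log_t label from this thread applies), or elsewhere. The named.conf text and the function names are constructed for the demonstration, and only absolute paths are examined.

```shell
#!/bin/sh
# Added example, not from the bug thread: list the files named is
# configured to write (dump-file, statistics-file and logging "file"
# channels) and flag the ones outside the directories the default
# policy lets named write to, as described in the comment above.
# The named.conf below is constructed for the demonstration.
NAMED_CONF='options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.db";
};
logging {
    channel update_log { file "/var/log/named-update"; severity info; };
    channel query_log  { file "/var/named/data/named-query.log" versions 3; };
};'

# named_write_paths CONF: print "option path" for every absolute file
# path named must write (relative zone file names are ignored here).
named_write_paths() {
  printf '%s\n' "$1" | awk '
  {
    for (i = 1; i < NF; i++) {
      key = $i
      if (key == "dump-file" || key == "statistics-file" || key == "file") {
        val = $(i + 1)
        gsub(/[";]/, "", val)            # strip quotes and trailing ;
        if (substr(val, 1, 1) == "/") print key, val
      }
    }
  }'
}

# classify_write_path PATH: "writable" under the directories the policy
# lets named write, "needs-named_log_t" under /var/log, else "not-writable".
classify_write_path() {
  case "$1" in
    /var/named/data/*|/var/named/slaves/*) echo writable ;;
    /var/log/*) echo needs-named_log_t ;;
    *) echo not-writable ;;
  esac
}

# check_named_conf CONF: one line per path, "<class> <option> <path>".
check_named_conf() {
  named_write_paths "$1" | while read -r opt path; do
    echo "$(classify_write_path "$path") $opt $path"
  done
}

check_named_conf "$NAMED_CONF"
```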
Thanks. But anyway, it'd be useful to change the default (i.e. hardcoded into bind) locations to this "default in the example conf file".
Added named_log_t policy to selinux-policy-targeted-1.17.30-2.93 in Fedora. You can try this on RHEL and if it works it will get moved into U2 release.
ftp://people.redhat.com/dwalsh/SELinux/FC3
Dan
Tonight, I got on a RHEL4U3 system (selinux-policy-targeted-1.17.30-2.126) the following message:

avc: denied { setattr } for pid=28446 comm="syslog-ng" name="named.log" dev=hda5 ino=116 scontext=root:system_r:syslogd_t tcontext=system_u:object_r:named_log_t tclass=file

I've now updated to selinux-policy-targeted-1.17.30-2.128 and will keep watching.

Related entries in syslog-ng.conf:

destination d_named { file("/var/log/named.log"); };
filter f_named { facility(local0); };
log { source(s_sys); filter(f_named); destination(d_named); };
Is there a special handling of named.log configured somewhere? Digging deeper I found:

# ls -Z /var/log/named.log
-rw------- root root system_u:object_r:named_log_t /var/log/named.log

Hmm, this file was previously generated by syslog; now syslog has been replaced by syslog-ng. Is this a result of the relabeling which I've done because of another issue? Not nice, if there is no related toggle for that (switching from named-log-via-syslog to named-log-itself) -> feature request
chcon -t var_log_t /var/log/named.log

You should add a line to /etc/selinux/targeted/contexts/files/file_context.local

/var/log/named.log -- system_u:object_r:var_log_t

to prevent the relabeling from changing it again.
Dan
Hmm, ok, but wouldn't it be better to make this the default (or remove the changes made) and recommend related changes for those who enable named's direct logging to a file in /var/log? This would make more sense to me than the following (too magic):

/var/log/named.* -- system_u:object_r:named_log_t

Am I right that such changes can't be toggled by an SELinux boolean?

Or another solution: create a /var/log/named/ directory and set this to named_log_t.