Bug 1537971 - freeIPA DNSSEC fails with execute_no_trans for ods-signer
Summary: freeIPA DNSSEC fails with execute_no_trans for ods-signer
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-24 08:31 UTC by Christian Heimes
Modified: 2018-02-06 15:31 UTC (History)
7 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-02-06 15:31:04 UTC


Attachments (Terms of Use)

Description Christian Heimes 2018-01-24 08:31:38 UTC
Description of problem:
I'm no longer able to enable DNSSEC support in freeIPA. ``ipa dnszone-mod $DOMAIN --dnssec=true`` fails silently with a AVC. After I have put the opendnssec_t domain into permissive mode, DNSSEC support works as expected. The ods-signer binary is part of opendnssec package.

avc:  denied  { execute_no_trans } for  pid=104865 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-283.21.fc27.noarch
opendnssec-1.4.14-1.fc27.x86_64
freeipa-server-dns-4.6.2.dev201801240728+git57a869329-0.fc27.noarch

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install
2. ipa-dns-install --dnssec-master --auto-forwarders --auto-reverse --unattended
3. ipa dnszone-mod $DOMAIN --dnssec=true

Actual results:
AVC denial, ipa-ods-exporter is failing with "socket activation did not return socket with a command", dig isn't reporting RRSIG for the domain.

Expected results:
DNSSEC works

Additional info:
See https://pagure.io/freeipa/issue/7378 for more information

Comment 1 Christian Heimes 2018-01-24 08:56:48 UTC
The AVC denial in my original post was with ``semanage permissive -a opendnssec_t``. Here is a full log:

----
time->Wed Jan 24 09:15:02 2018
type=AVC msg=audit(1516781702.689:1031): avc:  denied  { execute_no_trans } for  pid=104673 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=0
----
time->Wed Jan 24 09:20:46 2018
type=AVC msg=audit(1516782046.828:1126): avc:  denied  { execute_no_trans } for  pid=104865 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=1


ods-signer doesn't have execute_no_trans:

# ls -laZ /usr/sbin/ods-signer
-rwxr-xr-x. 1 root root system_u:object_r:opendnssec_exec_t:s0 416856 Dec 12 19:26 /usr/sbin/ods-signer
# sesearch -s opendnssec_t -t opendnssec_exec_t -c file -p entrypoint -A
allow opendnssec_t opendnssec_exec_t:file { entrypoint execute getattr ioctl lock map open read };

Comment 2 Christian Heimes 2018-01-24 16:45:10 UTC
RHEL 7 has execute_no_trans in the opendnssec_exec_t rule. This is clearly a Fedora bug.

# sesearch -s opendnssec_t -t opendnssec_exec_t -c file -p entrypoint -A                                                                                                                                                
Found 1 semantic av rules:                                                                                                                                                                                                                   
   allow opendnssec_t opendnssec_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; 

# rpm -qa selinux-policy-targeted
selinux-policy-targeted-3.13.1-186.el7.noarch

Comment 3 Alexander Bokovoy 2018-01-29 14:04:26 UTC
Lukas, any progress on this? DNSSEC cannot be used with FreeIPA until this fixed.

Comment 4 Christian Heimes 2018-01-30 14:04:29 UTC
Lukas, I opened https://github.com/fedora-selinux/selinux-policy-contrib/pull/48

Comment 5 Lukas Vrabec 2018-01-30 14:23:45 UTC
Hi, 

Thanks for help. Merged and backported to Fedora 27. 

Lukas,

Comment 6 Fedora Update System 2018-01-30 16:40:35 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 7 Fedora Update System 2018-01-31 22:44:36 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 8 Fedora Update System 2018-02-06 15:31:04 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.