Bug 1572374 - [RHEL7] SELinux AVC when creating zones in BIND using rndc
Summary: [RHEL7] SELinux AVC when creating zones in BIND using rndc
Keywords:
Status: CLOSED DUPLICATE of bug 1315821
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Petr Menšík
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-26 20:57 UTC by Rodrigo A B Freire
Modified: 2018-04-27 09:19 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-27 09:19:57 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Knowledge Base (Solution) 3425391 (last updated 2018-04-26 23:09:07 UTC)

Description Rodrigo A B Freire 2018-04-26 20:57:58 UTC
Description of problem:
Unable to create dynamic zones using RHEL7 ISC BIND - Will fail with AVC

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64

How reproducible:
100% / always

Steps to Reproduce:
1. Configure your DNS server with allow-new-zones yes;
2. From a client using rndc, create a new zone
   (see: https://jpmens.net/2010/10/04/dynamically-add-zones-to-bind-with-rndc-addzone/)

Actual results:
Zone creation fails with AVC

Expected results:
Zone should be created.

Additional info:
With setenforce 0, it is possible to create the zone.

This directly impacts the usage of DNSaaS / Designate from OpenStack.

Comment 1 Rodrigo A B Freire 2018-04-26 21:00:19 UTC
Evidence:

[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:50:09 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 11193] 20:50:24 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
^Cstrace: Process 11191 detached


Setenforce 0:

[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:51:10 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 unlink("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl") = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("tmp-nlYDnGr8pf", O_RDWR|O_CREAT|O_EXCL, 0666) = 6
[pid 11193] 20:51:10 rename("tmp-nlYDnGr8pf", "slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608") = 0
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jbk", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775875, 194897}, {1524775875, 194897}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775875, 194897}, {1524775875, 194897}]) = 0
^Cstrace: Process 11191 detached


SELinux context: 
[root@aa10-dns1 named]# ls -Za /var/named
drwxrwx---. root  named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root  root  system_u:object_r:var_t:s0       ..
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 3bf305731dd26307.nzf
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.loopback
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves

Audit AVCs:
type=AVC msg=audit(1524775824.567:94): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775839.754:95): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775854.936:96): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { add_name } for  pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { create } for  pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc:  denied  { append } for  pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc:  denied  { write } for  pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc:  denied  { remove_name } for  pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc:  denied  { rename } for  pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc:  denied  { setattr } for  pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file

Comment 2 Ben Nemec 2018-04-26 21:23:16 UTC
I believe the fix for this is to do "sudo setsebool named_write_master_zones 1" when deploying BIND in an environment where you want it to create dynamic zones.  I don't think this actually blocks https://bugzilla.redhat.com/show_bug.cgi?id=1374002 because puppet is already taking care of that for us.

Comment 3 Rodrigo A B Freire 2018-04-26 22:53:34 UTC
Hi Ben,

I can confirm that setsebool named_write_master_zones 1 resolves this issue. I'm removing the blocker from the Designate tracker.

@Assignee,

Is it desired to have it enabled only on-demand?

Honestly, I think that it can cause unneeded customer frustration and a possible influx of support tickets.

Comment 4 Rodrigo A B Freire 2018-04-26 23:54:00 UTC
As a side note,

If you don't chmod g+w /var/named, it will not work either.

Comment 5 Petr Menšík 2018-04-27 09:19:57 UTC
This issue is already tracked in bug #1315821. I would like to change the default to accept writing into the home directory, for several reasons.

*** This bug has been marked as a duplicate of bug 1315821 ***
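As an added example (not part of the bug report and not Red Hat's or ISC's code), the following POSIX shell script turns the thread's findings into a preflight check for dynamic zone creation under SELinux: it classifies AVC lines of the shape shown in comment 1, reports whether the named_write_master_zones boolean from comment 2 is on, and checks the group-write bit on the zone directory from comment 4. The function names, the default /var/named path and the SAMPLE_AVC line are assumptions; getsebool is only invoked when it exists on the host, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the bug report: preflight check for rndc addzone
# under SELinux. Assumed names: avc_fields, avc_remediation,
# zone_dir_group_writable, named_write_master_zones_state, preflight.

# Print "<perms> <source type> <target type> <class>" for one AVC line,
# e.g. "add_name named_t named_zone_t dir". Returns 1 if the line is not an AVC.
avc_fields() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            gsub(/ /, ",", perms)                 # "read write" -> "read,write"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print perms, src, tgt, cls
            found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Map an AVC line to the remediation the thread settled on: prints
# "named_write_master_zones" when named_t is denied a write-type permission
# on named_zone_t content (the case in comment 1), "other" for any other
# denial, and returns 1 if the line is not an AVC at all.
avc_remediation() {
    fields=$(avc_fields "$1") || return 1
    set -- $fields
    perms=$1 src=$2 tgt=$3
    case "$src:$tgt" in
        named_t:named_zone_t) ;;
        *) echo other; return 0 ;;
    esac
    case ",$perms," in
        *,write,*|*,add_name,*|*,create,*|*,append,*|*,remove_name,*|*,rename,*|*,setattr,*)
            echo named_write_master_zones ;;
        *)  echo other ;;
    esac
}

# Return 0 when the directory's group has the write bit (comment 4: without
# chmod g+w on the zone directory the boolean alone is not enough).
# Character 6 of "ls -ld" output is the group write bit, e.g. drwxrwx---.
zone_dir_group_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c6)" = "w" ]
}

# Print "on", "off", or "unavailable" on a host without SELinux tooling.
named_write_master_zones_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool named_write_master_zones 2>/dev/null | awk '{ print $NF }'
    else
        echo unavailable
    fi
}

# Full preflight for one zone directory; returns 1 if something needs fixing.
preflight() {
    dir=${1:-/var/named}   # assumed default zone directory
    rc=0
    if zone_dir_group_writable "$dir"; then
        echo "ok: $dir is group-writable"
    else
        echo "fix: chmod g+w $dir (directory must stay owned by group named)"; rc=1
    fi
    case "$(named_write_master_zones_state)" in
        on)  echo "ok: named_write_master_zones is on" ;;
        off) echo "fix: setsebool -P named_write_master_zones on"; rc=1 ;;
        *)   echo "skip: SELinux tooling not available on this host" ;;
    esac
    return $rc
}

# Constructed sample, same shape as the add_name denial in comment 1.
SAMPLE_AVC='type=AVC msg=audit(1524775870.116:98): avc:  denied  { add_name } for  pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir'

echo "sample AVC -> $(avc_remediation "$SAMPLE_AVC")"
if [ $# -gt 0 ]; then preflight "$1"; exit $?; fi
```

Run it as `sh preflight.sh /var/named` on the DNS host; an exit status of 1 means at least one of the two conditions from the thread is missing, and the printed "fix:" lines are the exact commands from comments 2 and 4. Classifying the AVC first is deliberate: a denial whose target is not named_zone_t (a mislabelled file, for example) is reported as "other" so that the boolean is not flipped for a problem it does not solve.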

