Bug 1572374 - [RHEL7] SELinux AVC when creating zones in BIND using rndc
Summary: [RHEL7] SELinux AVC when creating zones in BIND using rndc
Keywords:
Status: CLOSED DUPLICATE of bug 1315821
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.4
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-26 20:57 UTC by Rodrigo A B Freire
Modified: 2018-04-27 09:19 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-27 09:19:57 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3425391 0 None None None 2018-04-26 23:09:07 UTC

Description Rodrigo A B Freire 2018-04-26 20:57:58 UTC
Description of problem:
Unable to create dynamic zones using RHEL7 ISC BIND - Will fail with AVC

Version-Release number of selected component (if applicable):
bind-9.9.4-51.el7.x86_64

How reproducible:
100% / always

Steps to Reproduce:
1. Configure your DNS server with allow-new-zones yes;
2. From a client using rndc, create a new zone
   (see: https://jpmens.net/2010/10/04/dynamically-add-zones-to-bind-with-rndc-addzone/)

Actual results:
Zone creation fails with AVC

Expected results:
Zone should be created.

Additional info:
With setenforce 0, it is possible to create the zone.

Impacts directly the usage of DNSaaS / Designate from OpenStack.

Comment 1 Rodrigo A B Freire 2018-04-26 21:00:19 UTC
Evidences:

[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:50:09 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 11193] 20:50:24 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
^Cstrace: Process 11191 detached


Setenforce 0:

[root@aa10-dns1 ~]# strace -fxvvtp 11191 -e trace=file
strace: Process 11191 attached with 5 threads
[pid 11192] 20:51:10 open("3bf305731dd26307.nzf", O_WRONLY|O_CREAT|O_APPEND, 0666) = 6
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11192] 20:51:10 stat("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", 0x7fc073e05e60) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 unlink("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl") = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775870, 210100}, {1524775870, 210100}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("tmp-nlYDnGr8pf", O_RDWR|O_CREAT|O_EXCL, 0666) = 6
[pid 11193] 20:51:10 rename("tmp-nlYDnGr8pf", "slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608") = 0
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:10 open("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jbk", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608.jnl", [{1524775875, 194897}, {1524775875, 194897}]) = -1 ENOENT (No such file or directory)
[pid 11193] 20:51:15 utimes("slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608", [{1524775875, 194897}, {1524775875, 194897}]) = 0
^Cstrace: Process 11191 detached


SELinux context: 
[root@aa10-dns1 named]# ls -Za /var/named
drwxrwx---. root  named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root  root  system_u:object_r:var_t:s0       ..
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 3bf305731dd26307.nzf
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.loopback
-rw-r--r--. named named system_u:object_r:named_zone_t:s0 slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves

Audit AVCs:
type=AVC msg=audit(1524775824.567:94): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775839.754:95): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775854.936:96): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { write } for  pid=11191 comm="named" name="named" dev="dm-0" ino=2359494 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { add_name } for  pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.116:98): avc:  denied  { create } for  pid=11191 comm="named" name="3bf305731dd26307.nzf" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.116:98): avc:  denied  { append } for  pid=11191 comm="named" path="/var/named/3bf305731dd26307.nzf" dev="dm-0" ino=2359658 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.210:99): avc:  denied  { write } for  pid=11191 comm="named" path="/var/named/tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775870.211:100): avc:  denied  { remove_name } for  pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1524775870.211:100): avc:  denied  { rename } for  pid=11191 comm="named" name="tmp-nlYDnGr8pf" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1524775875.194:101): avc:  denied  { setattr } for  pid=11191 comm="named" name="slave.openstack.rf01.co.4fb97c3b-d5f9-41ca-85d2-79ef97e81608" dev="dm-0" ino=2359454 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file

Comment 2 Ben Nemec 2018-04-26 21:23:16 UTC
I believe the fix for this is to do "sudo setsebool named_write_master_zones 1" when deploying BIND in an environment where you want it to create dynamic zones.  I don't think this actually blocks https://bugzilla.redhat.com/show_bug.cgi?id=1374002 because puppet is already taking care of that for us.

Comment 3 Rodrigo A B Freire 2018-04-26 22:53:34 UTC
Hi Ben,

I can confirm that setsebool named_write_master_zones 1 resolves this issue. I'm removing the blocker from the Designate tracker.

@Assignee,

Is it desired to have it enabled only on-demand?

Honestly, I think that it can cause unneeded customer frustration and possible influx of support tickets.

Comment 4 Rodrigo A B Freire 2018-04-26 23:54:00 UTC
As a side note,

If you don't chmod g+w /var/named it will not work either.

Comment 5 Petr Menšík 2018-04-27 09:19:57 UTC
This issue is already tracked in bug #1315821. I would like to change default to accept writing into home directory for more reasons.

*** This bug has been marked as a duplicate of bug 1315821 ***


Note You need to log in before you can comment on or make changes to this bug.