Bug 1572647 - BIND is not able to write into home
Summary: BIND is not able to write into home
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1599705 1615453
Depends On:
Blocks: 1315821 1452091 named_writable_home 1574003 1633158 1653106
Reported: 2018-04-27 13:55 UTC by Petr Menšík
Modified: 2019-02-28 10:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1574003 1633158
Environment:
Last Closed: 2019-02-28 10:01:23 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1569466 | 0 | urgent | CLOSED | named: /var/named does not allow writing temporary files by daemon | 2021-02-22 00:41:40 UTC

Internal Links: 1569466

Description Petr Menšík 2018-04-27 13:55:07 UTC
Description of problem:
/var/named is not writable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-192.el7.noarch

Additional info:

Traditionally our configuration did not allow BIND to write into its default home, /var/named. This is also protected by the SELinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}.

Policy allows the named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only when setsebool named_write_master_zones on is called.

For some reason this is already automatically exploited by the bind-dyndb-ldap package, which sets named_write_master_zones on installation and disables it on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is common to maintain DNSSEC signatures also in master zones from BIND. Static zones that are never modified by the daemon are no longer dominant. I think a writable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for the whole /var/named, where named_zone_t was used before.

It blocks a simple solution of bug #1315821, bug #1452091 and bug #1569466.

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242
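
The rules described above (named_cache_t always writable by named, named_zone_t only while the boolean is on) as an added shell check that is not part of this bug report; it parses constructed `ls -Zd` and `getsebool` output and assumes the type and boolean names given in the report:

```shell
# Added example (not part of the bug report): decide whether named may
# write to a path, applying the policy rules the report describes:
#   named_cache_t -> always writable; named_zone_t -> only while the
#   named_write_master_zones boolean is on; anything else -> not writable.
# Assumed: type and boolean names are those the bug gives; the sample
# command output below is constructed, not captured from a real host.

# named_can_write <selinux_type> <on|off>: prints verdict, returns 0 if writable.
named_can_write() {
    ctx_type="$1"; bool="$2"
    case "$ctx_type" in
        named_cache_t) echo writable; return 0 ;;
        named_zone_t)
            if [ "$bool" = "on" ]; then echo writable; return 0; fi
            echo read-only; return 1 ;;
        *) echo read-only; return 1 ;;
    esac
}

# The SELinux type is the third colon-separated field of the context in an
# `ls -Zd` line; both the "context path" form and the older
# "mode user group context path" form are accepted. The path is the last field.
type_from_ls_line() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if (split($i, c, ":") >= 3) { print c[3]; exit } }'
}
path_from_ls_line() { printf '%s\n' "$1" | awk '{ print $NF }'; }

# `getsebool named_write_master_zones` prints "<name> --> on|off".
bool_from_getsebool() { printf '%s\n' "$1" | awk '{ print $NF }'; }

# report <ls -Zd output> <getsebool output>: one verdict line per path.
report() {
    bool=$(bool_from_getsebool "$2")
    printf '%s\n' "$1" | while IFS= read -r line; do
        t=$(type_from_ls_line "$line")
        printf '%-24s %-16s %s\n' "$(path_from_ls_line "$line")" "$t" \
            "$(named_can_write "$t" "$bool")"
    done
}

# Constructed sample standing in for the live commands; on a real host run:
# report "$(ls -Zd /var/named /var/named/*)" "$(getsebool named_write_master_zones)"
SAMPLE_LS='system_u:object_r:named_zone_t:s0 /var/named
system_u:object_r:named_cache_t:s0 /var/named/data
system_u:object_r:named_cache_t:s0 /var/named/dynamic
system_u:object_r:named_zone_t:s0 /var/named/dyndb-ldap'
SAMPLE_BOOL='named_write_master_zones --> off'
report "$SAMPLE_LS" "$SAMPLE_BOOL"
```

With the boolean off, the sample reports /var/named and /var/named/dyndb-ldap as read-only and only the named_cache_t subdirectories as writable, which is the situation the report describes.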

Comment 2 Petr Menšík 2018-04-27 14:09:38 UTC
I think it would be sufficient to leave protection of non-writable zones to Unix rights. Because dac_override is not granted, it should be secure enough. Product security agreed with that.

Comment 3 Petr Menšík 2018-05-21 14:13:09 UTC
Could the default of the sebool named_write_master_zones be changed to on, still in rhel-7.6? I have blocked three bugs on this change.

Comment 5 Lukas Vrabec 2018-07-18 11:17:46 UTC
*** Bug 1599705 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2018-08-20 18:27:25 UTC
*** Bug 1615453 has been marked as a duplicate of this bug. ***

Comment 7 Petr Menšík 2018-09-26 10:11:08 UTC
We have discussed this issue after the discovery of some flaws in post-install boolean setting. We agreed it would keep using the boolean in RHEL 7, because it is difficult to get back to the default value once it has ever been changed. It is not possible to detect whether it was changed by the RPM or by a system administrator. Until that changes, it is not possible to rely on default settings on upgrades.

The default would be changed in RHEL 8.

