Bug 1572647 - BIND is not able to write into home
Summary: BIND is not able to write into home
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
: 1599705 1615453 (view as bug list)
Depends On:
Blocks: 1315821 1452091 named_writable_home 1574003 1633158 1653106
TreeView+ depends on / blocked
 
Reported: 2018-04-27 13:55 UTC by Petr Menšík
Modified: 2019-02-28 10:01 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1574003 1633158 (view as bug list)
Environment:
Last Closed: 2019-02-28 10:01:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1569466 None CLOSED named: /var/named does not allow writing temporary files by daemon 2019-09-25 18:27:58 UTC

Internal Links: 1569466

Description Petr Menšík 2018-04-27 13:55:07 UTC
Description of problem:
/var/named is not writeable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-192.el7.noarch

Additional info:

Traditionally our configuration did not allow bind writing into default home /var/named. This is protected also by selinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}.

Policy allows named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only when setsetbool named_write_master_zones on is called.

For some reason this is already automatically exploited by bind-dyndb-ldap package, which sets named_write_master_zones on installation and disables on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is common to maintain DNSSEC signatures also in master zones from BIND. Static zones that are never modified by daemon are no longer dominant. I think writeable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for whole /var/named, where named_zone_t were used before.

It block simple solution of bug #1315821, bug #1452091 and bug #1569466.

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242

Comment 2 Petr Menšík 2018-04-27 14:09:38 UTC
I think it would be sufficient to leave protection of non-writeable zones to unix rights. Because dac_override is not granted, it should be secure enough. Product security agreed with that.

Comment 3 Petr Menšík 2018-05-21 14:13:09 UTC
Could be default of sebool named_write_master_zones changed to on still in rhel-7.6? I have blocked three bugs on this change.

Comment 5 Lukas Vrabec 2018-07-18 11:17:46 UTC
*** Bug 1599705 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2018-08-20 18:27:25 UTC
*** Bug 1615453 has been marked as a duplicate of this bug. ***

Comment 7 Petr Menšík 2018-09-26 10:11:08 UTC
We have discussed this issue after discovery of some flaws of post install boolean setting. We agreed it would stay using boolean in RHEL7, because it is difficult to get back to default value once it was ever changed. It is not possible to detect whether it was changed by the rpm or a system administrator. Until that changes it is not possible to rely on default settings on upgrades.

Default would be changed on RHEL8.


Note You need to log in before you can comment on or make changes to this bug.