Bug 1574003 - BIND is not able to write into /var/named
Summary: BIND is not able to write into /var/named
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1572647 1633158
Blocks: 1573998 1422680 1580388 1580389 1639410
Reported: 2018-05-02 16:26 UTC by Petr Menšík
Modified: 2018-10-15 20:30 UTC
CC: 10 users

Fixed In Version: selinux-policy-3.14.3-9.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1572647
Environment:
Last Closed: 2018-10-15 20:30:41 UTC



Description Petr Menšík 2018-05-02 16:26:16 UTC
+++ This bug was initially created as a clone of Bug #1572647 +++

Description of problem:
/var/named is not writable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-21.fc28.noarch

Additional info:

Traditionally our configuration did not allow BIND to write into its default home /var/named. This is also protected by the SELinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}.

Policy allows the named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only when setsebool named_write_master_zones on is called.

For some reason this is already automatically exploited by the bind-dyndb-ldap package, which sets named_write_master_zones on at installation and disables it on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is also common to have BIND maintain DNSSEC signatures in master zones. Static zones that are never modified by the daemon are no longer dominant. I think a writable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for the whole of /var/named, wherever named_zone_t was used before.

Blocks bug #1422680

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242

--- Additional comment from Petr Menšík on 2018-04-27 16:09:38 CEST ---

I think it would be sufficient to leave the protection of non-writable zones to Unix permissions. Because dac_override is not granted, it should be secure enough. Product security agreed with that.
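
The argument above, that named can only write where both SELinux and the Unix mode allow it, can be checked per file. The following is an added example, not code from this bug or from the selinux-policy package: it encodes the rules the report states (named_cache_t always writable by named, named_zone_t only while named_write_master_zones is on, no dac_override) and evaluates a constructed `ls -lZa /var/named` listing and `getsebool` output against them. It assumes the daemon runs as user and group "named" (the Fedora default) and that the `ls -lZ` column layout is the GNU coreutils one; both are assumptions, not something the bug states.

```python
"""Effective-writability audit for /var/named (added example, not Fedora code).

Rules encoded, taken from the bug report:
  * named_cache_t is always writable by named (named_t);
  * named_zone_t is writable only while named_write_master_zones is on;
  * dac_override is not granted, so Unix permissions must allow the write too.
The listing and getsebool output are constructed samples; user/group "named"
and the GNU `ls -lZ` column order are assumptions.
"""
import re

NAMED_USER = "named"    # assumption: the daemon's Unix uid/gid names
NAMED_GROUP = "named"
ALWAYS_WRITABLE = {"named_cache_t"}
BOOL_GATED = {"named_zone_t"}
MODE_RE = re.compile(r"^[-dl][rwxsStT-]{9}[.+]?$")

# Constructed sample in `ls -lZa /var/named` format (".." omitted).
SAMPLE_LS_LZ = """\
drwxr-x---.  5 root  named system_u:object_r:named_zone_t:s0  4096 May  2 16:26 .
drwxrwx---.  2 named named system_u:object_r:named_cache_t:s0 4096 May  2 16:26 data
drwxrwx---.  2 named named system_u:object_r:named_cache_t:s0 4096 May  2 16:26 dynamic
drwxrwx---.  2 named named system_u:object_r:named_cache_t:s0 4096 May  2 16:26 slaves
drwxrwx---.  2 named named system_u:object_r:named_zone_t:s0  4096 May  2 16:26 dyndb-ldap
-rw-r-----.  1 root  named system_u:object_r:named_zone_t:s0   512 May  2 16:26 static.example.zone
-rw-rw----.  1 named named system_u:object_r:named_zone_t:s0   512 May  2 16:26 signed.example.zone
"""
SAMPLE_GETSEBOOL = "named_write_master_zones --> off"   # constructed


def parse_getsebool(output):
    """Turn `getsebool named_write_master_zones` output into True/False."""
    m = re.match(r"\s*named_write_master_zones\s*-->\s*(on|off)\s*$", output)
    if not m:
        raise ValueError("unexpected getsebool output: %r" % output)
    return m.group(1) == "on"


def parse_ls_lz(text):
    """Parse `ls -lZ` lines into dicts: name, mode, owner, group, SELinux type."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        parts = line.split(None, 9)   # name is the 10th field and may hold spaces
        if len(parts) != 10 or not MODE_RE.match(parts[0]):
            raise ValueError("cannot parse ls -lZ line: %r" % line)
        mode, _links, owner, group, ctx, _size, _mon, _day, _time, name = parts
        entries.append({"name": name, "mode": mode, "owner": owner,
                        "group": group, "type": ctx.split(":")[2]})
    return entries


def mac_allows_write(entry, master_zones_on):
    """SELinux side: does named_t get write access to this file type?"""
    t = entry["type"]
    if t in ALWAYS_WRITABLE:
        return True, "%s is always writable by named" % t
    if t in BOOL_GATED:
        if master_zones_on:
            return True, "%s is writable while named_write_master_zones is on" % t
        return False, "%s needs named_write_master_zones=on" % t
    return False, "%s is not a type this model lets named write" % t


def dac_allows_write(entry, user=NAMED_USER, group=NAMED_GROUP):
    """Unix side: owner class first, then group, then other; no dac_override."""
    mode = entry["mode"]
    if entry["owner"] == user:
        bits = mode[1:4]
    elif entry["group"] == group:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    if mode[0] == "d":   # creating or replacing a file needs write and search (x)
        return bits[1] == "w" and bits[2] in "xst"
    return bits[1] == "w"


def audit(listing, master_zones_on):
    """Return {name: (writable_by_named, reason)} for every entry in the listing."""
    result = {}
    for e in parse_ls_lz(listing):
        mac_ok, why = mac_allows_write(e, master_zones_on)
        if not mac_ok:
            result[e["name"]] = (False, "SELinux: " + why)
        elif not dac_allows_write(e):
            result[e["name"]] = (False, "Unix mode %s (%s:%s) denies the write; "
                                 "named has no dac_override"
                                 % (e["mode"], e["owner"], e["group"]))
        else:
            result[e["name"]] = (True, why)
    return result


if __name__ == "__main__":
    # Show the listing under the old default (boolean off) and the new one (on).
    for state in (parse_getsebool(SAMPLE_GETSEBOOL), True):
        print("named_write_master_zones = %s" % ("on" if state else "off"))
        for name, (ok, reason) in audit(SAMPLE_LS_LZ, state).items():
            print("  %-20s %-5s %s" % (name, "write" if ok else "deny", reason))
```

With the boolean off, only the named_cache_t subdirectories come out writable; with it on, the root-owned directory and the root-owned static zone are still denied by their Unix mode alone, while the named-owned dyndb-ldap directory and signed zone become writable. On a real host, feed the script the output of `ls -lZa /var/named` and `getsebool named_write_master_zones` instead of the constructed samples.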

Comment 1 Lukas Vrabec 2018-10-15 16:11:54 UTC
commit f0c5a683216a296b2944f9274cafc5b223205f0c
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Oct 12 16:11:54 2018 +0200

    Turn named_write_master_zones boolean on by default.

