Bug 1707910 - SELinux is preventing bind from writing temporary files to /var/named
Summary: SELinux is preventing bind from writing temporary files to /var/named
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-05-08 16:43 UTC by James Ralston
Modified: 2019-05-16 21:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-15 13:19:42 UTC



Description James Ralston 2019-05-08 16:43:55 UTC
Description of problem:

Recent versions of bind have added a new behavior of creating temporary files in the /var/named directory, which SELinux blocks.

If I place named_t in permissive mode, this is what I see:

$ ausearch -m avc -ts today
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.675:2047): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" name="named" dev="dm-0" ino=319349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2048): avc:  denied  { add_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2049): avc:  denied  { create } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2050): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" path="/var/named/tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2051): avc:  denied  { remove_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2052): avc:  denied  { unlink } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1

$ find /var -inum 319349
/var/named

If I pipe the output of ausearch to audit2allow, I am told:

#============= named_t ==============

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:dir { add_name remove_name write };

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:file { create unlink write };

But this is wrong. I'm not running named in a DDNS configuration; the master zones I have named configured to serve are static and do not change. I should not need to set this SELinux boolean in order to prevent SELinux from blocking named from writing its temporary files.

Version-Release number of selected component (if applicable):

$ rpm -q bind selinux-policy-targeted
bind-9.11.6-2.P1.fc29.x86_64
selinux-policy-targeted-3.14.2-57.fc29.noarch

How reproducible:

Install and configure named to serve some static zones.

Actual results:

SELinux will prevent named from writing temporary files in /var/named.

Expected results:

SELinux should not prevent named from writing temporary files in /var/named.
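The audit2allow step in the report above, reproduced as an added example so the aggregation it performs is visible: this is editor-written code, not audit2allow and not part of the bug report. It parses the six ausearch records quoted in the description (copied verbatim below; pid, dev, ino and the tmp-* file name are the reporter's values, not constructed here), groups the denied permissions by source type, target type and object class, and emits the same two allow rules audit2allow printed. The function names and the extra denied_object_names() helper are this example's own.

```python
"""Aggregate SELinux AVC denials into allow rules, the way audit2allow does
for the ausearch output in the report above.

Added example: not audit2allow itself and not part of the bug report.  The
SAMPLE_AUSEARCH text is copied from the report; the function names and the
rule formatting are this example's own.
"""
import os
import re
from collections import defaultdict

# The AVC records exactly as ausearch printed them in the report, including
# the '----' separators and 'time->' stamps that a parser has to skip.
SAMPLE_AUSEARCH = """\
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.675:2047): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" name="named" dev="dm-0" ino=319349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2048): avc:  denied  { add_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2049): avc:  denied  { create } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2050): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" path="/var/named/tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2051): avc:  denied  { remove_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2052): avc:  denied  { unlink } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
"""

# 'avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC denial as a dict, or None for lines that are not AVC
    records (the '----' separators and 'time->' stamps in ausearch output)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # permissive=1 means the access was logged but not actually blocked
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def parse_ausearch(text):
    """All AVC records in a block of ausearch output, in order."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def type_of(context):
    """Type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def aggregate(records):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for rec in records:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def allow_rules(ausearch_text):
    """audit2allow-style 'allow' rules for the denials in ausearch_text."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(aggregate(parse_ausearch(ausearch_text)).items())
    ]


def denied_object_names(ausearch_text, tclass="file"):
    """Names of the objects of class tclass that access was denied on.  Some
    records carry name= and some only path=, so fall back to the basename."""
    names = set()
    for rec in parse_ausearch(ausearch_text):
        if rec["tclass"] == tclass:
            names.add(rec.get("name") or os.path.basename(rec.get("path", "")))
    return sorted(names)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUSEARCH):
        print(rule)
    print("file objects touched:", denied_object_names(SAMPLE_AUSEARCH))
```

Two things the aggregation makes visible. First, every file-class denial is on the single tmp-fWgY3GyjCy object, which is the reporter's point: the writes are temporary files, not zone data. Second, the rules themselves say nothing about file names, only types, so an allow rule (or the named_write_master_zones boolean that audit2allow points at) grants named_t write on everything labelled named_zone_t, the static zone files included; SELinux cannot express "only tmp-* files in this directory" without a separate label for them. Note also that all six records carry permissive=1: in enforcing mode the first denied write on the directory would have failed and only that one record would have been logged, so collecting the full set in one pass requires running named_t permissive as the reporter did.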

Comment 1 Lukas Vrabec 2019-05-15 13:19:42 UTC
Unfortunately named moved the tmp files to /var/named instead of to /tmp. Because of this change, we cannot easily distinguish between zones and tmp files. Please enable the boolean to make this work.

Thanks,
Lukas.

Comment 2 James Ralston 2019-05-15 18:50:36 UTC
I filed an upstream issue to have named create temporary files in a dedicated tmp directory (/tmp or, say, /var/named/tmp) instead of directly in /var/named:

https://gitlab.isc.org/isc-projects/bind9/issues/1033

Comment 3 Lukas Vrabec 2019-05-16 21:03:01 UTC
Thanks James.

