Bug 1742895 - dnsmasq fails to start when using IP sets due to SELinux
Summary: dnsmasq fails to start when using IP sets due to SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-17 12:23 UTC by Damon
Modified: 2019-12-11 01:32 UTC

Fixed In Version: selinux-policy-3.14.3-53.fc30
Clone Of:
Environment:
Last Closed: 2019-12-11 01:32:11 UTC
Type: Bug
Embargoed:


Description Damon 2019-08-17 12:23:46 UTC
Description of problem: SELinux policy prevents using the Netfilter IP set feature of dnsmasq.


Version-Release number of selected component (if applicable): dnsmasq-2.80-7.fc30


How reproducible: Always.


Steps to Reproduce:
1. Add a domain which should be added to an IP set using the dnsmasq config, e.g. `ipset=/getfedora.org/myipset`
2. Start dnsmasq using systemd

Actual results: dnsmasq fails to start.


Expected results: dnsmasq should start.


Additional info:

# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2019-08-17 14:15:13 CEST; 4s ago
  Process: 30703 ExecStart=/usr/sbin/dnsmasq -k (code=exited, status=5)
 Main PID: 30703 (code=exited, status=5)

Aug 17 14:15:13 myhost.local systemd[1]: Started DNS caching server..
Aug 17 14:15:13 myhost.local dnsmasq[30703]: dnsmasq: failed to create IPset control socket: Permission denied
Aug 17 14:15:13 myhost.local dnsmasq[30703]: failed to create IPset control socket: Permission denied
Aug 17 14:15:13 myhost.local dnsmasq[30703]: FAILED to start up
Aug 17 14:15:13 myhost.local systemd[1]: dnsmasq.service: Main process exited, code=exited, status=5/NOTINSTALLED
Aug 17 14:15:13 myhost.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

# grep dnsmasq /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1566044113.657:78809): avc:  denied  { create } for  pid=30703 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Comment 1 Damon 2019-08-26 07:00:08 UTC
This problem persists on dnsmasq-2.80-9.fc30.

Comment 2 Petr Menšík 2019-10-21 11:29:06 UTC
Ok, correct. Use of ipset is prevented.

type=AVC msg=audit(1571655143.214:482): avc:  denied  { create } for  pid=26516 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=0

It fails to create the socket ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) in src/ipset.c [1].

To reproduce this issue, just:
1. ipset create myipset hash:ip
2. echo 'ipset=/getfedora.org/myipset' > /etc/dnsmasq.d/ipset.conf
3. systemctl restart dnsmasq

With permissive:
type=AVC msg=audit(1571657074.776:522): avc:  denied  { bind } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1


Hash: dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,bind

type=AVC msg=audit(1571657074.776:521): avc:  denied  { create } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1


Hash: dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,create

1. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/ipset.c;h=7b97ea83eddd92b3ed3abbaa5137b168c1c05bc4;hb=HEAD#l110

Comment 3 Petr Menšík 2019-10-21 11:39:55 UTC
I think there is little I can do about this in dnsmasq. Since this feature is not usually used, it might help to use just an SELinux boolean to enable access to these features.

Lukas, would it make sense to add boolean dnsmasq_ipset? Should this privilege be added to normal dnsmasq_t always?

Anyway, I think this decision is up to selinux-policy maintainers. Since dnsmasq is not well-tested for security features, I would vote for extra boolean turned on only when required.

Switching to selinux-policy.

Comment 4 Lukas Vrabec 2019-11-01 15:37:40 UTC
commit e4a06510f4d215024b6e0fd8617fe83d4a14fa73 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity>
Date:   Tue Oct 29 14:47:39 2019 +0100

    Created dnsmasq_use_ipset boolean
    
    Created boolean to allow the dnsmasq_t domain to create and use netlink_sockets.
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1742895
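
A defender's triage for the denials shown in Comment 2, mapped to the boolean introduced in Comment 4; this is an added example, not code from the bug report or from the dnsmasq or selinux-policy projects. The AVC sample lines are copied from this bug, the boolean name dnsmasq_use_ipset is taken from the commit above, and the hash tuple follows the "Hash:" line audit2why prints (comm, source type, target type, class, permission).

```shell
#!/bin/sh
# Constructed sample: the two AVC records from Comment 2 of this bug.
AVC_SAMPLE='type=AVC msg=audit(1571657074.776:521): avc:  denied  { create } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1571657074.776:522): avc:  denied  { bind } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1'

# avc_hash LINE -> "comm,source_type,target_type,tclass,perm", the same
# tuple audit2why reports on its "Hash:" line for an AVC record.
avc_hash() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)                      # "{ create }"
            else if (index($i, "comm=") == 1) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if (index($i, "scontext=") == 1) { split(substr($i, 10), s, ":"); stype = s[3] }
            else if (index($i, "tcontext=") == 1) { split(substr($i, 10), t, ":"); ttype = t[3] }
            else if (index($i, "tclass=") == 1) tclass = substr($i, 8)
        }
        print comm "," stype "," ttype "," tclass "," perm
    }'
}

# avc_remedy HASH -> the SELinux boolean that covers this denial, or "" if
# none is known here. Only the mapping from this bug is encoded: dnsmasq_t
# creating/binding a netlink_netfilter_socket is the ipset control socket,
# which selinux-policy-3.14.3-53.fc30 gates behind dnsmasq_use_ipset.
avc_remedy() {
    case "$1" in
        *,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,create|*,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,bind)
            echo "dnsmasq_use_ipset" ;;
        *)  echo "" ;;
    esac
}

# Walk the sample and print the hash with the fix: prefer the targeted
# boolean over an audit2allow module, which would grant the access to every
# dnsmasq install whether or not it uses ipset.
printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r line; do
    h=$(avc_hash "$line")
    b=$(avc_remedy "$h")
    if [ -n "$b" ]; then
        echo "$h -> setsebool -P $b on"
    else
        echo "$h -> no known boolean; inspect with audit2why"
    fi
done
```

On a real host, feed it `ausearch -m AVC -c dnsmasq` output instead of the sample and confirm with `getsebool dnsmasq_use_ipset` after applying the change.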

Comment 5 Fedora Update System 2019-12-04 07:50:30 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 6 Fedora Update System 2019-12-05 02:00:52 UTC
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 7 Fedora Update System 2019-12-06 19:20:48 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 8 Fedora Update System 2019-12-07 02:17:55 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 9 Fedora Update System 2019-12-11 01:32:11 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
