Description of problem:
SELinux policy prevents using the Netfilter IP set feature of dnsmasq.

Version-Release number of selected component (if applicable):
dnsmasq-2.80-7.fc30

How reproducible:
Always.

Steps to Reproduce:
1. Add a domain which should be added to an IP set using the dnsmasq config, e.g. `ipset=/getfedora.org/myipset`
2. Start dnsmasq using systemd

Actual results:
dnsmasq fails to start.

Expected results:
dnsmasq should start.

Additional info:

# systemctl status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2019-08-17 14:15:13 CEST; 4s ago
  Process: 30703 ExecStart=/usr/sbin/dnsmasq -k (code=exited, status=5)
 Main PID: 30703 (code=exited, status=5)

Aug 17 14:15:13 myhost.local systemd[1]: Started DNS caching server..
Aug 17 14:15:13 myhost.local dnsmasq[30703]: dnsmasq: failed to create IPset control socket: Permission denied
Aug 17 14:15:13 myhost.local dnsmasq[30703]: failed to create IPset control socket: Permission denied
Aug 17 14:15:13 myhost.local dnsmasq[30703]: FAILED to start up
Aug 17 14:15:13 myhost.local systemd[1]: dnsmasq.service: Main process exited, code=exited, status=5/NOTINSTALLED
Aug 17 14:15:13 myhost.local systemd[1]: dnsmasq.service: Failed with result 'exit-code'.

# grep dnsmasq /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1566044113.657:78809): avc: denied { create } for pid=30703 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
This problem persists on dnsmasq-2.80-9.fc30.
Ok, correct. Use of ipset is prevented.

type=AVC msg=audit(1571655143.214:482): avc: denied { create } for pid=26516 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=0

It fails to create the socket

    ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)

in src/ipset.c [1].

To reproduce this issue, just:
1. ipset create myipset hash:ip
2. echo 'ipset=/getfedora.org/myipset' > /etc/dnsmasq.d/ipset.conf
3. systemctl restart dnsmasq

With permissive:

type=AVC msg=audit(1571657074.776:522): avc: denied { bind } for pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1
Hash: dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,bind

type=AVC msg=audit(1571657074.776:521): avc: denied { create } for pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1
Hash: dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,create

1. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/ipset.c;h=7b97ea83eddd92b3ed3abbaa5137b168c1c05bc4;hb=HEAD#l110
I think there is little I can do about this in dnsmasq. Since this feature is not usually used, it might help to use just selinux boolean to enable access to these features. Lukas, would it make sense to add boolean dnsmasq_ipset? Should this privilege be added to normal dnsmasq_t always? Anyway, I think this decision is up to selinux-policy maintainers. Since dnsmasq is not well-tested for security features, I would vote for extra boolean turned on only when required. Switching to selinux-policy.
commit e4a06510f4d215024b6e0fd8617fe83d4a14fa73 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity>
Date:   Tue Oct 29 14:47:39 2019 +0100

    Created dnsmasq_use_ipset boolean

    Created boolean to allow the dnsmasq_t domain to create and use netlink_sockets.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1742895
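As an added example that is not part of this bug thread or of selinux-policy, the following POSIX shell script reduces raw AVC records to the same comm,source,target,class,permission tuple that audit2why prints as "Hash:" above, and reports whether the records contain the dnsmasq_t netlink_netfilter_socket create/bind denial that the dnsmasq_use_ipset boolean from the commit above is meant to allow. The function names are my own, and the sample records are constructed, modelled on the ones quoted earlier in the thread.

```sh
#!/bin/sh
# Added example, not from the bug thread: reduce raw AVC records to the
# "Hash:" tuple audit2why prints (comm,source type,target type,class,perm)
# and flag the dnsmasq netlink_netfilter_socket denials that the
# dnsmasq_use_ipset boolean is meant to allow. Function names are mine.

# One "type=AVC ..." record -> comm,stype,ttype,tclass,perm (single permission).
avc_hash() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([a-z_]*\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2,\3,\4,\5,\1/p'
}

# 0 if the record is a dnsmasq_t create/bind denial on netlink_netfilter_socket
# (the two operations src/ipset.c needs for its control socket), else 1.
is_dnsmasq_ipset_denial() {
    case "$(avc_hash "$1")" in
        dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,create) return 0 ;;
        dnsmasq,dnsmasq_t,dnsmasq_t,netlink_netfilter_socket,bind) return 0 ;;
        *) return 1 ;;
    esac
}

# Read audit records on stdin, print each hash, and name the boolean to set
# when an ipset denial is present. Exit status 0 means remediation applies.
check_audit_log() {
    needed=1
    while IFS= read -r line; do
        case "$line" in *type=AVC*) ;; *) continue ;; esac
        hash=$(avc_hash "$line")
        [ -n "$hash" ] || continue
        printf 'Hash: %s\n' "$hash"
        if is_dnsmasq_ipset_denial "$line"; then needed=0; fi
    done
    if [ "$needed" -eq 0 ]; then
        printf 'Remediation: setsebool -P dnsmasq_use_ipset on\n'
    fi
    return "$needed"
}

# Constructed sample records modelled on the permissive-mode ones quoted in
# the thread, plus an unrelated file denial that must not trigger the boolean.
SAMPLE_AVC='type=AVC msg=audit(1571657074.776:521): avc:  denied  { create } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1571657074.776:522): avc:  denied  { bind } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1571657074.776:523): avc:  denied  { read } for  pid=28242 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'

printf '%s\n' "$SAMPLE_AVC" | check_audit_log
```

On a real system the records would come from `grep dnsmasq /var/log/audit/audit.log` as in the report; the script only classifies them and prints the setsebool command, it does not change policy itself.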
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.