1782539 – dnsmasq tftp is not able to read files with SELinux public_content_t context

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1782539 - dnsmasq tftp is not able to read files with SELinux public_content_t context

Summary: dnsmasq tftp is not able to read files with SELinux public_content_t context

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	8.4
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-11 19:52 UTC by Benjamin
Modified:	2021-05-18 14:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 14:57:35 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Benjamin 2019-12-11 19:52:03 UTC

Description of problem:
The tftp server of dnsmasq should be able to access files labeled with the public_content_t as the server from tftp-server is able to.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-6.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a dnsmasq configuration with the tftp service enabled

For example in /etc/dnsmasq.conf include:
enable-tftp
tftp-root=/tftpboot

2. Label the files in /tftpboot with the public_content_t so they can also be served with other services.

# semanage fcontext -a -t public_content_t "/tftpboot(/.*)?"
# restorecon -R -v /tftpboot

Actual results:
Attempting to fetch a file from a tftp client results in:
dnsmasq-tftp[1075]: cannot access /tftpboot/filename: Permission denied

Expected results:
dnsmasq-tftp[9526]: sent /tftpboot/filename to 1.2.3.4


Additional info:
The same issue also occurs with RHEL7 with dnsmasq-2.76-10.el7_7.1.x86_64

Comment 1 Petr Menšík 2020-03-18 15:20:32 UTC

tftp-server uses different directory  /var/lib/tftpboot

# ls -lZd /var/lib/tftpboot
drwxr-xr-x. root root system_u:object_r:tftpdir_rw_t:s0 /var/lib/tftpboot

dnsmasq does not have any dedicated directory for tftp. I think /var/lib/dnsmasq/<anything> could be used, but dnsmasq directory itself usually contains leases. Which must not be public.
Such directory is served in Fedora by syslinux-tftpboot, where it has type tftpdir_t.

Anyway, why is chosen public_content_t type? Since it was assigned manually, why is not used dnsmasq_lease_t?

Comment 2 Benjamin 2020-04-01 16:09:46 UTC

The files are in /tftpboot (this is a pxe boot server), they are served using dnsmasq's tftp service and through nginx over http. If I label them tftpdir_t, nginx cannot access them. Likewise if I label them httpd_sys_content_t, dnsmasq cannot access them.

Reading httpd_selinux(8) it mentions in the "SHARING FILES" section:
  If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.

That allows nginx to read the files but dnsmasq is still not able to. I opened this issue since the tftpd daemon in the tftpd-server package can read files labeled public_content_t. It seems if tftpd-server can read them, then dnsmasq tftp should be able to read them as well.

Comment 3 Petr Menšík 2020-04-07 09:23:24 UTC

Ok, you are right, it makes sense to set it to public_content_t, if it should be served also over HTTP. Especially if tftp-server already has such ability, dnsmasq should have it as well. It can provide the same service.

Comment 4 Petr Menšík 2020-04-07 09:31:15 UTC

Hello Selinux team,

I think dnsmasq cannot change allowed context.

Could be file context type dnsmasq_exec_t allowed to read public_content_t?

Comment 5 Milos Malik 2020-04-07 10:20:21 UTC

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(04/07/2020 06:19:29.459:1283) : proctitle=/usr/sbin/dnsmasq -k 
type=PATH msg=audit(04/07/2020 06:19:29.459:1283) : item=0 name=/tftpboot/pokus inode=10620096 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/07/2020 06:19:29.459:1283) : cwd=/ 
type=SYSCALL msg=audit(04/07/2020 06:19:29.459:1283) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x56165c67f700 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=130280 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) 
type=AVC msg=audit(04/07/2020 06:19:29.459:1283) : avc:  denied  { read } for  pid=130280 comm=dnsmasq name=pokus dev="vda1" ino=10620096 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0 
----

Comment 6 Milos Malik 2020-04-07 10:30:18 UTC

Caught in permissive mode:
----
type=PROCTITLE msg=audit(04/07/2020 06:28:21.429:1288) : proctitle=/usr/sbin/dnsmasq -k 
type=PATH msg=audit(04/07/2020 06:28:21.429:1288) : item=0 name=/tftpboot/pokus inode=10620096 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/07/2020 06:28:21.429:1288) : cwd=/ 
type=SYSCALL msg=audit(04/07/2020 06:28:21.429:1288) : arch=x86_64 syscall=openat success=yes exit=17 a0=0xffffff9c a1=0x56165c67f700 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=130280 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) 
type=AVC msg=audit(04/07/2020 06:28:21.429:1288) : avc:  denied  { open } for  pid=130280 comm=dnsmasq path=/tftpboot/pokus dev="vda1" ino=10620096 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/07/2020 06:28:21.429:1288) : avc:  denied  { read } for  pid=130280 comm=dnsmasq name=pokus dev="vda1" ino=10620096 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/07/2020 06:28:21.429:1289) : proctitle=/usr/sbin/dnsmasq -k 
type=SYSCALL msg=audit(04/07/2020 06:28:21.429:1289) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x11 a1=0x7ffe0f35c980 a2=0x7ffe0f35c980 a3=0x0 items=0 ppid=1 pid=130280 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) 
type=AVC msg=audit(04/07/2020 06:28:21.429:1289) : avc:  denied  { getattr } for  pid=130280 comm=dnsmasq path=/tftpboot/pokus dev="vda1" ino=10620096 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=1 
----

Comment 7 Milos Malik 2020-04-07 11:02:11 UTC

Simplified reproducer:

# yum -y -q install tftp dnsmasq
# mkdir -p /tftpboot
# touch /tftpboot/pokus
# semanage fcontext -a -t public_content_t "/tftpboot(/.*)?"
# restorecon -RvF /tftpboot
# grep tftp /etc/dnsmasq.conf | grep -v ^#
enable-tftp
tftp-root=/tftpboot
# service dnsmasq start
# tftp localhost -c get pokus
Error code 2: cannot access /tftpboot/pokus: Permission denied
#

Hopefully, I didn't forget some important step.

Comment 9 Zdenek Pytela 2020-04-07 12:23:11 UTC

Allowing the access seems to be one of the options.

Comment 13 Zdenek Pytela 2020-11-16 20:43:08 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/367

Comment 21 errata-xmlrpc 2021-05-18 14:57:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

Note You need to log in before you can comment on or make changes to this bug.