Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1801214

Summary: SELinux prevents pdns_server from mmap()-ing the /usr/share/p11-kit/modules/p11-kit-trust.module file
Product: Red Hat Enterprise Linux 8 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.2CC: lvrabec, mmalik, ms, plautrba, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.3Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 01:56:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2020-02-10 12:42:17 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
pdns-4.2.1-1.el8.x86_64 (comes from EPEL)
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-devel-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-8.2 machine (targeted policy is active)
2. run following automated TCs:
 * /CoreOS/selinux-policy/Regression/pdns_server-and-similar
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/10/2020 07:33:00.081:491) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=MMAP msg=audit(02/10/2020 07:33:00.081:491) : fd=6 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(02/10/2020 07:33:00.081:491) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x308 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1 pid=13698 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(02/10/2020 07:33:00.081:491) : avc:  denied  { map } for  pid=13698 comm=pdns_server path=/usr/share/p11-kit/modules/p11-kit-trust.module dev="vda1" ino=4253781 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
# getsebool -a | grep mmap
domain_can_mmap_files --> off
mmap_low_allowed --> off
wine_mmap_zero_ignore --> off
#
Comment 1 Milos Malik 2020-02-10 13:01:00 UTC 
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(02/10/2020 07:59:29.990:508) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=MMAP msg=audit(02/10/2020 07:59:29.990:508) : fd=6 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(02/10/2020 07:59:29.990:508) : arch=x86_64 syscall=mmap success=yes exit=140636530028544 a0=0x0 a1=0x308 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1 pid=20006 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(02/10/2020 07:59:29.990:508) : avc:  denied  { map } for  pid=20006 comm=pdns_server path=/usr/share/p11-kit/modules/p11-kit-trust.module dev="vda1" ino=4253781 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 
----
Comment 3 Zdenek Pytela 2020-06-05 16:37:02 UTC 
I've submitted a Fedora PR to address the issue generally:
https://github.com/fedora-selinux/selinux-policy/pull/371

If accepted, we can close these similar bzs as duplicates:
https://bugzilla.redhat.com/show_bug.cgi?id=1801183
https://bugzilla.redhat.com/show_bug.cgi?id=1822532

unless it makes confusion in test cases.
Comment 4 Zdenek Pytela 2020-06-11 17:12:24 UTC 
*** Bug 1801183 has been marked as a duplicate of this bug. ***
Comment 5 Zdenek Pytela 2020-06-11 17:12:30 UTC 
*** Bug 1822532 has been marked as a duplicate of this bug. ***
Comment 14 Zdenek Pytela 2020-06-24 16:10:14 UTC 
Hi,

During testing it turned out pdns_server in the ctrlListen thread requests access to /proc/stat. Is it expected and should we allow it in the policy, or can it be dontaudited (do not allow, do not audit)?

----
type=PROCTITLE msg=audit(06/16/2020 09:32:00.585:154) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no 
type=PATH msg=audit(06/16/2020 09:32:00.585:154) : item=0 name=/proc/stat inode=4026531911 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/16/2020 09:32:00.585:154) : cwd=/ 
type=SYSCALL msg=audit(06/16/2020 09:32:00.585:154) : arch=ppc64le syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x10113aed8 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=30735 auid=unset uid=pdns gid=pdns euid=pdns suid=pdns fsuid=pdns egid=pdns sgid=pdns fsgid=pdns tty=(none) ses=unset comm=pdns/ctrlListen exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null) 
type=AVC msg=audit(06/16/2020 09:32:00.585:154) : avc:  denied  { read } for  pid=30735 comm=pdns/ctrlListen name=stat dev="proc" ino=4026531911 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 
----
Comment 15 Adrian Reber 2020-06-24 16:15:25 UTC 
I am not sure I am the right person for the needinfo. Not sure how I am involved in this.
Comment 16 Zdenek Pytela 2020-06-24 17:03:24 UTC 
Adrian,

I am sorry for bothering you, got your name from packaging information.

Anyway, moving further:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/281
Comment 26 errata-xmlrpc 2020-11-04 01:56:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528