Description of problem:
When testing bind-9.16 rebase, systemctl restart named results in failed selinux

Version-Release number of selected component (if applicable):
bind-9.16.2-1.fc30.x86_64
selinux-policy-3.14.3-56.fc30.noarch
selinux-policy-targeted-3.14.3-56.fc30.noarch

How reproducible:
always

Steps to Reproduce:
1. dnf copr enable pemensik/bind-9.16
2. dnf install bind
3. systemctl start bind && systemctl restart bind

Actual results:
type=AVC msg=audit(04/24/2020 11:31:21.055:40157) : avc: denied { setsched } for pid=23338 comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=process permissive=0

Expected results:
No error.

Additional info:
I know bind 9.16 is not yet supported in Fedora, but it should land in Fedora 33. But selinux context handling should be supported when it is ready.

Details from my machine (in Czech in the original):
Additional information:
Source context        system_u:system_r:ndc_t:s0
Target context        system_u:system_r:ndc_t:s0
Target objects        Unknown [ process ]
Source                isc-worker0000
Source path           isc-worker0000
Port                  <Unknown>
Host                  menpad
Source RPM packages
Target RPM packages
Policy RPM            selinux-policy-3.14.3-56.fc30.noarch
SELinux enabled       True
Policy type           targeted
Enforcement mode      Enforcing
Host name             menpad
Platform              Linux menpad 5.4.7-100.fc30.x86_64 #1 SMP Wed Jan 1 01:37:52 UTC 2020 x86_64 x86_64
Alert count           12
First seen            2020-04-01 10:52:23 CEST
Last seen             2020-04-24 11:31:21 CEST
Local ID              4162ca18-d5f8-4e09-837f-c4f761e177a2
Petr, This bug has been reported for F30, but with a fresh version of bind which is not expected to be run there if I understand correctly. The reported denial is dontaudited in Fedora 32+. Does rndc require the setsched permission? Do you see any functional problem?
No, it seems to work just nice. I am not yet sure what calls are responsible for it. But it seems to work fine without it. It is just annoying when it is reported. Hiding such reports might be sufficient. I haven't noticed it would not work properly.
Petr, You can enable full auditing and disclose additional information with the following steps:
1) Open /etc/audit/rules.d/audit.rules file in an editor.
2) Remove following line if it exists:
   -a task,never
3) Add following line at the end of the file:
   -w /etc/shadow -p w
4) Restart the audit daemon:
   # service auditd restart
5) Re-run your scenario.
If you find any denial in F32+, please open a bugzilla. I will close this one if you agree.
This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Reopening the bug. It happens on each rndc stop when running bind 9.16. Raising severity, as it is now official build.

type=AVC msg=audit(01/26/2021 08:14:14.821:684) : avc: denied { setsched } for pid=4125 comm=isc-worker0000 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=process permissive=0

Because bind 9.16 is finally part of official rawhide, it should be solved. I am not sure which part is responsible in rndc, yet it is 100% reliable.

Steps to reproduce:
- dnf install bind
- systemctl start named
- rndc stop
Petre, Apart from the denials, do you also see some problem with the service or with how the rndc command works? Note: we are dontauditing setsched for daemons, but ndc_t is not in the daemon attribute.
Merged to Rawhide:

commit 2beb4394104c908f4e577930d6d8c17d34ea1060 (HEAD -> rawhide, upstream/rawhide, upstream-rw/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 3 12:01:30 2021 +0100

    Dontaudit setsched for rndc

    When rndc command is used to stop the named service, rndc calls
    isc_thread_setaffinity(), but its return value is ignored.
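The denials quoted in the description and in the reopening comment, and the dontaudit fix in the merged commit, as an added example that is not code from this bug or from the selinux-policy project: a small Python parser that reduces AVC records to (source type, target type, class, permission) tuples and renders a local policy module in the form audit2allow emits, with dontaudit instead of allow. The sample AVC lines are copied from this bug; the module name local_rndc_setsched is a made-up placeholder.

```python
import re

# Two AVC records constructed from the denials quoted in this bug (comments 1 and 7).
SAMPLE_AVCS = [
    "type=AVC msg=audit(04/24/2020 11:31:21.055:40157) : avc: denied { setsched } for pid=23338 "
    "comm=rndc scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=process permissive=0",
    "type=AVC msg=audit(01/26/2021 08:14:14.821:684) : avc: denied { setsched } for pid=4125 "
    "comm=isc-worker0000 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:ndc_t:s0 tclass=process permissive=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<sctx>\S+)"
                    r"\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Return (source type, target type, class, [perms]) for one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), m.group("perms").split()

def collect_denials(lines):
    """Unique (source, target, class, perm) tuples in first-seen order; non-AVC lines are skipped."""
    seen = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        for perm in perms:
            key = (stype, ttype, tclass, perm)
            if key not in seen:
                seen.append(key)
    return seen

def render_module(name, denials):
    """Render a .te module in the shape audit2allow emits, using dontaudit instead of allow."""
    types = sorted({s for s, _, _, _ in denials} | {t for _, t, _, _ in denials})
    classes = {}
    for _, _, cls, perm in denials:
        classes.setdefault(cls, set()).add(perm)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for s, t, cls, perm in denials:
        target = "self" if t == s else t             # same type on both sides -> self
        out.append(f"dontaudit {s} {target}:{cls} {perm};")
    return "\n".join(out) + "\n"
```

The rendered text is what you would feed to checkmodule -M -m and semodule_package before installing it with semodule -i, as a local workaround until the policy update lands.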
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.