Bug 1852378
| Summary: | Daemons cannot send DBus messages to systemd-resolved | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.2 | CC: | fperalta, fschwarz, lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.3 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:56:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Following rule should be safe:

```
systemd_dbus_chat_resolved(nsswitch_domain)
```

rhsmcertd_t is not part of nsswitch_domain and requires this also. So maybe in the end we should have this instead:

```
systemd_dbus_chat_resolved(domain)
```

?

```
# grep resolve /etc/nsswitch.conf
hosts:      resolve sss files dns myhostname
# semanage permissive -l

Builtin Permissive Types

Customized Permissive Types

systemd_resolved_t
```

After rebooting my RHEL-8.3 VM I got this:

```
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today | audit2allow
The disp_qos option is deprecated - line 15
The dispatcher option is deprecated - line 16

#============= chronyd_t ==============
allow chronyd_t systemd_resolved_t:dbus send_msg;

#============= cockpit_ws_t ==============
allow cockpit_ws_t systemd_resolved_t:dbus send_msg;

#============= cyrus_t ==============
allow cyrus_t systemd_resolved_t:dbus send_msg;

#============= dovecot_t ==============
allow dovecot_t systemd_resolved_t:dbus send_msg;

#============= httpd_t ==============
allow httpd_t systemd_resolved_t:dbus send_msg;

#============= keepalived_t ==============
allow keepalived_t systemd_resolved_t:dbus send_msg;

#============= kpropd_t ==============
allow kpropd_t systemd_resolved_t:dbus send_msg;

#============= lldpad_t ==============
allow lldpad_t systemd_resolved_t:dbus send_msg;

#============= mailman_mail_t ==============
allow mailman_mail_t systemd_resolved_t:dbus send_msg;

#============= nslcd_t ==============
allow nslcd_t systemd_resolved_t:dbus send_msg;

#============= pegasus_t ==============
allow pegasus_t systemd_resolved_t:dbus send_msg;

#============= postfix_master_t ==============
allow postfix_master_t systemd_resolved_t:dbus send_msg;

#============= postfix_pickup_t ==============
allow postfix_pickup_t systemd_resolved_t:dbus send_msg;

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t systemd_resolved_t:dbus send_msg;

#============= postgresql_t ==============
allow postgresql_t systemd_resolved_t:dbus send_msg;

#============= setroubleshootd_t ==============
allow setroubleshootd_t systemd_resolved_t:dbus send_msg;

#============= slapd_t ==============
allow slapd_t systemd_resolved_t:dbus send_msg;

#============= slpd_t ==============
allow slpd_t systemd_resolved_t:dbus send_msg;

#============= snmpd_t ==============
allow snmpd_t systemd_resolved_t:dbus send_msg;

#============= spamc_t ==============
allow spamc_t systemd_resolved_t:dbus send_msg;

#============= spamd_t ==============
allow spamd_t systemd_resolved_t:dbus send_msg;

#============= squid_t ==============
allow squid_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t cluster_t:dbus send_msg;

#============= systemd_timedated_t ==============
allow systemd_timedated_t systemd_resolved_t:dbus send_msg;

#============= vhostmd_t ==============
allow vhostmd_t systemd_resolved_t:dbus send_msg;
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

*** Bug 1867577 has been marked as a duplicate of this bug. ***
Description of problem:

When systemd-resolved is used to resolve hostnames, daemons such as sshd, rsyslogd, etc. communicate with systemd-resolved using DBus. Currently this communication is not allowed by SELinux (back and forth).

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-41.el8_2.4.noarch

How reproducible:

Always

Steps to Reproduce:

1. Configure /etc/nsswitch.conf to use systemd-resolved (add "resolve" entry):

```
hosts: files resolve dns myhostname
```

2. Configure a service to use DNS.

Example with rsyslogd, /etc/rsyslog.conf:

```
action(type="omfwd"
       queue.filename="fwdRule1"       # unique name prefix for spool files
       queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
       queue.saveonshutdown="on"       # save messages to disk on shutdown
       queue.type="LinkedList"         # run asynchronously
       action.resumeRetryCount="-1"    # infinite retries if host is down
       Target="remote_host" Port="514" Protocol="tcp")
```

```
# systemctl restart rsyslog
```

Example with sshd, /etc/ssh/sshd_config:

```
UseDNS yes
```

```
# systemctl restart sshd
```

3. Check the USER_AVCs:

```
# ausearch -m avc,user_avc -ts recent | audit2allow
```

Actual results:

```
#============= sshd_t ==============
allow sshd_t systemd_resolved_t:dbus send_msg;

#============= syslogd_t ==============
allow syslogd_t systemd_resolved_t:dbus send_msg;

#============= systemd_resolved_t ==============
allow systemd_resolved_t rpm_t:dbus send_msg;
allow systemd_resolved_t sshd_t:dbus send_msg;
```

Expected results:

No AVC

Additional info:

This affects every confined domain performing a gethostby*, including rpm_script_t, rpm_t, etc. The policy must be loosened to allow all this.
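As an added example (not code from the bug report or from selinux-policy): a small Python parser for the USER_AVC records that step 3 collects with ausearch. It folds the dbus send_msg denials into audit2allow-style rules, flags the ones recorded while systemd_resolved_t was permissive (logged but not enforced, as in the QA comment above), and reports which peer domains fall outside a supplied nsswitch_domain member set, which is the question behind the nsswitch_domain-vs-domain comment. The audit lines and the member set are constructed; on a real host the set would come from something like `seinfo -a nsswitch_domain -x`.

```python
import re

# Constructed sample ausearch output (not from the bug report): two sshd_t <->
# systemd_resolved_t denials, one recorded while systemd_resolved_t was
# permissive, one from rhsmcertd_t, and one non-dbus AVC that must be ignored.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1593500000.100:201): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1593500000.101:202): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1593500000.102:203): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:systemd_resolved_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1593500000.103:204): avc:  denied  { read } for  pid=900 comm="sshd" name="hosts" dev="dm-0" ino=123 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<perm>[01]))?"
)

def seltype(ctx):
    """Type field of a user:role:type[:range] context, e.g. 'sshd_t'."""
    return ctx.split(":")[2]

def parse_dbus_denials(audit_text):
    """Map (source_type, target_type) -> {'perms': set, 'permissive': bool}
    for every dbus-class denial; repeated lookups collapse into one entry."""
    rules = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "dbus":
            continue
        key = (seltype(m.group("sctx")), seltype(m.group("tctx")))
        entry = rules.setdefault(key, {"perms": set(), "permissive": False})
        entry["perms"].update(m.group("perms").split())
        entry["permissive"] |= m.group("perm") == "1"  # logged, not enforced
    return rules

def as_allow_rules(rules):
    """Render audit2allow-style lines: 'allow sshd_t systemd_resolved_t:dbus send_msg;'."""
    return [f"allow {s} {t}:dbus {' '.join(sorted(v['perms']))};"
            for (s, t), v in sorted(rules.items())]

def coverage(rules, nsswitch_types, resolved="systemd_resolved_t"):
    """Split the peers of systemd_resolved_t (either direction, since a
    dbus_chat interface is assumed to grant both) into those inside the
    supplied nsswitch_domain member set and those that would still be denied."""
    covered, uncovered = set(), set()
    for s, t in rules:
        peer = t if s == resolved else s if t == resolved else None
        if peer is not None:
            (covered if peer in nsswitch_types else uncovered).add(peer)
    return sorted(covered), sorted(uncovered)
```

Feed it `ausearch -m avc,user_avc -ts recent` output instead of SAMPLE_AUDIT to see which domains a `systemd_dbus_chat_resolved(nsswitch_domain)` rule would leave uncovered on a given host.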