Bug 186258 - start of caching name server triggers selinux errors
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Blocks: 181409
Reported: 2006-03-22 11:13 EST by Peter Bieringer
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2006-0373
Doc Type: Bug Fix
Last Closed: 2006-08-10 17:20:23 EDT
Description Peter Bieringer 2006-03-22 11:13:14 EST
Description of problem:
After the upgrade to RHEL4U3 (from RHEL3U6), unexpected SELinux messages appear
(the system was relabeled after the upgrade).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.126
bind-9.2.4-2
caching-nameserver-7.3-3




How reproducible:
every time after
# service named restart


Steps to Reproduce:
1. install named as caching nameserver
2. start named
  
Actual results:


Mar 22 17:16:10 host audit(1143044170.693:8): avc:  denied  { read } for 
pid=4647 comm="named" name="cert.pem" dev=md1 ino=224719
scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Mar 22 17:16:10 host audit(1143044170.710:9): avc:  denied  { read } for 
pid=4647 comm="named" name="urandom" dev=tmpfs ino=431
scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
Mar 22 17:16:10 host named[4648]: starting BIND 9.2.4 -u named
Mar 22 17:16:10 host named[4648]: using 1 CPU
Mar 22 17:16:10 host named: named startup succeeded
Mar 22 17:16:10 host named[4648]: loading configuration from '/etc/named.conf'
Mar 22 17:16:10 host named[4648]: listening on IPv6 interfaces, port 53
Mar 22 17:16:10 host named[4648]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 22 17:16:10 host named[4648]: binding TCP socket: address in use
Mar 22 17:16:10 host named[4648]: listening on IPv4 interface eth0, 192.0.2.1#53
Mar 22 17:16:10 host named[4648]: binding TCP socket: address in use
Mar 22 17:16:10 host named[4648]: command channel listening on 127.0.0.1#953
Mar 22 17:16:10 host named[4648]: zone 0.in-addr.arpa/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone 0.0.127.in-addr.arpa/IN: loaded serial
1997022700
Mar 22 17:16:10 host named[4648]: zone 255.in-addr.arpa/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 1997022700
Mar 22 17:16:10 host named[4648]: zone localdomain/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone localhost/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: running


Expected results:

No such selinux messages

Additional info:

SELinux runs in enforcing mode; it looks like these deny messages don't cause any
trouble for named.

# rpm -V caching-nameserver
S.5....T. c /etc/named.conf

--- named.conf  11 Mar 2005 14:55:10 -0000      1.1
+++ named.conf  7 Mar 2006 16:09:49 -0000       1.6
@@ -14,6 +14,29 @@
         * port by default.
         */
         // query-source address * port 53;
+
+       // listen-on { 127.0.0.1; };
+       listen-on-v6 { any; };
+
+       allow-query {
+               127.0.0.1;
+               192.0.2.0/24;
+               2001:db8::/48;
+               ::1;
+       };
+
+       query-source-v6 address 2001:db8::1;
+};
+
+// custom logging
+logging {
+       channel "default_syslog" {
+               syslog daemon;
+               severity info;
+       };
+
+       category "lame-servers" { "null"; };
+       category "default" { "default_syslog"; };
 };

 //
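Review bot: the IPv4 `listen-on` stays commented out while `listen-on-v6 { any; };` is added, so named binds port 53 on every interface and `allow-query` is the only thing limiting who can use the resolver; the startup log in this report shows it listening on eth0 and then reporting "binding TCP socket: address in use" for each IPv4 interface, which is likely the `any` IPv6 socket already holding the port. For a caching-only server, restrict both directives to the interfaces that should answer queries, e.g. `listen-on { 127.0.0.1; };` and `listen-on-v6 { ::1; };`, rather than relying on `allow-query` alone. Also, `category "lame-servers" { "null"; };` drops those messages entirely; a low-severity channel keeps them available if resolution problems ever need diagnosing.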



# rpm -V bind
S.5...... c /etc/rndc.key
 -> generated on install?!

# rpm -V selinux-policy-targeted
S.5....T. c /etc/selinux/targeted/booleans

# getsebool -a
allow_syslog_to_console --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
use_syslogng --> active
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
Comment 1 Russell Coker 2006-04-13 02:08:01 EDT
Is the included patch the only change to the BIND configuration?

I have run a default /etc/named.conf from a stock RHEL4U3 install with the 
patch from your bug report and I can't get named to give any AVC messages.

Please provide more information on the BIND configuration.
Comment 2 Peter Bieringer 2006-04-13 06:58:24 EDT
Yes, it's the only change, but named doesn't cause it.

A check shows me:

# /etc/rc.d/init.d/named restart -> message avc: denied appears

# service named restart -> message avc: denied appears

# /usr/sbin/named -u named -> nothing appears

# cp /etc/rc.d/init.d/named .
# ./named restart
 -> nothing appears

# cp /etc/rc.d/init.d/named /etc/rc.d/init.d/named.test
# /etc/rc.d/init.d/named.test restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
 -> nothing appears

# ls -Z /etc/rc.d/init.d/named*
-rwxr-xr-x  root     root     system_u:object_r:initrc_exec_t 
/etc/rc.d/init.d/named
-rwxr-xr-x  root     root     root:object_r:etc_t             
/etc/rc.d/init.d/named.test

# chcon system_u:object_r:initrc_exec_t ./named
# ./named restart
Stopping named:                                            [  OK  ]
Starting named:   
 -> message avc: denied appears


# echo "/usr/sbin/named -u named" >named.simple
# chmod 755 named.simple
# chcon system_u:object_r:initrc_exec_t named.simple
# ./named.simple
 -> nothing appears

# cat <<END >named.simple2
#!/bin/bash
/usr/sbin/named -u named
END
# chmod 755 named.simple2
# chcon system_u:object_r:initrc_exec_t named.simple2
# ./named.simple2
 -> message avc: denied appears


# ls -Z /bin/bash
-rwxr-xr-x  root     root     system_u:object_r:shell_exec_t   /bin/bash

# rpm -V bash
(nothing appears)


# ls -Z /etc/rndc.key
-rw-r-----  root     named    system_u:object_r:dnssec_t       /etc/rndc.key

ok

BTW: here the log from a restart:
Apr 13 12:27:33 host named[30644]: exiting
Apr 13 12:27:35 host audit(1144924055.279:44): avc:  denied  { read } for 
pid=30921 comm="named" name="cert.pem" dev=md1 ino=224719
scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Apr 13 12:27:35 host audit(1144924055.296:45): avc:  denied  { read } for 
pid=30921 comm="named" name="urandom" dev=tmpfs ino=431
scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
Apr 13 12:27:35 host named[30922]: starting BIND 9.2.4 -u named


So, now I used strace and finally found who wants to open the denied files.

It's caused by LDAP library. If I disable "ssl on" in /etc/ldap.conf, messages
disappear.

Strace shows me:
[pid 31229] open("/usr/share/ssl/cert.pem", O_RDONLY) = -1 EACCES (Permission
denied)
[pid 31229] open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES
(Permission denied)
[pid 31229] open("/dev/random", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 5


BTW: it looks like the policy is not proper; "urandom_device_t" is missing:

# ls -Z /dev/*random
crw-rw-rw-  root     root     system_u:object_r:random_device_t /dev/random
cr--r--r--  root     root     system_u:object_r:urandom_device_t /dev/urandom

Any hints where to look now? Or is this enough information to extend the policy?
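The AVC records in this comment and in the description share one shape. As an added example (not part of the bug report, BIND, or the SELinux tools), this Python script re-joins records that Bugzilla wrapped across lines, extracts the source domain, target type, class and permission, and collapses the denials into audit2allow-style rules for review. The sample log is constructed from the records quoted in this report.

```python
import re

# Constructed sample, copied from the bug report: the two records are wrapped
# across lines exactly as Bugzilla shows them, plus one non-AVC line to skip.
SAMPLE_LOG = """\
Mar 22 17:16:10 host audit(1143044170.693:8): avc:  denied  { read } for
pid=4647 comm="named" name="cert.pem" dev=md1 ino=224719
scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Mar 22 17:16:10 host audit(1143044170.710:9): avc:  denied  { read } for
pid=4647 comm="named" name="urandom" dev=tmpfs ino=431
scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t
tclass=chr_file
Mar 22 17:16:10 host named[4648]: starting BIND 9.2.4 -u named
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)"(?:.*?name="(?P<name>[^"]*)")?.*?'
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def join_wrapped(text):
    """Re-join records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(text):
    """One dict per AVC record; the type is the third field of a user:role:type context."""
    out = []
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if m:                       # anything else is an ordinary syslog line
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            d["sdomain"] = d.pop("scon").split(":")[2]
            d["ttype"] = d.pop("tcon").split(":")[2]
            out.append(d)
    return out

def allow_rules(records):
    """Collapse denials into audit2allow-style rules, one per (domain, type, class)."""
    perms = {}
    for r in records:
        if r["result"] == "denied":
            perms.setdefault((r["sdomain"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]
```

The generated rules describe what was denied, not what should be permitted: as this thread shows, the access came from the LDAP library's "ssl on" path inside named_t, and the resolution was an updated policy package rather than a local allow rule.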
Comment 3 Russell Coker 2006-04-13 08:24:29 EDT
This is a lot more complex than it seems.

This sort of nss-LDAP issue really requires changes to much more than named 
policy if we follow that path.  Changes that are too significant to go into a 
RHEL update except for the most serious bug.

I presume that you are not running nscd.  What happens if you run nscd?  Does 
restarting named when nscd is running give any AVC messages?  If so then I 
think we will have to define the work-around to this RHEL4 problem to be that 
you must run nscd when using nss-LDAP.

If however you get these AVC messages while running nscd then please let me 
know and I'll investigate this further.
Comment 4 Peter Bieringer 2006-04-13 09:26:23 EDT
nscd is running on this system, but a short test shows that the same messages
also appear if nscd is not running.
Comment 5 Russell Coker 2006-04-16 02:55:54 EDT
For which services is LDAP consulted?

Could you please give me the output of "grep -v ^# /etc/nsswitch.conf | grep 
ldap"?
Comment 6 Peter Bieringer 2006-04-16 04:12:28 EDT
LDAP is only used to store system accounts and groups.

# grep -v ^# /etc/nsswitch.conf |grep ldap
passwd:     files ldap
shadow:     files ldap
group:      files ldap
Comment 8 Daniel Walsh 2006-05-25 09:12:59 EDT
Fixed in  selinux-policy-targeted-1.17.30-2.136
Comment 14 Red Hat Bugzilla 2006-08-10 17:20:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0373.html
Comment 15 Peter Bieringer 2006-09-14 08:53:19 EDT
Confirmed.
Comment 16 Vilela 2006-09-16 03:38:20 EDT
As I said on #178692 (with less information here for the sake of simplicity):

Running the following script through Apache, called teste.sh:

#!/bin/sh
cat << EOF
Content-type: text/html;

hello<br>
EOF

... results in the following errors:

avc:  denied  { read } for  pid=11137 comm="suexec" name="cert.pem" dev=dm-0
ino=520401 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file

This seems to be the same error reported here in #186258.

My booleans:

httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

kernel-2.6.9-42.0.2.EL
selinux-policy-targeted-1.17.30-2.140
