Description of problem:
After upgrade to RHEL4U3 (from RHEL3U6) unexpected selinux messages appear (system was relabeled after upgrade).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.126
bind-9.2.4-2
caching-nameserver-7.3-3

How reproducible:
every time after # service named restart

Steps to Reproduce:
1. install named as caching nameserver
2. start named

Actual results:
Mar 22 17:16:10 host audit(1143044170.693:8): avc: denied { read } for pid=4647 comm="named" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Mar 22 17:16:10 host audit(1143044170.710:9): avc: denied { read } for pid=4647 comm="named" name="urandom" dev=tmpfs ino=431 scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Mar 22 17:16:10 host named[4648]: starting BIND 9.2.4 -u named
Mar 22 17:16:10 host named[4648]: using 1 CPU
Mar 22 17:16:10 host named: named startup succeeded
Mar 22 17:16:10 host named[4648]: loading configuration from '/etc/named.conf'
Mar 22 17:16:10 host named[4648]: listening on IPv6 interfaces, port 53
Mar 22 17:16:10 host named[4648]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 22 17:16:10 host named[4648]: binding TCP socket: address in use
Mar 22 17:16:10 host named[4648]: listening on IPv4 interface eth0, 192.0.2.1#53
Mar 22 17:16:10 host named[4648]: binding TCP socket: address in use
Mar 22 17:16:10 host named[4648]: command channel listening on 127.0.0.1#953
Mar 22 17:16:10 host named[4648]: zone 0.in-addr.arpa/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Mar 22 17:16:10 host named[4648]: zone 255.in-addr.arpa/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
Mar 22 17:16:10 host named[4648]: zone localdomain/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: zone localhost/IN: loaded serial 42
Mar 22 17:16:10 host named[4648]: running

Expected results:
No such selinux messages

Additional info:
selinux runs in enforcing mode; looks like these deny messages don't cause any trouble to named.

# rpm -V caching-nameserver
S.5....T. c /etc/named.conf

--- named.conf 11 Mar 2005 14:55:10 -0000 1.1
+++ named.conf 7 Mar 2006 16:09:49 -0000 1.6
@@ -14,6 +14,29 @@
  * port by default.
  */
 // query-source address * port 53;
+
+ // listen-on { 127.0.0.1; };
+ listen-on-v6 { any; };
+
+ allow-query {
+ 127.0.0.1;
+ 192.0.2.0/24;
+ 2001:db8::/48;
+ ::1;
+ };
+
+ query-source-v6 address 2001:db8::1;
+};
+
+// custom logging
+logging {
+ channel "default_syslog" {
+ syslog daemon;
+ severity info;
+ };
+
+ category "lame-servers" { "null"; };
+ category "default" { "default_syslog"; };
 };
 //

# rpm -V bind
S.5...... c /etc/rndc.key -> generated on install?!

# rpm -V selinux-policy-targeted
S.5....T. c /etc/selinux/targeted/booleans

# getsebool -a
allow_syslog_to_console --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
use_syslogng --> active
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
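Review bot: the hunk leaves "// listen-on { 127.0.0.1; };" commented out while adding "listen-on-v6 { any; };", so IPv4 keeps BIND's default of binding every interface (the log above shows eth0, 192.0.2.1#53 being bound) and IPv6 is explicitly opened on all addresses; for a caching-only server intended for local use, uncomment the listen-on line, or add a comment stating that the wider exposure is deliberate, since the added allow-query ACL (127.0.0.1, 192.0.2.0/24, 2001:db8::/48, ::1) is then the only control on who can reach port 53. Also note that the added "+};" closes the options block and the original "};" context line now closes the new logging block, so the brace pairing only reads correctly with the context lines present; a one-line comment before "+// custom logging" would make that obvious to the next editor.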
Is the included patch the only change to the BIND configuration? I have run a default /etc/named.conf from a stock RHEL4U3 install with the patch from your bug report and I can't get named to give any AVC messages. Please provide more information on the BIND configuration.
Yes, it's the only change, but named doesn't cause it. A check shows me:

# /etc/rc.d/init.d/named restart
-> message avc: denied appears
# service named restart
-> message avc: denied appears
# /usr/sbin/named -u named
-> nothing appears
# cp /etc/rc.d/init.d/named .
# ./named restart
-> nothing appears
# cp /etc/rc.d/init.d/named /etc/rc.d/init.d/named.test
# /etc/rc.d/init.d/named.test restart
Stopping named: [ OK ]
Starting named: [ OK ]
-> nothing appears
# ls -Z /etc/rc.d/init.d/named*
-rwxr-xr-x root root system_u:object_r:initrc_exec_t /etc/rc.d/init.d/named
-rwxr-xr-x root root root:object_r:etc_t /etc/rc.d/init.d/named.test
# chcon system_u:object_r:initrc_exec_t ./named
# ./named restart
Stopping named: [ OK ]
Starting named:
-> message avc: denied appears
# echo "/usr/sbin/named -u named" >named.simple
# chmod 755 named.simple
# chcon system_u:object_r:initrc_exec_t named.simple
# ./named.simple
-> nothing appears
# cat <<END >named.simple2
#!/bin/bash
/usr/sbin/named -u named
END
# chmod 755 named.simple2
# chcon system_u:object_r:initrc_exec_t named.simple2
# ./named.simple2
-> message avc: denied appears
# ls -Z /bin/bash
-rwxr-xr-x root root system_u:object_r:shell_exec_t /bin/bash
# rpm -V bash
(nothing appears)
# ls -Z /etc/rndc.key
-rw-r----- root named system_u:object_r:dnssec_t /etc/rndc.key
ok

BTW: here is the log from a restart:
Apr 13 12:27:33 host named[30644]: exiting
Apr 13 12:27:35 host audit(1144924055.279:44): avc: denied { read } for pid=30921 comm="named" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Apr 13 12:27:35 host audit(1144924055.296:45): avc: denied { read } for pid=30921 comm="named" name="urandom" dev=tmpfs ino=431 scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Apr 13 12:27:35 host named[30922]: starting BIND 9.2.4 -u named

So, now I used strace and finally found who wants to open the denied files.
It's caused by the LDAP library. If I disable "ssl on" in /etc/ldap.conf, the messages disappear. Strace shows me:
[pid 31229] open("/usr/share/ssl/cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
[pid 31229] open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
[pid 31229] open("/dev/random", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 5

BTW: looks like the policy is not proper, missing "urandom_device_t":
# ls -Z /dev/*random
crw-rw-rw- root root system_u:object_r:random_device_t /dev/random
cr--r--r-- root root system_u:object_r:urandom_device_t /dev/urandom

Any hints where to look now? Or is this enough information to extend the policy?
This is a lot more complex than it seems. This sort of nss-LDAP issue really requires changes to much more than named policy if we follow that path. Changes that are too significant to go into a RHEL update except for the most serious bug. I presume that you are not running nscd. What happens if you run nscd? Does restarting named when nscd is running give any AVC messages? If so then I think we will have to define the work-around to this RHEL4 problem to be that you must run nscd when using nss-LDAP. If however you get these AVC messages while running nscd then please let me know and I'll investigate this further.
nscd is running on this system, but a short test shows that the same messages also appear if nscd is not running.
For which services is LDAP consulted? Could you please give me the output of "grep -v ^# /etc/nsswitch.conf | grep ldap"?
LDAP is only used to store system accounts and groups.
# grep -v ^# /etc/nsswitch.conf |grep ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Fixed in selinux-policy-targeted-1.17.30-2.136
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0373.html
Confirmed.
As I said on #178692 (with less information here for the sake of simplicity):

Running the following script through Apache, called teste.sh:
#!/bin/sh
cat << EOF
Content-type: text/html;

hello<br>
EOF

... results in the following errors:
avc: denied { read } for pid=11137 comm="suexec" name="cert.pem" dev=dm-0 ino=520401 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file

This seems to be the same error reported here in #186258.

My booleans:
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

kernel-2.6.9-42.0.2.EL
selinux-policy-targeted-1.17.30-2.140
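The AVC lines in this thread (the named denials in the original report and the strace follow-up, and the suexec denial in this last comment) all have the same shape: a source domain asking for a permission on a target type and object class, and the diagnosis in both cases came from reading that triple off the message. The following Python is an added example, not from this bug report or from Red Hat's tooling, that parses RHEL4-era kernel audit lines of that format into the triple and counts them, which is how one triages a batch of denials before deciding whether they are a policy gap (as here, where nss_ldap with "ssl on" makes every named_t and httpd_suexec_t process touch cert.pem and urandom) or a mislabelled file. The sample lines are constructed from the messages quoted in this thread; allow_rule renders what an audit2allow-style rule for a triple would look like, purely so the reader can see the mapping from denial to policy statement.

```python
import re
from collections import Counter

# Constructed sample, modelled on the RHEL4-era audit lines quoted in this bug
# (kernel printk format, before auditd added the "type=AVC" prefix).
SAMPLE_LOG = """\
Mar 22 17:16:10 host audit(1143044170.693:8): avc: denied { read } for pid=4647 comm="named" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Mar 22 17:16:10 host audit(1143044170.710:9): avc: denied { read } for pid=4647 comm="named" name="urandom" dev=tmpfs ino=431 scontext=root:system_r:named_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
Mar 22 17:16:10 host named[4648]: starting BIND 9.2.4 -u named
Apr 13 12:27:35 host audit(1144924055.279:44): avc: denied { read } for pid=30921 comm="named" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:named_t tcontext=system_u:object_r:usr_t tclass=lnk_file
avc: denied { read } for pid=11137 comm="suexec" name="cert.pem" dev=dm-0 ino=520401 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file
"""

# "avc: denied { read write } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one log line; return a dict for AVC lines, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated line: the triple cannot be recovered
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "sdomain": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(text):
    """Count denials per (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def allow_rule(key):
    """Render the allow rule that would silence one summarized triple (what an
    audit2allow-style tool would propose). Whether that is the right fix is a
    policy decision; in this bug the fix shipped in an updated policy package."""
    sdomain, ttype, tclass, perm = key
    return "allow %s %s:%s %s;" % (sdomain, ttype, tclass, perm)


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print("%3d  %-45s  %s" % (n, " ".join(key), allow_rule(key)))
```

Run it as a script to get one line per distinct triple with its count; feeding it a real /var/log/messages from a RHEL4 host works the same way, since non-AVC lines are skipped. The source domain is taken from the type field of scontext rather than the whole context on purpose: the user and role parts (root vs system_u, as seen in the ls -Z output earlier in this thread) vary with how the daemon was started, while policy rules are written against the type.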