Bug 190291 - Accesses to dnssec_t symlinks are not allowed by SELinux
Summary: Accesses to dnssec_t symlinks are not allowed by SELinux
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2006-04-30 14:43 UTC by Suzuki Takashi
Modified: 2008-01-30 19:05 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-30 19:05:24 UTC

Attachments
Patch allowing dhcpd and rndc to read dnssec_t symlinks (2.36 KB, patch)
2006-05-02 14:06 UTC, Suzuki Takashi

Description Suzuki Takashi 2006-04-30 14:43:08 UTC
Description of problem:
When BIND TSIG key files are symlinks,
dhcpd and rndc cannot read the key files.
Their accesses are denied by SELinux policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install bind, bind-chroot and dhcp packages.
2. Make a symlink /etc/rndc.key -> /var/named/chroot/etc/rndc.key.
3. chcon -h system_u:object_r:dnssec_t /etc/rndc.key
4. Setup BIND and DHCP Server to do dynamic updates.
5. Make a symlink /etc/dhcpd.key -> /var/named/chroot/etc/dhcpd.key.
/etc/dhcpd.key is for the dhcpd's dynamic updates.
6. chcon -h system_u:object_r:dnssec_t /etc/dhcpd.key
7. /sbin/service named start
8. /sbin/service dhcpd start
9. /sbin/service named stop

Actual results:
`/sbin/service dhcpd start' and `/sbin/service named stop' fail.

Expected results:
Both `/sbin/service dhcpd start' and `/sbin/service named stop' succeed.

Additional info:
By selinux-policy-targeted-1.17.30-2.126,
only accesses to regular files of dnssec_t are allowed for dhcpd and rndc:

allow { ndc_t named_t } dnssec_t:file { getattr read };

allow dhcpd_t dnssec_t:file { getattr read };

Comment 1 Suzuki Takashi 2006-05-02 14:06:02 UTC
Created attachment 128485 [details]
Patch allowing dhcpd and rndc to read dnssec_t symlinks

I made a custom RPM with this patch.
It works fine with bind-chroot.

Comment 2 Daniel Walsh 2006-05-03 19:54:08 UTC
I think the package from RedHat does this via bind mounts instead of symlinks.

Comment 3 Suzuki Takashi 2006-05-04 03:36:22 UTC
bind-chroot-9.2.4-2 makes symlinks of rndc.key, named.custom and named.conf
with the safe_replace function in its post-install script.

bind-chroot-9.3.2-22.FC6 in rawhide seems to do similarly by its
bind-chroot-admin script.
It does bind mounts, but only for /proc and /var/run/dbus.

Comment 4 Daniel Walsh 2006-05-04 04:52:10 UTC
Ok but wouldn't the better solution be to allow ndc_t and dhcpd to etc_t:lnk_file?

In FC5 and Rawhide we have

allow { ndc_t named_t } etc_t:lnk_file r_file_perms;

Comment 5 Suzuki Takashi 2006-05-04 10:28:09 UTC
/etc/rndc.key (and /etc/dhcpd.key) symlinks are labeled etc_t
against the current file_contexts.

You mean,
when rndc or dhcpd tries to access /etc/rndc.key or /etc/dhcpd.key,
access to the symlink itself is audited by etc_t and
then to the link target by dnssec_t?

It will be ok, but I feel slightly odd.
Isn't it better to give the same labels to a file and a symlink
of the same path but also of the same use?

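The two labeling approaches discussed above (the reporter's patch granting dnssec_t:lnk_file, versus keeping the symlinks etc_t and granting etc_t:lnk_file) can be compared with a small model of the access checks a symlink traversal triggers. This is an added example, not code from the bug report or from selinux-policy; the rule sets and the simplified path walk (lnk_file:read on the symlink's label, then file:{getattr read} on the target's label, directory search omitted) are constructed here.

```python
# Added example (not from the bug report): a toy model of how SELinux checks
# a domain reading a key file through a symlink. The rule sets below are
# constructed from the allow rules quoted in this thread.
from typing import Dict, FrozenSet, List, Tuple

# (source_type, target_type, object_class) -> granted permissions
Rules = Dict[Tuple[str, str, str], FrozenSet[str]]
DOMAINS = ("ndc_t", "named_t", "dhcpd_t")

def allow(rules: Rules, src: str, tgt: str, cls: str, perms) -> None:
    key = (src, tgt, cls)
    rules[key] = rules.get(key, frozenset()) | frozenset(perms)

def check(rules: Rules, src: str, tgt: str, cls: str, perm: str) -> bool:
    return perm in rules.get((src, tgt, cls), frozenset())

def read_through_symlink(rules: Rules, domain: str,
                         link_type: str, target_type: str) -> List[str]:
    """Return the denials when `domain` opens a file via a symlink.
    Simplified: following the link needs lnk_file:read on the symlink's own
    label, then the open needs file:{getattr read} on the target's label
    (the real kernel also checks dir:search on each path component)."""
    denials = []
    if not check(rules, domain, link_type, "lnk_file", "read"):
        denials.append(f"{domain} {link_type}:lnk_file read")
    for perm in ("getattr", "read"):
        if not check(rules, domain, target_type, "file", perm):
            denials.append(f"{domain} {target_type}:file {perm}")
    return denials

def policy_2_126() -> Rules:
    """Rules quoted in the report: regular dnssec_t files only."""
    r: Rules = {}
    for d in DOMAINS:
        allow(r, d, "dnssec_t", "file", ("getattr", "read"))
    return r

def policy_patched() -> Rules:
    """Reporter's approach: symlinks relabeled dnssec_t, lnk_file added."""
    r = policy_2_126()
    for d in DOMAINS:
        allow(r, d, "dnssec_t", "lnk_file", ("getattr", "read"))
    return r

def policy_etc_lnk() -> Rules:
    """Maintainer's alternative: symlinks stay etc_t, grant etc_t:lnk_file."""
    r = policy_2_126()
    for d in DOMAINS:
        allow(r, d, "etc_t", "lnk_file", ("getattr", "read"))
    return r
```

With the etc_t alternative, a symlink that has been relabeled dnssec_t (as in the reproduction steps) is still denied, which is the mismatch the reporter points out.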
Comment 8 Daniel Walsh 2006-05-09 16:36:50 UTC
Fixed in selinux-policy-targeted-1.17.30-2.134

Comment 9 Suzuki Takashi 2006-05-11 12:09:30 UTC
Could you upload the binary or source RPM somewhere so that I can test with it?

Comment 10 Daniel Walsh 2006-05-11 14:16:02 UTC

Has it.

Comment 11 Roger Blofeld 2006-08-02 21:59:45 UTC
This problem is also present in FC5 using selinux-policy-targeted-2.3.3-8.fc5.

The file policy/modules/services/bind.te contains (for example):

allow ndc_t dnssec_t:file { getattr read };

instead of the patched version:

allow ndc_t dnssec_t:{ file lnk_file } { getattr read };

which causes denials reading rndc.key when starting named.

BTW, is the serefpolicy-2.3.3.tgz archive in the SRPM supposed to contain all of
the .svn directories?

Comment 12 Daniel Walsh 2008-01-30 19:05:24 UTC
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
