Bug 190291 - Accesses to dnssec_t symlinks are not allowed by SELinux
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Depends On:
Reported: 2006-04-30 10:43 EDT by Suzuki Takashi
Modified: 2008-01-30 14:05 EST (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:24 EST

Attachments
Patch allowing dhcpd and rndc to read dnssec_t symlinks (2.36 KB, patch)
2006-05-02 10:06 EDT, Suzuki Takashi

Description Suzuki Takashi 2006-04-30 10:43:08 EDT
Description of problem:
When BIND TSIG key files are symlinks,
dhcpd and rndc cannot read the key files.
Their accesses are denied by SELinux policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install bind, bind-chroot and dhcp packages.
2. Make a symlink /etc/rndc.key -> /var/named/chroot/etc/rndc.key.
3. chcon -h system_u:object_r:dnssec_t /etc/rndc.key
4. Setup BIND and DHCP Server to do dynamic updates.
5. Make a symlink /etc/dhcpd.key -> /var/named/chroot/etc/dhcpd.key.
/etc/dhcpd.key is for the dhcpd's dynamic updates.
6. chcon -h system_u:object_r:dnssec_t /etc/dhcpd.key
7. /sbin/service named start
8. /sbin/service dhcpd start
9. /sbin/service named stop

Actual results:
`/sbin/service dhcpd start' and `/sbin/service named stop' fail.

Expected results:
Both `/sbin/service dhcpd start' and `/sbin/service named stop' succeed.

Additional info:
In selinux-policy-targeted-1.17.30-2.126,
only accesses to regular files of dnssec_t are allowed for dhcpd and rndc:

allow { ndc_t named_t } dnssec_t:file { getattr read };

allow dhcpd_t dnssec_t:file { getattr read };
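The two rules above grant access only on the file object class, while following a symlink is a separate check on the lnk_file class against the symlink's own label. The Python model below, an added example that is not code from the bug report or from selinux-policy, parses allow rules in the policy syntax quoted in this bug and walks a path hop by hop the way the kernel does, so the three policies discussed in the thread can be compared on the reporter's reproduction: the original rules, the reporter's patch that widens the class set to { file lnk_file }, and the alternative from comment 4 that leaves the symlink at its default etc_t label and grants etc_t:lnk_file instead. The filesystem labels, the r_file_perms member list, and the dhcpd_t etc_t:lnk_file rule in the alternative are assumptions made for the example; only the ndc_t/named_t rule is quoted in the thread.

```python
"""Model of the SELinux access decision behind this bug (added example).

Opening a regular file through a symlink is two separate decisions:
  1. lnk_file:read on the symlink's own label, needed to follow the link
  2. file:getattr and file:read on the label of the final target
The rules quoted in the report only grant (2) for dnssec_t, so a symlink
that has itself been relabeled dnssec_t with chcon -h fails at step (1).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[Set[str], Set[str], Set[str], Set[str]]   # src, tgt, class, perms
FsEntry = Tuple[str, Optional[str]]                     # (label, symlink target or None)

# Assumption: r_file_perms is a reference-policy macro whose exact member
# list varies by version; getattr and read are all this check needs.
MACROS: Dict[str, Set[str]] = {"r_file_perms": {"getattr", "read", "lock", "ioctl"}}

# One token is either a brace-delimited set or a bare identifier.
_TOK = r"(\{[^}]*\}|[^\s:{;]+)"
_RULE_RE = re.compile(r"allow\s+" + _TOK + r"\s+" + _TOK + r":" + _TOK + r"\s+" + _TOK + r"\s*;")


def _expand(token: str) -> Set[str]:
    names = token.strip("{}").split() if token.startswith("{") else [token]
    out: Set[str] = set()
    for n in names:
        out |= MACROS.get(n, {n})
    return out


def parse_policy(text: str) -> List[Rule]:
    """Parse 'allow src tgt:class perms;' statements; braces denote sets."""
    return [tuple(_expand(g) for g in m.groups()) for m in _RULE_RE.finditer(text)]


def allowed(rules: List[Rule], src: str, tgt: str, cls: str, perm: str) -> bool:
    return any(src in s and tgt in t and cls in c and perm in p for s, t, c, p in rules)


def can_read(rules: List[Rule], domain: str, path: str, fs: Dict[str, FsEntry]) -> Tuple[bool, str]:
    """Resolve path as the kernel does: every symlink hop is checked on its own label."""
    for _ in range(40):                                  # ELOOP guard
        label, target = fs[path]
        if target is None:                               # regular file: file perms on its label
            for perm in ("getattr", "read"):
                if not allowed(rules, domain, label, "file", perm):
                    return False, f"denied {{ {perm} }} {domain} -> {label}:file ({path})"
            return True, f"granted {domain} -> {path} ({label}:file)"
        if not allowed(rules, domain, label, "lnk_file", "read"):   # symlink: lnk_file read
            return False, f"denied {{ read }} {domain} -> {label}:lnk_file ({path})"
        path = target
    raise RuntimeError("too many levels of symbolic links")


# Rules quoted in the report (selinux-policy-targeted-1.17.30-2.126).
ORIGINAL = parse_policy("""
allow { ndc_t named_t } dnssec_t:file { getattr read };
allow dhcpd_t dnssec_t:file { getattr read };
""")

# The reporter's patch: widen the class set so the same rules cover symlinks.
PATCHED = parse_policy("""
allow { ndc_t named_t } dnssec_t:{ file lnk_file } { getattr read };
allow dhcpd_t dnssec_t:{ file lnk_file } { getattr read };
""")

# Comment 4's alternative: keep the symlink at etc_t and grant etc_t:lnk_file.
# Only the ndc_t/named_t rule is quoted; the dhcpd_t rule is an assumption.
ALTERNATIVE = parse_policy("""
allow { ndc_t named_t } dnssec_t:file { getattr read };
allow dhcpd_t dnssec_t:file { getattr read };
allow { ndc_t named_t } etc_t:lnk_file r_file_perms;
allow dhcpd_t etc_t:lnk_file r_file_perms;
""")

# Constructed filesystem: the real keys live in the bind chroot as dnssec_t.
CHROOT_KEYS: Dict[str, FsEntry] = {
    "/var/named/chroot/etc/rndc.key": ("dnssec_t", None),
    "/var/named/chroot/etc/dhcpd.key": ("dnssec_t", None),
}
# Steps 2-6 of the report: symlinks in /etc relabeled dnssec_t with chcon -h.
FS_RELABELED: Dict[str, FsEntry] = dict(CHROOT_KEYS, **{
    "/etc/rndc.key": ("dnssec_t", "/var/named/chroot/etc/rndc.key"),
    "/etc/dhcpd.key": ("dnssec_t", "/var/named/chroot/etc/dhcpd.key"),
})
# Same symlinks left at the etc_t label file_contexts gives them (comment 5).
FS_DEFAULT: Dict[str, FsEntry] = dict(CHROOT_KEYS, **{
    "/etc/rndc.key": ("etc_t", "/var/named/chroot/etc/rndc.key"),
    "/etc/dhcpd.key": ("etc_t", "/var/named/chroot/etc/dhcpd.key"),
})

SCENARIOS = {
    "original": (ORIGINAL, FS_RELABELED),
    "patched": (PATCHED, FS_RELABELED),
    "alternative": (ALTERNATIVE, FS_DEFAULT),
}
ACCESSES = (("dhcpd_t", "/etc/dhcpd.key"), ("ndc_t", "/etc/rndc.key"))


def run() -> Dict[Tuple[str, str], bool]:
    """Return {(scenario, domain): granted?} and print the reason for each."""
    results: Dict[Tuple[str, str], bool] = {}
    for name, (rules, fs) in SCENARIOS.items():
        for domain, path in ACCESSES:
            ok, why = can_read(rules, domain, path, fs)
            results[(name, domain)] = ok
            print(f"{name:12s} {why}")
    return results


if __name__ == "__main__":
    run()
```

Running it shows the original rules failing at the first hop with a lnk_file denial on dnssec_t, which is the class an audit log entry for this bug would name, while both fixes succeed. The model also makes the trade-off in comments 4 and 5 concrete: the patch keeps the symlink's label tied to the key's purpose, the alternative relies on the link staying at the etc_t label file_contexts assigns, so a later chcon -h or relabel changes which rule applies.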
Comment 1 Suzuki Takashi 2006-05-02 10:06:02 EDT
Created attachment 128485 [details]
Patch allowing dhcpd and rndc to read dnssec_t symlinks

I made a custom RPM with this patch.
It works fine with bind-chroot.
Comment 2 Daniel Walsh 2006-05-03 15:54:08 EDT
I think the package from RedHat does this via bind mounts instead of symlinks.
Comment 3 Suzuki Takashi 2006-05-03 23:36:22 EDT
bind-chroot-9.2.4-2 makes symlinks of rndc.key, named.custom and named.conf
via the safe_replace function in its post-install script.

bind-chroot-9.3.2-22.FC6 in rawhide seems to do similarly by its
bind-chroot-admin script.
It does bind mounts, but only for /proc and /var/run/dbus.
Comment 4 Daniel Walsh 2006-05-04 00:52:10 EDT
Ok, but wouldn't the better solution be to allow ndc_t and dhcpd to etc_t:lnk_file?

In FC5 and Rawhide we have

allow { ndc_t named_t } etc_t:lnk_file r_file_perms;
Comment 5 Suzuki Takashi 2006-05-04 06:28:09 EDT
/etc/rndc.key (and /etc/dhcpd.key) symlinks are labeled etc_t
according to the current file_contexts.

You mean,
when rndc or dhcpd tries to access /etc/rndc.key or /etc/dhcpd.key,
access to the symlink itself is checked against etc_t and
then access to the link target against dnssec_t?

It will be ok, but it feels slightly odd to me.
Isn't it better to give the same labels to a file and a symlink
of the same path but also of the same use?
Comment 8 Daniel Walsh 2006-05-09 12:36:50 EDT
Fixed in selinux-policy-targeted-1.17.30-2.134
Comment 9 Suzuki Takashi 2006-05-11 08:09:30 EDT
Could you upload the binary or source RPM somewhere so that I can test with it?
Comment 10 Daniel Walsh 2006-05-11 10:16:02 EDT

Has it.
Comment 11 Roger Blofeld 2006-08-02 17:59:45 EDT
This problem is also present in FC5 using selinux-policy-targeted-2.3.3-8.fc5.

The file policy/modules/services/bind.te contains (for example):

allow ndc_t dnssec_t:file { getattr read };

instead of the patched version:

allow ndc_t dnssec_t:{ file lnk_file } { getattr read };

which causes denials reading rndc.key when starting named.

BTW, is the serefpolicy-2.3.3.tgz archive in the SRPM supposed to contain all of
the .svn directories?

Comment 12 Daniel Walsh 2008-01-30 14:05:24 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
