Bug 2165438 - Repeated AVC denials for dnsmasq socket create
Summary: Repeated AVC denials for dnsmasq socket create
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnsmasq
Version: CentOS Stream
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: rhel-cs-infra-services-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-30 03:45 UTC by Robert Nichols
Modified: 2023-02-16 23:57 UTC (History)
2 users

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:


Attachments
Content of config files (579 bytes, text/plain)
2023-01-30 03:48 UTC, Robert Nichols


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-149029 0 None None None 2023-02-16 23:57:14 UTC

Description Robert Nichols 2023-01-30 03:45:24 UTC
Description of problem:
When running with dnsmasq configured as bootp and domain server, there are repeated AVC denials: "SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t." Despite these enforcing mode denials, dnsmasq appears to work properly, serving both bootp and dns requests, so it is not apparent whether this is a problem with dnsmasq or selinux-policy-targeted, and if the latter whether ALLOW or DONTAUDIT is the appropriate adjustment.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-24.el8.x86_64, selinux-policy-targeted-3.14.3-114.el8.noarch

How reproducible:
always

Steps to Reproduce:
1.On a system with both WAN and LAN interfaces, configure NetworkManager with "dns=dnsmasq" and dnsmasq listening on the LAN interface (config files attached).
2.Boot the system, and AVCs begin almost immediately, and seem to repeat whenever a dns request needs to be forwarded upstream.

Actual results:
Report from sealert: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t

Expected results:
No AVCs.

Additional info:
Source Context system_u:system_r:dnsmasq_t:s0
Target Context system_u:system_r:dnsmasq_t:s0
Target Objects Unknown [ socket ]
Source dnsmasq
Source Path /usr/sbin/dnsmasq
Port <Unknown>
Host omega-3x
Source RPM Packages dnsmasq-2.79-24.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name omega-3x
Platform Linux omega-3x 4.18.0-448.el8.x86_64 #1 SMP Wed Jan 18 15:02:46 UTC 2023 x86_64 x86_64
Alert Count 6
First Seen 2023-01-28 14:50:41 CST
Last Seen 2023-01-28 14:57:16 CST
Local ID e32e9a86-6adb-4a61-b777-3f1e138449d7

Raw Audit Messages
type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0


type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket success=no exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 auid=4294967295 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

Hash: dnsmasq,dnsmasq_t,dnsmasq_t,socket,create
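To make the raw audit records above easier to act on, here is an added Python example (not from the report, and not code from dnsmasq or selinux-policy) that parses the AVC and SYSCALL lines copied verbatim from the report, decodes the socket(2) arguments that audit prints in hexadecimal, and builds the allow rule that audit2allow would generate for the denial. The AF_* and SOCK_* tables are the standard Linux x86_64 values; the function names are my own.

```python
import re

# Raw audit records copied from the bug report above (not constructed).
AVC_LINE = (
    'type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 '
    'comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 '
    'tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket '
    'success=no exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 '
    'auid=4294967295 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 '
    'sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=dnsmasq '
    'exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)'
)

# Linux socket(2) constants on x86_64 (glibc <bits/socket.h>, <bits/socket_type.h>).
AF_NAMES = {0: "AF_UNSPEC", 1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6",
            16: "AF_NETLINK", 17: "AF_PACKET"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
SOCK_NONBLOCK, SOCK_CLOEXEC = 0o4000, 0o2000000

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into key=value fields; the AVC permission set
    '{ create }' is returned as a list under 'perms'."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _PERMS.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields


def domain_type(ctx):
    """Type component of a context such as system_u:system_r:dnsmasq_t:s0."""
    return ctx.split(":")[2]


def decode_socket_args(syscall):
    """Decode socket(domain, type, protocol) from a SYSCALL record.
    a0..a3 are hexadecimal; SOCK_NONBLOCK/SOCK_CLOEXEC may be OR-ed into a1."""
    if syscall.get("syscall") != "socket":
        raise ValueError("not a socket() record")
    domain = int(syscall["a0"], 16)
    raw_type = int(syscall["a1"], 16)
    flags = [name for name, bit in (("SOCK_NONBLOCK", SOCK_NONBLOCK),
                                    ("SOCK_CLOEXEC", SOCK_CLOEXEC)) if raw_type & bit]
    base_type = raw_type & ~(SOCK_NONBLOCK | SOCK_CLOEXEC)
    return {
        "domain": AF_NAMES.get(domain, f"AF_{domain}"),
        "type": SOCK_TYPES.get(base_type, f"type_{base_type}"),
        "flags": flags,
        "protocol": int(syscall["a2"], 16),
    }


def allow_rule(avc):
    """The rule audit2allow would emit: 'self' when scontext and tcontext match,
    braces only around a multi-permission set."""
    src = domain_type(avc["scontext"])
    tgt = domain_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{avc['tclass']} {perm_str};"


def triage(avc_line, syscall_line):
    """Pair the AVC with its SYSCALL record (same msg=audit(ts:serial)) and
    summarise what was asked for and what rule would silence it."""
    avc = parse_record(avc_line)
    sc = parse_record(syscall_line)
    if avc["msg"] != sc["msg"]:
        raise ValueError("records belong to different audit events")
    return {
        "enforced": avc["permissive"] == "0",
        "args": decode_socket_args(sc),
        "rule": allow_rule(avc),
    }


if __name__ == "__main__":
    result = triage(AVC_LINE, SYSCALL_LINE)
    print(result["args"])
    print(result["rule"])
```

For the records in this report the decoded call is socket(AF_UNSPEC, SOCK_DGRAM, 0) and the generated rule is `allow dnsmasq_t self:socket create;`. Two points are worth checking before choosing between allow and dontaudit: SELinux maps an address family it has no specific class for (udp_socket, unix_dgram_socket and so on) onto the generic `socket` class, and the LSM socket-create hook runs before the kernel looks up the protocol family, so a domain of 0 is refused with EACCES here where the kernel alone would have returned EAFNOSUPPORT. That is consistent with the reporter's observation that dnsmasq keeps serving DNS and BOOTP despite the denials. It also means the audit2allow rule grants creation of any generic-class socket, which is broader than what a dontaudit of the same permission silences; the rule is a starting point for review, not something to load as-is.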

Comment 1 Robert Nichols 2023-01-30 03:48:13 UTC
Created attachment 1941039 [details]
Content of config files

Comment 2 Robert Nichols 2023-02-16 23:56:55 UTC
For reasons that are not apparent, this problem has disappeared for me, so I guess this can be closed as not reproducible.

Sorry about the noise.
