Bug 2209973 - SELinux prevents nsd-* tools (executed by crond) from writing into /run/nsd/nsd.ctl socket
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-25 11:39 UTC by Milos Malik
Modified: 2023-07-11 08:01 UTC (History)

Fixed In Version: selinux-policy-38.1.16-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker RHELPLAN-158174 (last updated 2023-05-25 11:42:38 UTC)

Description Milos Malik 2023-05-25 11:39:38 UTC
Description of problem: the following message appears in the systemd journal when any nsd-* program is executed as a cronjob.

CROND[23753]: (root) CMDOUT (error: connect (/run/nsd/nsd.ctl): Permission denied)

# matchpathcon /usr/sbin/nsd-*
/usr/sbin/nsd-checkconf	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-checkzone	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-control	system_u:object_r:nsd_exec_t:s0
/usr/sbin/nsd-control-setup	system_u:object_r:nsd_exec_t:s0
# sesearch -c process -T | grep 'cron.*nsd_crond_t'
type_transition crond_t nsd_exec_t:process nsd_crond_t;
type_transition system_cronjob_t nsd_exec_t:process nsd_crond_t;
#

Version-Release number of selected component (if applicable):
nsd-4.3.9-3.el9.x86_64
selinux-policy-38.1.12-1.el9.noarch
selinux-policy-targeted-38.1.12-1.el9.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-9.3 machine (targeted policy is active)
2. start the nsd service
3. add the following line into /etc/crontab file
* * * * * nsd /usr/sbin/nsd-control status
4. restart the crond service
5. wait at least 1 minute
6. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(05/25/2023 07:23:01.953:1237) : proctitle=/usr/sbin/nsd-control status 
type=PATH msg=audit(05/25/2023 07:23:01.953:1237) : item=0 name=/run/nsd/nsd.ctl inode=1153 dev=00:18 mode=socket,755 ouid=nsd ogid=nsd rdev=00:00 obj=system_u:object_r:nsd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/25/2023 07:23:01.953:1237) : cwd=/etc/nsd 
type=SOCKADDR msg=audit(05/25/2023 07:23:01.953:1237) : saddr={ saddr_fam=local path=/run/nsd/nsd.ctl } 
type=SYSCALL msg=audit(05/25/2023 07:23:01.953:1237) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffc3b2cfdc0 a2=0x6e a3=0xfffffffffffffffc items=1 ppid=24462 pid=24474 auid=nsd uid=nsd gid=nsd euid=nsd suid=nsd fsuid=nsd egid=nsd sgid=nsd fsgid=nsd tty=(none) ses=96 comm=nsd-control exe=/usr/sbin/nsd-control subj=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/25/2023 07:23:01.953:1237) : avc:  denied  { write } for  pid=24474 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
 * the nsd package comes from EPEL

Comment 1 Milos Malik 2023-05-25 11:41:14 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(05/25/2023 07:24:02.055:1255) : proctitle=/usr/sbin/nsd-control status 
type=PATH msg=audit(05/25/2023 07:24:02.055:1255) : item=0 name=/run/nsd/nsd.ctl inode=1153 dev=00:18 mode=socket,755 ouid=nsd ogid=nsd rdev=00:00 obj=system_u:object_r:nsd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/25/2023 07:24:02.055:1255) : cwd=/etc/nsd 
type=SOCKADDR msg=audit(05/25/2023 07:24:02.055:1255) : saddr={ saddr_fam=local path=/run/nsd/nsd.ctl } 
type=SYSCALL msg=audit(05/25/2023 07:24:02.055:1255) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd11510880 a2=0x6e a3=0xfffffffffffffffc items=1 ppid=24479 pid=24491 auid=nsd uid=nsd gid=nsd euid=nsd suid=nsd fsuid=nsd egid=nsd sgid=nsd fsgid=nsd tty=(none) ses=98 comm=nsd-control exe=/usr/sbin/nsd-control subj=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc:  denied  { connectto } for  pid=24491 comm=nsd-control path=/run/nsd/nsd.ctl scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:nsd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc:  denied  { write } for  pid=24491 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=1 
----
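The two audit excerpts above show why the permissive-mode run in Comment 1 matters: in enforcing mode the first denial (sock_file write on nsd_var_run_t) aborts connect(), so the second required permission (unix_stream_socket connectto on nsd_t) never appears in the log. The script below is an added example, not part of this bug report or of the selinux-policy fix; it parses the report's own AVC records (embedded as constructed input) and renders the audit2allow-style rules they imply, which is a diagnostic summary of the missing access, not the policy change made in the linked PR.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC records copied from the bug report.
# The enforcing-mode run (description) logs only the first denial.
ENFORCING_LOG = """\
type=PATH msg=audit(05/25/2023 07:23:01.953:1237) : item=0 name=/run/nsd/nsd.ctl obj=system_u:object_r:nsd_var_run_t:s0
type=AVC msg=audit(05/25/2023 07:23:01.953:1237) : avc:  denied  { write } for  pid=24474 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=0
"""
# The permissive-mode run (Comment 1) lets the syscall continue, so both denials are logged.
PERMISSIVE_LOG = """\
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc:  denied  { connectto } for  pid=24491 comm=nsd-control path=/run/nsd/nsd.ctl scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:nsd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(05/25/2023 07:24:02.055:1255) : avc:  denied  { write } for  pid=24491 comm=nsd-control name=nsd.ctl dev="tmpfs" ino=1153 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=sock_file permissive=1
"""

# Matches the decision part of an AVC record: permissions, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log):
    """Map (source type, target type, class) -> set of denied permissions, in log order."""
    rules = OrderedDict()
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, SOCKADDR, PROCTITLE records carry no access decision
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def allow_rules(rules):
    """Render parsed denials as SELinux allow rules, the way audit2allow would."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in rules.items()]


def hidden_by_enforcing(enforcing_log, permissive_log):
    """Rules visible only in the permissive run: what an enforcing-only log would miss."""
    seen = set(allow_rules(parse_avc_denials(enforcing_log)))
    return [r for r in allow_rules(parse_avc_denials(permissive_log)) if r not in seen]


if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(PERMISSIVE_LOG)):
        print(rule)
    print("missing from enforcing-mode log:", hidden_by_enforcing(ENFORCING_LOG, PERMISSIVE_LOG))
```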

Comment 4 Nikola Knazekova 2023-06-14 14:59:41 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1742

