Bug 239248 - selinux denial on /dev/random
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Adam Tkac
QA Contact: Ben Levenson
Reported: 2007-05-06 19:51 EDT by Andrew Bartlett
Modified: 2013-04-30 19:35 EDT (History)
Fixed In Version: 9.3.4-5.fc6
Doc Type: Bug Fix
Last Closed: 2007-05-22 12:07:47 EDT
Description Andrew Bartlett 2007-05-06 19:51:42 EDT
Description of problem:
sudo /sbin/service named restart causes an SELinux denial on /dev/random

Version-Release number of selected component (if applicable):
bind-9.4.0-6.fc7

How reproducible: every time (fail to start on restart only)

with NetworkManager running, and the system connected with dhcp, with also local
zone files (for my vmware network)

There may be 2 unrelated bugs here, I'll separate the NetworkManager issues if
that is your advice.

Steps to Reproduce:
1. sudo /sbin/service named start
2. sudo /sbin/service named restart
3.
  
Actual results:
SELinux warnings (note that SELinux is not enforcing on this box, so this should
not have prevented the start) and
Starting named:                                            [FAILED]


Expected results:
Starting named:                                            [  OK  ]


Additional info:

selinux denial:

type=AVC msg=audit(1178494085.489:49): avc:  denied  { getattr } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1178494085.489:49): arch=40000003 syscall=195 success=yes exit=0 a0=b7f54068 a1=b7f4d0c8 a2=ce1ff4 a3=3 items=0 ppid=4892 pid=4894 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named" subj=user_u:system_r:named_t:s0 key=(null)
type=AVC_PATH msg=audit(1178494085.489:49):  path="/dev/random"
type=AVC msg=audit(1178494085.489:50): avc:  denied  { read } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1178494085.489:50): arch=40000003 syscall=5 success=yes exit=9 a0=b7f54068 a1=800 a2=0 a3=b7f4e258 items=0 ppid=4892 pid=4894 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named" subj=user_u:system_r:named_t:s0 key=(null)

log messages:

May  7 09:49:08 localhost named[6389]: binding TCP socket: address in use
May  7 09:49:08 localhost named[6389]: command channel listening on 127.0.0.1#953
May  7 09:49:08 localhost named[6389]: zone 0.in-addr.arpa/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
May  7 09:49:08 localhost named[6389]: zone 255.in-addr.arpa/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
May  7 09:49:08 localhost named[6389]: zone localdomain/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone localhost/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone fedora-ds.abartlet.net/IN: loaded serial 2007042413
May  7 09:49:08 localhost named[6389]: zone ruth.abartlet.net/IN: loaded serial 2007042200
May  7 09:49:08 localhost named[6389]: zone samba4.abartlet.net/IN: loaded serial 2007020100
May  7 09:49:08 localhost named[6389]: zone ruth.abartlet.net/IN: sending notifies (serial 2007042200)
May  7 09:49:08 localhost named[6389]: zone samba4.abartlet.net/IN: sending notifies (serial 2007020100)
May  7 09:49:08 localhost named[6389]: zone fedora-ds.abartlet.net/IN: sending notifies (serial 2007042413)
May  7 09:49:08 localhost NetworkManager: <WARN>  add_ip4_config_to_named(): Could not set forwarders for zone '.'.  Error: '
Message did not receive a reply (timeout by message bus)'.
May  7 09:28:07 localhost setroubleshoot:      SELinux is preventing /usr/sbin/named (named_t) "getattr" to /dev/random (named_conf_t).      For complete SELinux messages. run sealert -l fdc4b1e1-ecec-4a45-a2dc-04382a81b540
May  7 09:28:07 localhost setroubleshoot:      SELinux is preventing /usr/sbin/named (named_t) "read" to random (named_conf_t).      For complete SELinux messages. run sealert -l 946dc144-a5b9-416e-b7cf-a4305746d234
Comment 1 Adam Tkac 2007-05-07 13:02:01 EDT
Looks like your /usr/sbin/named or /dev/random is mislabeled. Try "restorecon
/usr/sbin/named && restorecon /dev/random" . On my up2date rawhide box named has
object_r:named_exec_t context instead of your user_u:system_r:named_t. Also attach
output from "ls -Z /usr/sbin/named && ls -Z /dev/random".

Regards, Adam
Comment 2 Andrew Bartlett 2007-05-15 20:54:54 EDT
Firstly, the NetworkManager issues seem unrelated and resolved, so that was a
red herring.

On the SELinux issue, the issue remains identical.  I have restored the context
on both /dev/random and /usr/sbin/named.
Comment 3 Daniel Walsh 2007-05-21 13:19:00 EDT
Is this /dev/random or /var/named/chroot/dev/random?

Looks like the labeling got screwed up somehow.

grep random /etc/selinux/targeted/contexts/files/file_contexts
/dev/hwrng      -c      system_u:object_r:random_device_t:s0
/dev/random     -c      system_u:object_r:random_device_t:s0
/dev/urandom    -c      system_u:object_r:urandom_device_t:s0
/dev/hw_random  -c      system_u:object_r:random_device_t:s0
/var/run/random-seed    --      system_u:object_r:initrc_var_run_t:s0
/var/named/chroot/dev/random    -c      system_u:object_r:random_device_t:s0

Should be random_device_t.
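The diagnosis in the comment above is a label comparison: the type in the AVC record's tcontext (named_conf_t) is not the type file_contexts assigns to the path (random_device_t). The script below is an added example, not part of this bug report or of the bind package; it reproduces that comparison offline over a constructed AVC line (the first denial from the report, rejoined onto one line) and a constructed excerpt of file_contexts, so the helper names (avc_field, context_type, expected_type, check_label) and the embedded samples are all assumptions of the example.

```shell
#!/bin/sh
# Added example: check whether the object an AVC denial refers to carries the
# SELinux type that file_contexts says it should have.

# Constructed sample: AVC record from the report, joined onto a single line.
SAMPLE_AVC='type=AVC msg=audit(1178494085.489:49): avc:  denied  { getattr } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file'

# Constructed excerpt of file_contexts (path, file type flag, context).
SAMPLE_FILE_CONTEXTS='/dev/hwrng      -c      system_u:object_r:random_device_t:s0
/dev/random     -c      system_u:object_r:random_device_t:s0
/dev/urandom    -c      system_u:object_r:urandom_device_t:s0
/var/named/chroot/dev/random    -c      system_u:object_r:random_device_t:s0'

# avc_field RECORD KEY: print the value of "KEY=value" in an audit record.
# The leading whitespace match keeps "tcontext" from matching inside "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: print the type (third field of user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: print the type file_contexts assigns to PATH
# (empty if there is no exact-path entry in the sample).
expected_type() {
    printf '%s\n' "$SAMPLE_FILE_CONTEXTS" | awk -v p="$1" '$1 == p { print $3 }' | cut -d: -f3
}

# check_label PATH RECORD: compare the denied object's type with the expected
# one. Returns 0 if they match, 1 if mislabeled, 2 if PATH is unknown.
check_label() {
    actual=$(context_type "$(avc_field "$2" tcontext)")
    expected=$(expected_type "$1")
    if [ -z "$expected" ]; then
        printf 'no file_contexts entry for %s\n' "$1"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        printf 'ok: %s is %s\n' "$1" "$actual"
        return 0
    fi
    printf 'mislabeled: %s is %s, expected %s\n' "$1" "$actual" "$expected"
    return 1
}

# The path comes from the AVC_PATH record that follows the AVC in the report.
check_label /dev/random "$SAMPLE_AVC" || echo "exit status: $?"
```

On a live system the same comparison is done with the policy tools rather than a parsed excerpt: `matchpathcon /dev/random` prints the context file_contexts expects, `ls -Z /dev/random` prints the current one, and `restorecon -v /dev/random` (as suggested in comment 1) resets the label and reports the change. Running the check against both /dev/random and /var/named/chroot/dev/random covers the question raised in comment 3.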
Comment 4 Adam Tkac 2007-05-21 13:42:26 EDT
If you're running bind in chroot, bind-chroot-admin script has a bug which
could cause the chroot to be mislabeled. You could upcoming
http://people.redhat.com/atkac/bind/bind-9.3.4-4.5.fc6.src.rpm

Regards, A
Comment 5 Adam Tkac 2007-05-21 13:44:38 EDT
(In reply to comment #4)
> could cause the chroot to be mislabeled. You could upcoming

You could try upcoming .. :)


Comment 6 Adam Tkac 2007-05-22 12:07:47 EDT
Could be fixed in bind-9.3.4-5.fc6
