Description of problem:
I have enabled the auto-trust-anchor-file option in unbound.conf, which makes unbound handle the update of the /etc/unbound/root.key file by itself.

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-66.fc18.noarch

How reproducible:
Always.

Steps to Reproduce:
1. enable the auto-trust-anchor-file option in unbound.conf with the default option.
2. initiate the file with the unbound-anchor command
3. set permissions, chmod/own, and restorecon

Actual results:
Unbound is prevented from updating this file.

SELinux is preventing /usr/sbin/unbound from write access on the directory /etc/unbound.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that unbound should be allowed write access on the unbound directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                /etc/unbound [ dir ]
Source                        unbound
Source Path                   /usr/sbin/unbound
Port                          <Unknown>
Host                          ipa
Source RPM Packages           unbound-1.4.18-5.fc18.i686
Target RPM Packages           unbound-1.4.18-5.fc18.i686
Policy RPM                    selinux-policy-3.11.1-66.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.6.10-4.fc18.i686.PAE #1 SMP Tue Dec 11 18:15:08 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-12-31 17:48:29 CET
Last Seen                     2012-12-31 17:48:29 CET
Local ID                      d64824bf-8a23-46fe-bcd8-71a9608439e2

Raw Audit Messages
type=AVC msg=audit(1356972509.390:43): avc: denied { write } for pid=562 comm="unbound" name="unbound" dev="dm-1" ino=2622862 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1356972509.390:43): arch=i386 syscall=open success=no exit=EACCES a0=b76aa39c a1=8241 a2=1b6 a3=b6789728 items=0 ppid=1 pid=562 auid=4294967295 uid=997 gid=997 euid=997 suid=997 fsuid=997 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=unbound exe=/usr/sbin/unbound subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound,named_t,named_conf_t,dir,write

audit2allow

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, named_var_run_t, named_log_t, var_run_t, named_tmp_t, krb5_host_rcache_t

allow named_t named_conf_t:dir write;

audit2allow -R

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, named_var_run_t, named_log_t, var_run_t, named_tmp_t, krb5_host_rcache_t

allow named_t named_conf_t:dir write;

Expected results:
That unbound is allowed to modify (add/remove content in it) the /etc/unbound/root.key file.

Additional info:
So unbound is supposed to write the key with this option?
Is there a better location for this file?
From the unbound.conf(8) man page:

auto-trust-anchor-file: <filename>
File with trust anchor for one zone, which is tracked with RFC5011 probes. The probes are several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in trust-anchor-file. The file is written to when the anchor is updated, so the unbound user must have write permission.

There is also some additional info here: http://unbound.net/documentation/howto_anchor.html

Basically, it needs to update this file with timestamps and new/updated keys during runtime (requires write permission). But the location doesn't have to be in /etc/unbound; it could be something like /var/lib/unbound or something similar, but I guess the default config shipped in the rpm should be updated to reflect this.
Yes, we are looking for better location.
The /var/lib/unbound location looks good to me and we can create a /etc/unbound/unbound.conf symlink. However, this requires a change of the SELinux policy because /var/lib/unbound currently has the var_lib_t label, which is not writable by named_t:

matchpathcon /var/lib/unbound
/var/lib/unbound system_u:object_r:var_lib_t:s0

Paul, is it acceptable for you to move the root.key into /var/lib/unbound and create a /etc/unbound/root.key symlink?
Yes, I'll change it to /var/lib/unbound
Added fixes to f18. Fixed in selinux-policy-3.11.1-70.fc18
*** Bug 896599 has been marked as a duplicate of this bug. ***
unbound-1.4.20-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/unbound-1.4.20-1.el6
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
Package unbound-1.4.20-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing unbound-1.4.20-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5889/unbound-1.4.20-6.fc19
then log in and leave karma (feedback).
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
Description of problem:
I logged into Gnome Shell, and noticed this SELinux alert.

Additional info:
hashmarkername: setroubleshoot
kernel: 3.8.9-200.fc18.x86_64
type: libreport
I was already on Updates testing on F18 and I got this:

SELinux is preventing /usr/sbin/unbound-anchor from 'write' accesses on the directory unbound.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that unbound-anchor should be allowed write access on the unbound directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                unbound [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.11-200.fc18.x86_64 #1 SMP Wed May 1 19:44:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-04 15:32:00 PDT
Last Seen                     2013-05-04 15:32:00 PDT
Local ID                      0edbda95-c53a-4a2d-b809-b0d7f0c65a80

Raw Audit Messages
type=AVC msg=audit(1367706720.731:260): avc: denied { write } for pid=1136 comm="unbound-anchor" name="unbound" dev="dm-0" ino=3016666 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=SYSCALL msg=audit(1367706720.731:260): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff76bfa890 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,write

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir write;

audit2allow -R

require {
	type named_t;
}

#============= named_t ==============
bind_manage_config_dirs(named_t)
https://admin.fedoraproject.org/updates/FEDORA-2013-5953/unbound-1.4.20-1.fc18
pwouters - 2013-04-19 14:19:12
This update has been unpushed
@Paul Wouters: Is there a reason why the update was unpushed?
Yes, the unbound-anchor call had bad arguments in the systemd service file, preventing unbound from starting up at all. I'll pick the unbound release up today with new packages; sorry for the delay.
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.4.21-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6
unbound-1.4.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
No joy with unbound-1.4.21-1.el6 from the Fedora EPEL 6 stable repository:

setroubleshoot: SELinux is preventing /usr/sbin/unbound from create access on the file root.anchor.12509-0

Extra info:
type=AVC msg=audit(1382120640.245:24001): avc: denied { create } for pid=12509 comm="unbound" name="root.anchor.12509-0" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1382120640.245:24001): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f6906c0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=12509 auid=400 uid=399 gid=498 euid=399 suid=399 fsuid=399 egid=498 sgid=498 fsgid=498 tty=(none) ses=3 comm="unbound" exe="/usr/sbin/unbound" subj=unconfined_u:system_r:named_t:s0 key=(null)
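Every setroubleshoot report in this thread carries the same shape of AVC record, and the "Hash:" line (comm, source type, target type, class, permission) is how setroubleshoot groups repeated denials. As an added example, not code from this bug report or from the unbound or selinux-policy projects, here is a small Python parser for those records, run over the three AVC lines quoted in the thread (copied verbatim as the sample input). It reproduces the hash key and flags the pattern all three denials share: a named_t process denied a content-changing operation on a named_conf_t target. Seeing that one pattern across the reports is the check a practitioner wants before reaching for audit2allow, since the fix the thread settles on is relocating the writable file under /var/lib/unbound and adjusting its label, not granting named_t write access to its configuration directory. The names AvcDenial, parse_avc, is_config_write, summarize and WRITE_LIKE_PERMS are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three AVC records quoted in this bug report, copied verbatim. The SYSCALL
# records that follow each of them in the reports are not needed here.
AVC_LINES: List[str] = [
    'type=AVC msg=audit(1356972509.390:43): avc: denied { write } for pid=562 '
    'comm="unbound" name="unbound" dev="dm-1" ino=2622862 '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir',
    'type=AVC msg=audit(1367706720.731:260): avc: denied { write } for pid=1136 '
    'comm="unbound-anchor" name="unbound" dev="dm-0" ino=3016666 '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir',
    'type=AVC msg=audit(1382120640.245:24001): avc: denied { create } for pid=12509 '
    'comm="unbound" name="root.anchor.12509-0" '
    'scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file',
]

# Layout of an AVC denial: timestamp:serial, the denied permission set in braces,
# then key=value fields ending with scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that change the content of a file or directory; any of these
# against a config-labelled target is the pattern this bug is about.
WRITE_LIKE_PERMS = frozenset(
    {"write", "create", "add_name", "remove_name", "unlink", "rename", "append"}
)


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    perms: Tuple[str, ...]
    comm: str
    name: Optional[str]
    source_type: str
    target_type: str
    tclass: str

    def hash_key(self) -> str:
        # Same comm,stype,ttype,tclass,perm key that setroubleshoot prints as "Hash:".
        return ",".join((self.comm, self.source_type, self.target_type,
                         self.tclass, " ".join(self.perms)))


def _field(line: str, key: str) -> Optional[str]:
    """Pull key="value" or key=value out of an audit record."""
    m = re.search(r'\b' + re.escape(key) + r'=(?:"([^"]*)"|(\S+))', line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC denial record; returns None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type:level context.
    stype = m["scontext"].split(":")[2]
    ttype = m["tcontext"].split(":")[2]
    return AvcDenial(
        timestamp=float(m["ts"]),
        serial=int(m["serial"]),
        perms=tuple(m["perms"].split()),
        comm=_field(line, "comm") or "",
        name=_field(line, "name"),
        source_type=stype,
        target_type=ttype,
        tclass=m["tclass"],
    )


def is_config_write(d: AvcDenial) -> bool:
    """True when a named_t process is denied a content-changing operation on a
    named_conf_t object, the recurring pattern in this report."""
    return (d.source_type == "named_t" and d.target_type == "named_conf_t"
            and bool(WRITE_LIKE_PERMS.intersection(d.perms)))


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count denials per setroubleshoot-style hash key, skipping non-AVC lines."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            counts[d.hash_key()] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(AVC_LINES).items():
        print(f"{n:3d}  {key}")
    flagged = [d for d in map(parse_avc, AVC_LINES) if d and is_config_write(d)]
    print(f"{len(flagged)} of {len(AVC_LINES)} denials are named_t changing named_conf_t content")
```

To run it against a real host, feed the lines of /var/log/audit/audit.log to summarize() instead of AVC_LINES; SYSCALL and other record types are ignored by parse_avc, so the whole file can be passed through unchanged.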