Bug 891008 - SELinux is preventing /usr/sbin/unbound from write access on the directory /etc/unbound.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: unbound
Version: 18
Assigned To: Paul Wouters
Reported: 2012-12-31 13:10 EST by Niki Guldbrand
Modified: 2014-09-13 14:59 EDT
Fixed In Version: unbound-1.4.21-1.el6
Doc Type: Bug Fix
Last Closed: 2013-06-11 05:07:11 EDT
Type: Bug
Description Niki Guldbrand 2012-12-31 13:10:26 EST
Description of problem:
I have enabled the auto-trust-anchor-file option in unbound.conf,
which makes unbound handle the update of the /etc/unbound/root.key
file by itself.

Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-66.fc18.noarch

How reproducible:
Always.

Steps to Reproduce:
1. enable the auto-trust-anchor-file option in unbound.conf with the
   default option.
2. initiate the file with the unbound-anchor command
3. set permissions, chmod/own, and restorecon
  
Actual results:
Unbound is prevented from updating this file.

SELinux is preventing /usr/sbin/unbound from write access on the directory /etc/unbound.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound should be allowed write access on the unbound directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                /etc/unbound [ dir ]
Source                        unbound
Source Path                   /usr/sbin/unbound
Port                          <Unknown>
Host                          ipa
Source RPM Packages           unbound-1.4.18-5.fc18.i686
Target RPM Packages           unbound-1.4.18-5.fc18.i686
Policy RPM                    selinux-policy-3.11.1-66.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.6.10-4.fc18.i686.PAE #1 SMP Tue Dec 11
                              18:15:08 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-12-31 17:48:29 CET
Last Seen                     2012-12-31 17:48:29 CET
Local ID                      d64824bf-8a23-46fe-bcd8-71a9608439e2

Raw Audit Messages
type=AVC msg=audit(1356972509.390:43): avc:  denied  { write } for  pid=562 comm="unbound" name="unbound" dev="dm-1" ino=2622862 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir


type=SYSCALL msg=audit(1356972509.390:43): arch=i386 syscall=open success=no exit=EACCES a0=b76aa39c a1=8241 a2=1b6 a3=b6789728 items=0 ppid=1 pid=562 auid=4294967295 uid=997 gid=997 euid=997 suid=997 fsuid=997 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=unbound exe=/usr/sbin/unbound subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound,named_t,named_conf_t,dir,write

audit2allow

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, named_var_run_t, named_log_t, var_run_t, named_tmp_t, krb5_host_rcache_t

allow named_t named_conf_t:dir write;

audit2allow -R

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# tmp_t, named_cache_t, var_log_t, named_var_run_t, named_log_t, var_run_t, named_tmp_t, krb5_host_rcache_t

allow named_t named_conf_t:dir write;

Expected results:
That unbound is allowed to modify (add/remove content in it) the 
/etc/unbound/root.key file.

Additional info:
Comment 1 Miroslav Grepl 2013-01-02 07:49:34 EST
So unbound is supposed to write the key with this option?
Comment 2 Daniel Walsh 2013-01-02 14:22:28 EST
Is there a better location for this file?
Comment 3 Niki Guldbrand 2013-01-03 01:45:39 EST
from the unbound.conf(8) man page:

auto-trust-anchor-file: <filename>
              File  with  trust  anchor  for  one  zone, which is tracked with
              RFC5011 probes.  The probes are several times  per  month,  thus
              the  machine must be online frequently.  The initial file can be
              one with contents as described in trust-anchor-file.   The  file
              is  written  to  when the anchor is updated, so the unbound user
              must have write permission.

There is also some additional info here: http://unbound.net/documentation/howto_anchor.html

Basically, it needs to update this file with timestamps and new/updated keys during runtime (requires write permission).

But the location doesn't have to be in /etc/unbound; it could be /var/lib/unbound or something similar, but I guess the default config shipped in the RPM should be updated to reflect this.
Comment 4 Miroslav Grepl 2013-01-03 02:08:13 EST
Yes, we are looking for better location.
Comment 5 Adam Tkac 2013-01-03 05:58:17 EST
The /var/lib/unbound location looks good to me and we can create an /etc/unbound/unbound.conf symlink. However, this requires a change to the SELinux policy because /var/lib/unbound currently has the var_lib_t label, which is not writable by named_t:

matchpathcon /var/lib/unbound
/var/lib/unbound	system_u:object_r:var_lib_t:s0

Paul, is it acceptable for you to move the root.key into /var/lib/unbound and create /etc/unbound/root.key symlink?
Comment 6 Paul Wouters 2013-01-04 18:19:41 EST
Yes, I'll change it to /var/lib/unbound
Comment 7 Miroslav Grepl 2013-01-07 05:32:23 EST
Added fixes to f18.

Fixed in selinux-policy-3.11.1-70.fc18
Comment 8 Paul Wouters 2013-04-11 11:55:19 EDT
*** Bug 896599 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2013-04-16 12:58:46 EDT
unbound-1.4.20-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.el6
Comment 10 Fedora Update System 2013-04-16 23:04:48 EDT
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
Comment 11 Fedora Update System 2013-04-17 00:24:18 EDT
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
Comment 12 Fedora Update System 2013-04-17 12:26:38 EDT
Package unbound-1.4.20-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing unbound-1.4.20-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5889/unbound-1.4.20-6.fc19
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2013-04-19 11:01:23 EDT
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
Comment 14 Jared Smith 2013-04-27 21:17:02 EDT
Description of problem:
I logged into Gnome Shell, and noticed this SELinux alert.

Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.9-200.fc18.x86_64
type:           libreport
Comment 15 Moez Roy 2013-05-04 19:21:53 EDT
I was already on Updates testing on F18 and I got this:

SELinux is preventing /usr/sbin/unbound-anchor from 'write' accesses on the directory unbound.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound-anchor should be allowed write access on the unbound directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                unbound [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.11-200.fc18.x86_64 #1 SMP Wed
                              May 1 19:44:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-04 15:32:00 PDT
Last Seen                     2013-05-04 15:32:00 PDT
Local ID                      0edbda95-c53a-4a2d-b809-b0d7f0c65a80

Raw Audit Messages
type=AVC msg=audit(1367706720.731:260): avc:  denied  { write } for  pid=1136 comm="unbound-anchor" name="unbound" dev="dm-0" ino=3016666 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir


type=SYSCALL msg=audit(1367706720.731:260): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff76bfa890 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,write

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir write;

audit2allow -R
require {
	type named_t;
}

#============= named_t ==============
bind_manage_config_dirs(named_t)
Comment 16 Moez Roy 2013-05-04 19:26:54 EDT
https://admin.fedoraproject.org/updates/FEDORA-2013-5953/unbound-1.4.20-1.fc18

pwouters - 2013-04-19 14:19:12
This update has been unpushed
Comment 17 Moez Roy 2013-05-17 11:59:32 EDT
@Paul Wouters:

Is there a reason why the update was unpushed?
Comment 18 Paul Wouters 2013-05-17 12:38:17 EDT
Yes, the unbound-anchor call had bad arguments in the systemd service file preventing unbound from starting up at all.

I'll pick the unbound release up today with new packages, sorry for the delay.
Comment 19 Fedora Update System 2013-06-01 00:07:43 EDT
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
Comment 20 Fedora Update System 2013-06-11 05:07:11 EDT
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2013-09-19 13:17:48 EDT
unbound-1.4.21-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6
Comment 22 Fedora Update System 2013-10-10 14:33:22 EDT
unbound-1.4.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Brian Marsden 2013-10-18 14:37:56 EDT
No joy with unbound-1.4.21-1.el6 from the Fedora EPEL 6 stable repository:

setroubleshoot: SELinux is preventing /usr/sbin/unbound from create access on the file root.anchor.12509-0

Extra info:

type=AVC msg=audit(1382120640.245:24001): avc:  denied  { create } for  pid=12509 comm="unbound" name="root.anchor.12509-0" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1382120640.245:24001): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f6906c0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=12509 auid=400 uid=399 gid=498 euid=399 suid=399 fsuid=399 egid=498 sgid=498 fsgid=498 tty=(none) ses=3 comm="unbound" exe="/usr/sbin/unbound" subj=unconfined_u:system_r:named_t:s0 key=(null)

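The three denials reported in this bug (the description, comment 15 and comment 23) have the same shape: a process running in named_t is refused write or create access under a named_conf_t label, and the audit2allow comment in the description already lists the directory types named_t may write. The following is an added example, not code from the unbound project or from this bug, that parses those audit records, pairs each AVC with its SYSCALL record, decodes the open(2) flags in a1, and rates the denial against that writable-type list. It also checks a matchpathcon line, as comment 5 does, so the relocation proposed there can be judged before relabelling. The named_cache_t matchpathcon line is a constructed input: the type the fixed selinux-policy assigns to /var/lib/unbound is not stated in this bug, so it is only an assumed candidate from the writable list.

```python
import re

# Audit records quoted from this bug (description, comment 15, comment 23).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1356972509.390:43): avc:  denied  { write } for  pid=562 comm="unbound" name="unbound" dev="dm-1" ino=2622862 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1356972509.390:43): arch=i386 syscall=open success=no exit=EACCES a0=b76aa39c a1=8241 a2=1b6 a3=b6789728 items=0 ppid=1 pid=562 auid=4294967295 uid=997 gid=997 euid=997 suid=997 fsuid=997 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=unbound exe=/usr/sbin/unbound subj=system_u:system_r:named_t:s0 key=(null)',
    'type=AVC msg=audit(1367706720.731:260): avc:  denied  { write } for  pid=1136 comm="unbound-anchor" name="unbound" dev="dm-0" ino=3016666 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1367706720.731:260): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff76bfa890 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)',
    'type=AVC msg=audit(1382120640.245:24001): avc:  denied  { create } for  pid=12509 comm="unbound" name="root.anchor.12509-0" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1382120640.245:24001): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f6906c0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=12509 auid=400 uid=399 gid=498 euid=399 suid=399 fsuid=399 egid=498 sgid=498 fsgid=498 tty=(none) ses=3 comm="unbound" exe="/usr/sbin/unbound" subj=unconfined_u:system_r:named_t:s0 key=(null)',
]

# Directory types named_t may write, copied from the audit2allow comment in the description.
NAMED_T_WRITABLE_DIR_TYPES = {
    "tmp_t", "named_cache_t", "var_log_t", "named_var_run_t",
    "named_log_t", "var_run_t", "named_tmp_t", "krb5_host_rcache_t",
}

# open(2) flag bits as defined for x86 Linux (asm-generic/fcntl.h values).
OPEN_FLAG_BITS = [(0x40, "O_CREAT"), (0x80, "O_EXCL"), (0x200, "O_TRUNC"),
                  (0x400, "O_APPEND"), (0x8000, "O_LARGEFILE")]
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
PERM_RE = re.compile(r'\{ ([^}]+) \}')        # the "{ write }" permission set


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["msg"] = fields["msg"].rstrip(":")   # audit(timestamp:serial) joins AVC and SYSCALL
    m = PERM_RE.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields


def decode_open_flags(hex_flags):
    """Render the a1 argument of open(2) as a flag list, e.g. O_WRONLY|O_CREAT|O_TRUNC."""
    n = int(hex_flags, 16)
    names = [ACCESS_MODES[n & 3]]
    names += [name for bit, name in OPEN_FLAG_BITS if n & bit]
    return "|".join(names)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def is_open_syscall(rec):
    # auditd prints the name on i386/x86_64 in the first two records, the raw number in the third;
    # syscall 2 on arch c000003e (x86_64) is open.
    return rec.get("syscall") == "open" or (rec.get("arch") == "c000003e" and rec.get("syscall") == "2")


def triage(lines):
    """Pair AVC records with their SYSCALL records and rate each denial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec["msg"], {})[rec["type"]] = rec
    results = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
        result = {
            "event": event_id, "comm": avc["comm"], "perms": avc["perms"],
            "tclass": avc["tclass"], "source_type": src, "target_type": tgt,
            "uid": sc.get("uid"),
            "open_flags": decode_open_flags(sc["a1"]) if sc and is_open_syscall(sc) else None,
        }
        if avc["tclass"] == "dir" and tgt in NAMED_T_WRITABLE_DIR_TYPES:
            result["verdict"] = "policy already allows this; check labels with restorecon"
        elif tgt.endswith("_conf_t"):
            result["verdict"] = "runtime data under a config-only label; relocate the file rather than add an allow rule"
        else:
            result["verdict"] = "unclassified; review before writing local policy"
        results.append(result)
    return results


def relocation_check(matchpathcon_line):
    """Judge a 'path<TAB>context' line from matchpathcon against the writable-type list."""
    path, context = matchpathcon_line.split()
    t = type_of(context)
    return {"path": path, "type": t, "writable_by_named_t": t in NAMED_T_WRITABLE_DIR_TYPES}


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT_LINES):
        print(f'{r["comm"]:>14} {r["perms"]} {r["tclass"]} -> {r["target_type"]} '
              f'uid={r["uid"]} flags={r["open_flags"]}: {r["verdict"]}')
    # First line is the matchpathcon output quoted in comment 5; second is a constructed
    # candidate label, not the type the fixed policy actually chose.
    for line in ("/var/lib/unbound\tsystem_u:object_r:var_lib_t:s0",
                 "/var/lib/unbound\tsystem_u:object_r:named_cache_t:s0"):
        print(relocation_check(line))
```

The flag decode is what makes the SYSCALL record worth pairing with the AVC: a1=8241 and a1=241 both decode to O_WRONLY|O_CREAT|O_TRUNC (plus O_LARGEFILE on i386), which is exactly the rewrite-in-place of the anchor file that the man page in comment 3 describes, and the uid field shows that in comment 15 the denied writer was root (unbound-anchor from the unit file) rather than the unbound user. The verdict column separates "label drift, run restorecon" from "data lives under a config type, move it", which is the distinction this bug turned on.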