Bug 965970 - Chowning /var/named with -R causes AVC denials upon named start and stop
Summary: Chowning /var/named with -R causes AVC denials upon named start and stop
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Alex Dellapenta
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-22 08:02 UTC by Jan Pazdziora
Modified: 2017-03-08 17:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-11 20:47:08 UTC
Target Upstream Version:
Embargoed:



Description Jan Pazdziora 2013-05-22 08:02:56 UTC
Description of problem:

I use script

https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

to install and set up OpenShift. Part of the setup deals with bind, and I've seen AVC denials in the logs. Upon minimizing the steps needed to trigger the AVC denials, a possible scenario seems to be: create the file /var/named/example.com.key and start and stop named.

Version-Release number of selected component (if applicable):

bind-9.8.2-0.17.rc1.el6.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have fresh RHEL 6.4, install named, start and stop the service, observe no AVC denials.
2. Run cat <<EOF > /var/named/example.com.key
key example.com {
  algorithm HMAC-MD5;
  secret "/CqpJiaetYjJm404sZ4yxW+gkERUXlTUMebpEhADhpWBFqF3/BJad6FwnQ26s7F5e4KgqQuLcpf+cyWUOgS6Gw==";
};
EOF
3. Run chown named:named -R /var/named ; restorecon -rv /var/named
4. Run service named start ; service named stop

Actual results:

During start

type=AVC msg=audit(1369208774.561:649): avc:  denied  { write } for  pid=51034 comm="named" name="named" dev=dm-0 ino=655545 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

and during stop

type=AVC msg=audit(1369208780.004:650): avc:  denied  { add_name } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { create } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.004:650): avc:  denied  { write } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" dev=dm-0 ino=655567 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.005:651): avc:  denied  { remove_name } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.005:651): avc:  denied  { unlink } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

under permissive. In enforcing mode, only the first write AVC during start is logged.

Expected results:

No AVC denials.

Additional info:

I am aware of bug 545128 but note that I'm not setting slaves so I believe the named_write_master_zones does not apply. For the same reason I'm filing the bug against bind and not selinux-policy-targeted. Note that the (what appears to be) temporary file gets created and removed.

Upon subsequent start / stop, the AVC denial does not happen. However, if you remove the file and stop it again, it will happen again.

It is quite possible that the key file should not be in this directory and that the openshift.sh script should be amended to put it elsewhere. In that case we'd appreciate a hint about the correct configuration.
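
To make the audit records above easier to read, here is an added shell example (not part of the bug report, of bind, or of openshift.sh) that reduces each AVC denial to the command, the denied permission, the object class, and the source and target SELinux types. The six sample records are copied from the report above; the function names and the output format are choices of this example, not anything the page defines.

```sh
#!/bin/sh
# Added example: summarise SELinux AVC denial records from audit.log.
# For each "avc: denied" record print the command, the denied permission,
# the object class, and the source and target SELinux types, which is
# enough to see which type pair a denial is really about.

avc_summary() {
    # Reads audit records on stdin; lines that are not AVC denials are skipped.
    awk '
        /avc: +denied/ {
            perm = ""; tclass = ""; stype = ""; ttype = ""; comm = ""
            # the denied permission set sits between "denied  {" and "}"
            if (match($0, /denied +[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied +[{] */, "", perm)
                sub(/ *[}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "tclass") tclass = kv[2]
                if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
                # a context is user:role:type:level; the type is field 3
                if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            }
            printf "%s denied %s on %s: %s -> %s\n", comm, perm, tclass, stype, ttype
        }'
}

# The six records from the bug report, embedded here as sample input.
sample_avc_records() {
    cat <<'EOF'
type=AVC msg=audit(1369208774.561:649): avc:  denied  { write } for  pid=51034 comm="named" name="named" dev=dm-0 ino=655545 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { add_name } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { create } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.004:650): avc:  denied  { write } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" dev=dm-0 ino=655567 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.005:651): avc:  denied  { remove_name } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.005:651): avc:  denied  { unlink } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
EOF
}

sample_avc_records | avc_summary
```

Every record reduces to named_t acting on a named_zone_t directory or file. That is the type pair the named_write_master_zones boolean mentioned in the report governs; the denials are the policy doing its job, and the question the thread goes on to answer is why named was trying to write there at all.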

Comment 1 Tomáš Hozza 2013-05-22 10:54:41 UTC
The problem seems to be that you are changing the owner of /var/named
recursively. Owner of /var/named and some files in it should be "root".

# rpm -V bind
S.5....T.  c /etc/named.conf
.....U...    /var/named
.....U...  c /var/named/named.ca
.....U...  c /var/named/named.empty
.....U...  c /var/named/named.localhost
.....U...  c /var/named/named.loopback

So you should change only the group using 'chgrp', or set owner:group only on
the file you created.

If you don't mind I would like to close this Bug as NOTABUG.

Comment 2 Jan Pazdziora 2013-05-22 12:01:27 UTC
(In reply to Tomas Hozza from comment #1)
> The problem seems to be that you are changing the owner of /var/named
> recursively. Owner of /var/named and some files in it should be "root".
> 
> # rpm -V bind
> S.5....T.  c /etc/named.conf
> .....U...    /var/named
> .....U...  c /var/named/named.ca
> .....U...  c /var/named/named.empty
> .....U...  c /var/named/named.localhost
> .....U...  c /var/named/named.loopback
> 
> So you should change only group using 'chgrp' or set owner:group only to
> the file you created.

Thank you very much for the investigation, Tomáš.

> If you don't mind I would like to close this Bug as NOTABUG.

Actually, what I will do is move the bug to the OpenShift Enterprise product.

It looks like

   https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

shouldn't chown named:named -R /var/named the whole directory. Could the script be amended?

Comment 4 Jason DeTiberus 2013-05-22 14:09:47 UTC
https://github.com/openshift/openshift-extras/pull/21

Comment 5 Jason DeTiberus 2013-05-22 16:03:58 UTC
Fix has been merged for openshift-extras (install scripts)

https://github.com/openshift/puppet-openshift_origin/pull/64 submitted for puppet module.

Comment 6 Jan Pazdziora 2013-05-22 18:13:39 UTC
(In reply to Jason DeTiberus from comment #5)
> Fix has been merged for openshift-extras (install scripts)

I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed the AVC issue. Thanks!

Should I mark the bugzilla VERIFIED?

Comment 7 Jason DeTiberus 2013-05-22 19:31:54 UTC
(In reply to Jan Pazdziora from comment #6)
> (In reply to Jason DeTiberus from comment #5)
> > Fix has been merged for openshift-extras (install scripts)
> 
> I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed
> the AVC issue. Thanks!
> 
> Should I mark the bugzilla VERIFIED?

I would wait until after the puppet changes are merged, since it fixes the same behavior.

Comment 8 Brenton Leanhardt 2013-06-03 14:44:03 UTC
Can you check if this is referenced in our product documentation?  If so, we'll need to update it.

Comment 9 Jason DeTiberus 2013-06-03 16:47:29 UTC
https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html/Deployment_Guide/sect-OpenShift_Enterprise-Deployment_Guide-Configuring_BIND_and_DNS-Configuring_Sub_domain_Hostname_Resolution.html 

Procedure 5.4 Step 2 needs to be updated as follows:

>chown -Rv named:named /var/named

Should be changed to: 

>chgrp named -R /var/named
>chown named -R /var/named/dynamic
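
The corrected step from comment 9, as an added shell example (not the project's install script, the puppet module, or the documentation's own text): root keeps ownership of the zone directory and the shipped zone files, the named group gets group ownership throughout, and only dynamic/ is owned by the named user. A second function checks the condition rpm -V flagged with "U" in comment 1. Directory, user and group are parameters, which is an assumption of this example so it can run on a scratch directory; on a real host they would be /var/named, named and named, with root as the expected owner.

```sh
#!/bin/sh
# Added example: the ownership layout from comment 9, plus a check for the
# condition rpm -V reported in comment 1. root keeps ownership of the zone
# directory and the shipped zone files, the named group gets group
# ownership throughout, and only dynamic/ is owned by the named user.
# DIR, USER and GROUP are parameters (an assumption of this example) so the
# functions can be exercised on a scratch directory without a named account.

# fix_named_ownership DIR USER GROUP
fix_named_ownership() {
    dir=$1 user=$2 group=$3
    [ -d "$dir" ] || { echo "fix_named_ownership: no such directory: $dir" >&2; return 1; }
    mkdir -p "$dir/dynamic"
    chgrp -R "$group" "$dir"          # group only; never chown -R the whole tree
    chown -R "$user" "$dir/dynamic"   # the one subtree named writes at runtime
}

# check_named_ownership DIR EXPECTED_OWNER
# Prints (to stderr) every path outside DIR/dynamic that is not owned by
# EXPECTED_OWNER and returns 1; returns 0 when the layout is clean.
check_named_ownership() {
    dir=$1 owner=$2
    bad=$(find "$dir" -path "$dir/dynamic" -prune -o ! -user "$owner" -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Demonstration on a constructed scratch directory. On a real host the
# arguments would be /var/named, named and named, with root as the
# expected owner.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/named.ca" "$tmp/example.com.key"
    fix_named_ownership "$tmp" "$(id -un)" "$(id -gn)"
    if check_named_ownership "$tmp" "$(id -u)"; then
        echo "ownership ok under $tmp"
    fi
    rm -rf "$tmp"
}

demo
```

The check is the useful half for anyone who has already run the old recursive chown: run it against /var/named with root as the expected owner, and any path it lists outside dynamic/ is one that rpm -V bind will also flag and that the start/stop denials in this report can come from.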

Comment 10 Brenton Leanhardt 2013-06-03 16:54:35 UTC
Alex, can you track this for the 1.2 documentation release?

Comment 11 Alex Dellapenta 2013-06-06 14:52:42 UTC
(In reply to Brenton Leanhardt from comment #10)
> Alex, can you track this for the 1.2 documentation release?

Will do.

