Bug 965970 - Chowning /var/named with -R causes AVC denials upon named start and stop
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Alex Dellapenta
QA Contact: ecs-bugs
Reported: 2013-05-22 04:02 EDT by Jan Pazdziora
Modified: 2017-03-08 12 EST
Doc Type: Bug Fix
Last Closed: 2013-06-11 16:47:08 EDT
Type: Bug
Attachments: None
Description Jan Pazdziora 2013-05-22 04:02:56 EDT
Description of problem:

I use script

https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

to install and setup OpenShift. Part of the setup deals with bind and I've seen AVC denials in the logs. Upon minimizing the steps needed to trigger the AVC denials, possible scenario seems to be: create file /var/named/example.com.key and start and stop named.

Version-Release number of selected component (if applicable):

bind-9.8.2-0.17.rc1.el6.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have fresh RHEL 6.4, install named, start and stop the service, observe no AVC denials.
2. Run cat <<EOF > /var/named/example.com.key
key example.com {
  algorithm HMAC-MD5;
  secret "/CqpJiaetYjJm404sZ4yxW+gkERUXlTUMebpEhADhpWBFqF3/BJad6FwnQ26s7F5e4KgqQuLcpf+cyWUOgS6Gw==";
};
EOF
3. Run chown named:named -R /var/named ; restorecon -rv /var/named
4. Run service named start ; service named stop

Actual results:

During start

type=AVC msg=audit(1369208774.561:649): avc:  denied  { write } for  pid=51034 comm="named" name="named" dev=dm-0 ino=655545 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

and during stop

type=AVC msg=audit(1369208780.004:650): avc:  denied  { add_name } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { create } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.004:650): avc:  denied  { write } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" dev=dm-0 ino=655567 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.005:651): avc:  denied  { remove_name } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.005:651): avc:  denied  { unlink } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

under permissive. In enforcing mode, only the first write AVC during start is logged.

Expected results:

No AVC denials.

Additional info:

I am aware of bug 545128 but note that I'm not setting slaves so I believe the named_write_master_zones does not apply. For the same reason I'm filing the bug against bind and not selinux-policy-targeted. Note that the (what appears to be) temporary file gets created and removed.

Upon subsequent start / stop, the AVC denial does not happen. However, if you remove the file and stop it again, it will happen again.

It is well possible that the key file should not be in this directory and that the openshift.sh script should be amended to put it elsewhere. In that case we'd appreciate a hint about the correct configuration.
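An added example, not from the reporter or from the bind package: it parses audit records of the form quoted in the description above and counts the denials where named_t tried to modify a named_zone_t object, which is the trace this kind of ownership change leaves in audit.log. The six sample records are the lines from the report, embedded as constructed input; the function names summarise_avc and count_zone_denials are mine, and the parsing assumes the usual key=value layout of audit.log.

```shell
#!/bin/sh
# Added example (not part of the bug report): summarise SELinux AVC
# denial records. Input is read from stdin, one audit record per line.

# Constructed sample input: the six AVC records quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1369208774.561:649): avc:  denied  { write } for  pid=51034 comm="named" name="named" dev=dm-0 ino=655545 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { add_name } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc:  denied  { create } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.004:650): avc:  denied  { write } for  pid=51005 comm="named" name="tmp-vU5tcY2pO7" dev=dm-0 ino=655567 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.005:651): avc:  denied  { remove_name } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.005:651): avc:  denied  { unlink } for  pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file'

# summarise_avc: for every type=AVC record on stdin print one line:
#   <permission> <comm> <source type> <target type> <tclass>
summarise_avc() {
    awk '
    /^type=AVC/ {
        perm = ""; comm = ""; st = ""; tt = ""; tc = ""
        # the denied permission sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            # the SELinux type is the third colon-separated field of a context
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass")   { tc = kv[2] }
        }
        print perm, comm, st, tt, tc
    }'
}

# count_zone_denials: number of records in which named_t was denied an
# operation on a named_zone_t object, the pattern a recursive chown of
# /var/named produces once named tries to write there.
count_zone_denials() {
    summarise_avc |
        awk '$3 == "named_t" && $4 == "named_zone_t" { n++ } END { print n + 0 }'
}

# Stand-alone run over the sample records.
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
echo "named_t -> named_zone_t denials: $(printf '%s\n' "$SAMPLE_AVC" | count_zone_denials)"
```

On a real host the same functions can be fed with `grep '^type=AVC' /var/log/audit/audit.log`; a non-zero count from count_zone_denials after a bind restart is a cheap check that the working directory ownership is wrong.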
Comment 1 Tomáš Hozza 2013-05-22 06:54:41 EDT
The problem seems to be that you are changing the owner of /var/named
recursively. Owner of /var/named and some files in it should be "root".

# rpm -V bind
S.5....T.  c /etc/named.conf
.....U...    /var/named
.....U...  c /var/named/named.ca
.....U...  c /var/named/named.empty
.....U...  c /var/named/named.localhost
.....U...  c /var/named/named.loopback

So you should change only the group using 'chgrp' or set owner:group only on
the file you created.

If you don't mind I would like to close this Bug as NOTABUG.
Comment 2 Jan Pazdziora 2013-05-22 08:01:27 EDT
(In reply to Tomas Hozza from comment #1)
> The problem seems to be that you are changing the owner of /var/named
> recursively. Owner of /var/named and some files in it should be "root".
> 
> # rpm -V bind
> S.5....T.  c /etc/named.conf
> .....U...    /var/named
> .....U...  c /var/named/named.ca
> .....U...  c /var/named/named.empty
> .....U...  c /var/named/named.localhost
> .....U...  c /var/named/named.loopback
> 
> So you should change only group using 'chgrp' or set owner:group only to
> the file you created.

Thank you very much for the investigation, Tomáš.

> If you don't mind I would like to close this Bug as NOTABUG.

Actually, what I will do is move the bug to the OpenShift Enterprise product.

It looks like

   https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh

shouldn't chown named:named -R /var/named the whole directory. Could the script be amended?
Comment 4 Jason DeTiberus 2013-05-22 10:09:47 EDT
https://github.com/openshift/openshift-extras/pull/21
Comment 5 Jason DeTiberus 2013-05-22 12:03:58 EDT
Fix has been merged for openshift-extras (install scripts)

https://github.com/openshift/puppet-openshift_origin/pull/64 submitted for puppet module.
Comment 6 Jan Pazdziora 2013-05-22 14:13:39 EDT
(In reply to Jason DeTiberus from comment #5)
> Fix has been merged for openshift-extras (install scripts)

I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed the AVC issue. Thanks!

Should I mark the bugzilla VERIFIED?
Comment 7 Jason DeTiberus 2013-05-22 15:31:54 EDT
(In reply to Jan Pazdziora from comment #6)
> (In reply to Jason DeTiberus from comment #5)
> > Fix has been merged for openshift-extras (install scripts)
> 
> I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed
> the AVC issue. Thanks!
> 
> Should I mark the bugzilla VERIFIED?

I would wait until after the puppet changes are merged, since it fixes the same behavior.
Comment 8 Brenton Leanhardt 2013-06-03 10:44:03 EDT
Can you check if this is referenced in our product documentation?  If so, we'll need to update it.
Comment 9 Jason DeTiberus 2013-06-03 12:47:29 EDT
https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html/Deployment_Guide/sect-OpenShift_Enterprise-Deployment_Guide-Configuring_BIND_and_DNS-Configuring_Sub_domain_Hostname_Resolution.html 

Procedure 5.4 Step 2 needs to be updated as follows:

>chown -Rv named:named /var/named

Should be changed to: 

>chgrp named -R /var/named
>chown named -R /var/named/dynamic
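An added example, not part of this thread, the OpenShift install scripts or the product documentation: a small audit function that checks a BIND working directory against the layout the corrected procedure in comment 9 produces (directory and packaged zone files owned by root with group named, only the dynamic/ subtree owned by named). It takes numeric ids so it can be exercised on a constructed temporary tree without root; the function names, the sample tree and the suggested invocation against /var/named are my assumptions.

```shell
#!/bin/sh
# Added example (not from the bug or the OpenShift scripts). Checks a
# directory tree for the ownership layout produced by
#     chgrp named -R /var/named
#     chown named -R /var/named/dynamic
# as opposed to "chown named:named -R /var/named", which triggers the AVC
# denials in the report. On a real host (assumed invocation):
#     audit_named_tree /var/named 0 "$(id -u named)" "$(id -g named)"

# audit_named_tree ROOT UID_ROOT UID_NAMED GID_NAMED
# Prints one line per entry that deviates from the layout and returns 1;
# prints nothing and returns 0 when the tree conforms.
audit_named_tree() {
    root=$1; uid_root=$2; uid_named=$3; gid_named=$4
    violations=$(
        # Everything except the dynamic/ subtree must be owned by root.
        find "$root" -path "$root/dynamic" -prune -o ! -user "$uid_root" -print |
            sed 's/^/owner should be root:  /'
        # dynamic/ and everything below it must be owned by named.
        if [ -d "$root/dynamic" ]; then
            find "$root/dynamic" ! -user "$uid_named" |
                sed 's/^/owner should be named: /'
        fi
        # Every entry must carry group named so the daemon can read zone data.
        find "$root" ! -group "$gid_named" |
            sed 's/^/group should be named: /'
    )
    [ -n "$violations" ] && printf '%s\n' "$violations"
    [ -z "$violations" ]
}

# make_sample_tree DIR: constructed stand-in for /var/named (empty files,
# not real zone data).
make_sample_tree() {
    mkdir -p "$1/dynamic"
    : > "$1/named.ca"
    : > "$1/named.empty"
    : > "$1/example.com.key"
    : > "$1/dynamic/example.com.db"
}

# Demonstration on a throw-away tree. Every entry is owned by the caller,
# so passing the caller's ids for both root and named conforms, while
# passing an unrelated uid as "root" flags the top-level entries the way
# a recursive chown to named would.
tree=$(mktemp -d)
make_sample_tree "$tree"
me=$(id -u); mygroup=$(id -g); other=$((me + 1))
if audit_named_tree "$tree" "$me" "$me" "$mygroup"; then
    echo "conforming layout: no findings"
fi
audit_named_tree "$tree" "$other" "$me" "$mygroup" ||
    echo "findings above: top-level entries not owned by uid $other"
rm -rf "$tree"
```

The check deliberately reports the top-level directory itself, since the write denial during start in the report is on the /var/named directory, not on a file inside it.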
Comment 10 Brenton Leanhardt 2013-06-03 12:54:35 EDT
Alex, can you track this for the 1.2 documentation release?
Comment 11 Alex Dellapenta 2013-06-06 10:52:42 EDT
(In reply to Brenton Leanhardt from comment #10)
> Alex, can you track this for the 1.2 documentation release?

Will do.
