Bug 1210250 - SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.
Summary: SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the dire...
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1200996 1215376
Depends On:
Blocks: dnssec Default_Local_DNS_Resolver
Reported: 2015-04-09 09:44 UTC by Tomáš Hozza
Modified: 2015-07-20 08:11 UTC (History)
CC List: 9 users

Fixed In Version: selinux-policy-3.13.1-122.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-20 08:11:16 UTC
Type: Bug
Embargoed:



Description Tomáš Hozza 2015-04-09 09:44:30 UTC
Description of problem:
SELinux is preventing /usr/sbin/dnssec-triggerd from write access on the directory /etc.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dnssec-triggerd to have write access on the etc directory
Then you need to change the label on /etc
Do
# semanage fcontext -a -t FILE_TYPE '/etc'
where FILE_TYPE is one of the following: dnssec_trigger_var_run_t, net_conf_t, var_run_t. 
Then execute: 
restorecon -v '/etc'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that dnssec-triggerd should be allowed write access on the etc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-triggerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc [ dir ]
Source                        dnssec-triggerd
Source Path                   /usr/sbin/dnssec-triggerd
Port                          <Unknown>
Host                          thozza-pc
Source RPM Packages           dnssec-trigger-0.12-19.fc21.x86_64
Target RPM Packages           filesystem-3.2-28.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-105.9.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     thozza-pc
Platform                      Linux thozza-pc 3.19.3-200.fc21.x86_64 #1 SMP Thu Mar 26 21:39:42 UTC 2015 x86_64 x86_64
Alert Count                   165
First Seen                    2015-02-16 08:57:01 CET
Last Seen                     2015-04-09 08:51:44 CEST
Local ID                      5f809d20-9dc6-4edc-81f3-6199f4afba16

Raw Audit Messages
type=AVC msg=audit(1428562304.184:412): avc:  denied  { write } for  pid=1363 comm="dnssec-triggerd" name="etc" dev="dm-0" ino=3145729 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1428562304.184:412): arch=x86_64 syscall=open success=no exit=EACCES a0=7fadc6fc2480 a1=241 a2=1b6 a3=241 items=0 ppid=1 pid=1363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dnssec-triggerd exe=/usr/sbin/dnssec-triggerd subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)

Hash: dnssec-triggerd,dnssec_trigger_t,etc_t,dir,write


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-105.9.fc21.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
My system ends up without /etc/resolv.conf because dnssec-triggerd is not able to write it into /etc. libvirt dnsmasq instance is not able to provide DNS service to VMs as a consequence of this issue.

Expected results:
SELinux should finally allow dnssec-trigger to write /etc/resolv.conf!!!

Additional info:

Comment 1 Miroslav Grepl 2015-04-09 15:27:49 UTC
Tomas,
could you collect AVC msgs also from permissive mode?

Comment 2 Lukas Vrabec 2015-04-09 19:55:09 UTC
commit 06005bc0ac9370f93ba99e44d478e9930f3896c1
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 21:06:09 2015 +0200

    Allow dnssec_trigger_t to stream connect to networkmanager.

commit 2c3a0d6d02474851e2ffd711ae8fd5176003624e
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 19:35:47 2015 +0200

    Allow dnssec_trigger_t to create resolv files labeled as net_conf_t

commit cfb2997e16f7106c916c903d4aac2aa9102ba7bf
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 9 17:57:43 2015 +0200

    Label new dnssec-trigger files.

Comment 3 Lukas Vrabec 2015-04-09 20:01:34 UTC
Tomas, 
There is one more AVC. 
type=AVC msg=audit(1428608873.655:903): avc:  denied  { read } for  pid=31681 comm="dnssec-trigger-" name="/" dev="tmpfs" ino=14649 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1

Could I dontaudit this? 

Thank you.
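The two raw AVC records on this page (the enforcing-mode write denial on /etc in the description, and the permissive-mode read of /tmp asked about in comment 3) parsed into their fields, as an added example that is not part of the bug report, of setroubleshoot or of audit2allow. It rebuilds the `Hash:` signature setroubleshoot prints (comm, source type, target type, class, permission), separates `permissive=0` records, where the kernel actually refused the access, from `permissive=1` records that were only logged, and renders the one-line allow or dontaudit rule audit2allow would propose for each. The class, function and regex names are my own; the sample lines are copied from this bug.

```python
"""Parse raw SELinux AVC audit records into structured fields.

Added example; not part of the bug report, of setroubleshoot or of audit2allow.
The two records in SAMPLE_AVC_LINES are copied from this bug; every name
and regex below is my own.
"""
import re
from collections import Counter
from dataclasses import dataclass

# From the bug: the enforcing-mode write denial on /etc (description) and the
# permissive-mode read of /tmp that comment 3 asks about.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1428562304.184:412): avc:  denied  { write } for  '
    'pid=1363 comm="dnssec-triggerd" name="etc" dev="dm-0" ino=3145729 '
    'scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1428608873.655:903): avc:  denied  { read } for  '
    'pid=31681 comm="dnssec-trigger-" name="/" dev="tmpfs" ino=14649 '
    'scontext=system_u:system_r:dnssec_trigger_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1',
]

# "avc:  denied  { write } for  pid=..." -> decision, permission set, key=value tail
_AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name, dev) or bare
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    decision: str
    perms: list
    fields: dict

    def _context_type(self, key):
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields[key].split(":")[2]

    @property
    def source_type(self):
        return self._context_type("scontext")

    @property
    def target_type(self):
        return self._context_type("tcontext")

    @property
    def enforced(self):
        # permissive=0: the kernel refused the access.
        # permissive=1: logged only, the access went ahead (permissive mode or domain).
        return self.fields.get("permissive") == "0"

    def signature(self):
        # Same shape as the "Hash:" line setroubleshoot prints for an alert.
        return ",".join([self.fields.get("comm", ""), self.source_type,
                         self.target_type, self.fields["tclass"], *self.perms])

    def policy_rule(self, kind="allow"):
        # The one-line rule audit2allow would emit; kind is "allow" or "dontaudit".
        if kind not in ("allow", "dontaudit"):
            raise ValueError(kind)
        return (f"{kind} {self.source_type} {self.target_type}:"
                f"{self.fields['tclass']} {{ {' '.join(self.perms)} }};")


def parse_avc(line):
    """Parse one type=AVC record; raise ValueError on anything else."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError(f"not an AVC record: {line[:40]!r}")
    fields = {}
    for key, quoted, bare in _KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return AvcRecord(m.group("decision"), m.group("perms").split(), fields)


def summarize(lines):
    """Count distinct signatures, separating real denials from permissive-only records."""
    enforced, permissive = Counter(), Counter()
    for line in lines:
        if "type=AVC" not in line:
            continue  # skip the SYSCALL/PATH records that accompany an AVC
        rec = parse_avc(line)
        (enforced if rec.enforced else permissive)[rec.signature()] += 1
    return enforced, permissive


if __name__ == "__main__":
    for sample in SAMPLE_AVC_LINES:
        r = parse_avc(sample)
        state = "denied" if r.enforced else "permissive"
        print(f"{state:10} {r.signature()}  ->  {r.policy_rule()}")
```

The rule this prints for the first record, `allow dnssec_trigger_t etc_t:dir { write };`, is what the catchall plugin's audit2allow step would grant: write access to every etc_t directory. The fix committed in comment 2 instead labels the resolv file net_conf_t and allows dnssec_trigger_t to create files of that type, which is the narrower grant; the parsed fields are what you compare against when deciding whether a generated rule is broader than the access the program actually needs.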

Comment 4 Miroslav Grepl 2015-04-10 09:30:57 UTC
It comes from dnssec-trigger-script

..
..
..
stat("/etc/utmp", 0x7ffd9f0e07e0)       = -1 ENOENT (No such file or directory)
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=600, ...}) = 0
open("/tmp", O_RDONLY)                  = 7
read(7, 0x7ffd9f0e0870, 8192)           = -1 EISDIR (Is a directory)
close(7)                                = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/var/tmp", O_RDONLY)              = 7
read(7, 0x7ffd9f0e0870, 8192)           = -1 EISDIR (Is a directory)
close(7)                                = 0
stat("/usr/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
open("/usr/tmp", O_RDONLY)

Comment 7 Tomáš Hozza 2015-07-14 09:11:42 UTC
(In reply to Lukas Vrabec from comment #3)
> Tomas, 
> There is one more AVC. 
> type=AVC msg=audit(1428608873.655:903): avc:  denied  { read } for 
> pid=31681 comm="dnssec-trigger-" name="/" dev="tmpfs" ino=14649
> scontext=system_u:system_r:dnssec_trigger_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
> 
> Could I dontaudit this? 
> 
> Thank you.

I think it is not needed. With the recent changes in dnssec-trigger-script and with selinux-policy-3.13.1-128.4.fc22.noarch I'm not seeing any issues related to this.

Can we then take this bug as fixed and close it?

Comment 8 Tomáš Hozza 2015-07-15 13:18:51 UTC
*** Bug 1200996 has been marked as a duplicate of this bug. ***

Comment 9 Tomáš Hozza 2015-07-15 13:24:50 UTC
*** Bug 1215376 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2015-07-20 08:11:16 UTC
yes. 
Closing for now.

