Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1236363 - A couple of suggestions / comments
Summary: A couple of suggestions / comments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-trigger
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Tomáš Hozza
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: Default_Local_DNS_Resolver
TreeView+ depends on / blocked
 
Reported: 2015-06-28 09:24 UTC by dac.override
Modified: 2015-07-30 01:12 UTC (History)
5 users (show)

Fixed In Version: dnssec-trigger-0.13-0.1.20150714svn.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-30 01:12:35 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description dac.override 2015-06-28 09:24:10 UTC
Description of problem:

As per the Fedora 23 dnssec feature page i set up to try it. (i maintain a personalized SELinux policy, and i wanted that policy to support the dnssec-trigger feature)

1. the dnssec-trigger "control setup" service unit calls the restorecon command to reset /etc/dnssec-trigger security contexts.

    * Why is that? This should not be needed. This would just hide policy issues. It also sets a less than optimal precedent in that I would not want to have random sevice units calling restorecon out of lazyness or misunderstandings. Can we please remove that and then if there are issues with labeling of /etc/dnssec-trigger, fix those issues in the appropriate component (selinux-policy)

   (BTW this also applies to the unbound "control setup" service unit)

2. The dnssec-triggerd service maintain a pid file in /run. Please consider to extend the dnssec-triggerd service unit to support this pid file with "PidFile=". This should ensure that the pidfile is deleted in case of an unclean shutdown of the triggerd service.

   (BTW this also, to some extend, applies to the unbound service unit, with the exception that unbound does not maintain its pidfile in /run but instead /run/unbound. Maybe consider placing that pid file in /run as well to stay consistent with triggerd?)

3. The dnssec-trigger script sets the Linux immutable bit on, i suspect, /etc/resolv.conf. Is there not a more elegant way to ensure integrity of that file?

4. the dnssec-trigger script runs restorecon on /run/dnssec-trigger/resolve.conf.backup.

    * Why is that? This should not be needed and is not desired. SELinux should be transparent to the user space. This would just hide policy issues. It also sets a less than optimal precedence in that I wouldnt want random services to resort to running restorecon out of lazyness of misunderstandings. Can we remove that so that any labeling issues can be resolved in the appropriate component instead (selinux-policy)

    This actually seems to break functionality because:

       If i block attempts by trigger-script to relabel /run/dnssec-trigger/resolv.conf.backup, then trigger-script logs an error/warning saying that it was not able to create the backup.

       I' am not sure if that message is accurate but i do not really see how this should block a backup.

Version-Release number of selected component (if applicable):
rawhide

Additional info:

Other than the comments/suggestions above it looks pretty good to me. Although you may want to consider splitting out dnssec-trigger-applet. (Some of use do not support applets, so having that component installed is inefficient)

These are just suggestions. take it or leave it obviously.

Comment 1 dac.override 2015-06-28 17:08:36 UTC
By the way, Not sure if it is just me but on my system triggerd/unbound is not resolving anything when i resume from suspend.

On my system i worked around that by creating a dnssec-triggerd_resume.service of type one shot that is wanted by sleep.target and really just runs systemctl restart dnssec-triggerd.service

Comment 2 dac.override 2015-06-28 17:18:59 UTC
Above may or may not be related to the fact that i tested this on a system that only has a usb network (e.g. usb wireless wlan). wpa_supplicant also behaves a little weird on that system due to that.

Comment 3 Tomáš Hozza 2015-07-15 07:53:19 UTC
(In reply to dac.override from comment #0)
> Description of problem:
> 
> As per the Fedora 23 dnssec feature page i set up to try it. (i maintain a
> personalized SELinux policy, and i wanted that policy to support the
> dnssec-trigger feature)
> 
> 1. the dnssec-trigger "control setup" service unit calls the restorecon
> command to reset /etc/dnssec-trigger security contexts.
> 
>     * Why is that? This should not be needed. This would just hide policy
> issues. It also sets a less than optimal precedent in that I would not want
> to have random sevice units calling restorecon out of lazyness or
> misunderstandings. Can we please remove that and then if there are issues
> with labeling of /etc/dnssec-trigger, fix those issues in the appropriate
> component (selinux-policy)
> 
>    (BTW this also applies to the unbound "control setup" service unit)

removed...

> 2. The dnssec-triggerd service maintain a pid file in /run. Please consider
> to extend the dnssec-triggerd service unit to support this pid file with
> "PidFile=". This should ensure that the pidfile is deleted in case of an
> unclean shutdown of the triggerd service.

ok, added...

>    (BTW this also, to some extend, applies to the unbound service unit, with
> the exception that unbound does not maintain its pidfile in /run but instead
> /run/unbound. Maybe consider placing that pid file in /run as well to stay
> consistent with triggerd?)
> 
> 3. The dnssec-trigger script sets the Linux immutable bit on, i suspect,
> /etc/resolv.conf. Is there not a more elegant way to ensure integrity of
> that file?

No there is not. We are open to suggestions. There are plenty services that are trying to modify resolv.conf. Unfortunately we don't have any better way.

> 4. the dnssec-trigger script runs restorecon on
> /run/dnssec-trigger/resolve.conf.backup.
> 
>     * Why is that? This should not be needed and is not desired. SELinux
> should be transparent to the user space. This would just hide policy issues.
> It also sets a less than optimal precedence in that I wouldnt want random
> services to resort to running restorecon out of lazyness of
> misunderstandings. Can we remove that so that any labeling issues can be
> resolved in the appropriate component instead (selinux-policy)

I don't see it anywhere in the code.

>     This actually seems to break functionality because:
> 
>        If i block attempts by trigger-script to relabel
> /run/dnssec-trigger/resolv.conf.backup, then trigger-script logs an
> error/warning saying that it was not able to create the backup.
> 
>        I' am not sure if that message is accurate but i do not really see
> how this should block a backup.
> 
> Version-Release number of selected component (if applicable):
> rawhide
> 
> Additional info:
> 
> Other than the comments/suggestions above it looks pretty good to me.
> Although you may want to consider splitting out dnssec-trigger-applet. (Some
> of use do not support applets, so having that component installed is
> inefficient)

Yes, splitting the dnssec-trigger-panel into sub-package seems like a good idea. Also because GNOME folks don't seem to like panels :)

> These are just suggestions. take it or leave it obviously.


Please file separate report for unbound if possible.

Thanks!

Comment 4 Fedora Update System 2015-07-15 13:01:03 UTC
dnssec-trigger-0.13-0.1.20150714svn.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/dnssec-trigger-0.13-0.1.20150714svn.fc22

Comment 5 Jan Kurik 2015-07-15 13:53:58 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 6 Fedora Update System 2015-07-18 02:06:20 UTC
Package dnssec-trigger-0.13-0.1.20150714svn.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.13-0.1.20150714svn.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11754/dnssec-trigger-0.13-0.1.20150714svn.fc22
then log in and leave karma (feedback).

Comment 7 dac.override 2015-07-18 17:29:35 UTC
(In reply to Tomas Hozza from comment #3)


> > 4. the dnssec-trigger script runs restorecon on
> > /run/dnssec-trigger/resolve.conf.backup.
> > 
> >     * Why is that? This should not be needed and is not desired. SELinux
> > should be transparent to the user space. This would just hide policy issues.
> > It also sets a less than optimal precedence in that I wouldnt want random
> > services to resort to running restorecon out of lazyness of
> > misunderstandings. Can we remove that so that any labeling issues can be
> > resolved in the appropriate component instead (selinux-policy)
> 
> I don't see it anywhere in the code.

Does it "mv" /etc/resolv.conf /run/dnssec-trigger/resolve.conf.backup and then later restorecon /run/dnssec-trigger or somthing? I am pretty sure there is some relabeling going on that should not be.

Comment 8 Tomáš Hozza 2015-07-20 09:05:50 UTC
(In reply to dac.override from comment #7)
> (In reply to Tomas Hozza from comment #3)
> 
> 
> > > 4. the dnssec-trigger script runs restorecon on
> > > /run/dnssec-trigger/resolve.conf.backup.
> > > 
> > >     * Why is that? This should not be needed and is not desired. SELinux
> > > should be transparent to the user space. This would just hide policy issues.
> > > It also sets a less than optimal precedence in that I wouldnt want random
> > > services to resort to running restorecon out of lazyness of
> > > misunderstandings. Can we remove that so that any labeling issues can be
> > > resolved in the appropriate component instead (selinux-policy)
> > 
> > I don't see it anywhere in the code.
> 
> Does it "mv" /etc/resolv.conf /run/dnssec-trigger/resolve.conf.backup and
> then later restorecon /run/dnssec-trigger or somthing? I am pretty sure
> there is some relabeling going on that should not be.

No, it' not. I investigated the package thoroughly. Feel free to download the SRPM and investigate.

Comment 9 Fedora Update System 2015-07-30 01:12:35 UTC
dnssec-trigger-0.13-0.1.20150714svn.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.