Bug 1827588 - selinux-policy does not allow map to named
Summary: selinux-policy does not allow map to named
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-24 09:25 UTC by Petr Menšík
Modified: 2020-05-26 14:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-26 14:29:34 UTC
Type: Bug
Embargoed:



Description Petr Menšík 2020-04-24 09:25:28 UTC
Description of problem:
type=AVC msg=audit(1587718898.4:40110): avc:  denied  { map } for  pid=19555 comm="isc-worker0003" path="/var/named/slaves/db.root-servers.net" dev="dm-1" ino=2491489 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file permissive=0

Hash: isc-worker0001,named_t,named_cache_t,file,map


Version-Release number of selected component (if applicable):
bind-9.16.2-1.fc30.x86_64
selinux-policy-3.14.3-56.fc30.noarch


How reproducible:
always

Steps to Reproduce:
1. dnf install bind
2. append the stubs below to /etc/named.conf or include "/etc/named/root-servers.conf";
3. systemctl restart named
4. systemctl restart named

# append to named.conf
masters "xfr.dns.icann.org" {
        192.0.32.132; 2620:0:2d0:202::132;  # lax
        192.0.47.132; 2620:0:2830:202::132; # iad
};

zone "root-servers.net" IN {
        type slave;
        file "slaves/db.root-servers.net";
        masters { "xfr.dns.icann.org"; };
        masterfile-format map;
        notify no;
};


Actual results:
SELinux is preventing isc-worker0001 from map access on the file /var/named/slaves/db.root-servers.net.
Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_cache_t:s0
Target Objects                /var/named/slaves/db.root-servers.net [ file ]
Source                        isc-worker0001
Source Path                   isc-worker0001
Port                          <Unknown>
Host                          menpad
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-56.fc30.noarch
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     menpad
Platform                      Linux menpad 5.4.7-100.fc30.x86_64 #1 SMP Wed Jan
                              1 01:37:52 UTC 2020 x86_64 x86_64
Alert Count                   3
First Seen                    2020-04-02 11:41:02 CEST
Last Seen                     2020-04-24 11:01:38 CEST
Local ID                      8452d248-5f97-4940-b0bc-96bcc20a729c

Raw Audit Messages
type=AVC msg=audit(1587718898.4:40110): avc:  denied  { map } for  pid=19555 comm="isc-worker0003" path="/var/named/slaves/db.root-servers.net" dev="dm-1" ino=2491489 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file permissive=0


Hash: isc-worker0001,named_t,named_cache_t,file,map

Expected results:
No Selinux error

Additional info:

Comment 1 Zdenek Pytela 2020-04-24 09:33:19 UTC
Seems like the following commit needs to be backported to F30, too:

commit 8a24bf7ae89c32228a7f195cda49f027cacda58c
Author: Nikola Knazekova <nknazeko>
Date:   Tue Jul 16 16:05:02 2019 +0200

    allow named_t to map named_cache_t files

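As an added example (not code from the bug report or from the selinux-policy project), the shell functions below parse an AVC denial like the one in the description into the allow rule that the commit in comment 1 adds, wrapped in a local policy module an administrator could load until the backported build lands; the function names, the module name and the sample variable are assumptions of mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn one AVC denial line into the
# minimal local policy module that grants exactly the denied access.
# Function and module names are my own choice.

# Constructed sample: the AVC line quoted in the bug description.
AVC_SAMPLE='type=AVC msg=audit(1587718898.4:40110): avc:  denied  { map } for  pid=19555 comm="isc-worker0003" path="/var/named/slaves/db.root-servers.net" dev="dm-1" ino=2491489 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file permissive=0'

# Pull permissions, source type, target type and object class out of one AVC
# line into globals (POSIX sh has no locals). Returns 1 if any field is missing.
avc_fields() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    stype=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ]
}

# Print the single allow rule matching the denial, e.g.
# "allow named_t named_cache_t:file { map };" for the sample above.
avc_to_allow() {
    avc_fields "$1" || return 1
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Print a complete .te source for a module named "$2" (default named_map_local)
# that declares the types and class it needs and then grants the rule.
avc_to_te() {
    avc_fields "$1" || return 1
    mod=${2:-named_map_local}
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$mod" "$stype" "$ttype" "$tclass" "$perms"
    avc_to_allow "$1"
}

# The map permission is requested because named mmap()s a zone file stored with
# "masterfile-format map"; the commit in comment 1 grants this same rule.
avc_to_te "$AVC_SAMPLE"
# Build and load the module with the standard toolchain (as root):
#   checkmodule -M -m -o named_map_local.mod named_map_local.te
#   semodule_package -o named_map_local.pp -m named_map_local.mod
#   semodule -i named_map_local.pp
# "audit2allow -M named_map_local" on the same AVC line automates these steps.
```

Review the generated rule before loading it: a local module should grant only the permission the denial names, and it can be removed with semodule -r once the fixed selinux-policy package is installed.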
Comment 2 Zdenek Pytela 2020-04-24 09:37:33 UTC
I've submitted a Fedora PR to address the issue:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/237

Comment 3 Lukas Vrabec 2020-04-24 10:45:14 UTC
PR merged.

Comment 4 Ben Cotton 2020-04-30 20:11:49 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 reaches end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Fedora Update System 2020-05-13 14:43:37 UTC
FEDORA-2020-7db677a922 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-7db677a922

Comment 6 Fedora Update System 2020-05-14 07:25:21 UTC
FEDORA-2020-7db677a922 has been pushed to the Fedora 30 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-7db677a922`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-7db677a922

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Ben Cotton 2020-05-26 14:29:34 UTC
Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

