bind (named) uses a named init script, 'named_initrc_exec_t'. The sysadm_t domain has no right to execute it: "zsh: permission denied: /etc/init.d/named" (no avc)

Is there a new role for the named administration?

In the previous version, a "bind_admin(sysadm_t,sysadm_r);" fixed the issue, but now this interface is broken:
libsepol.print_missing_requirements: fixes's global requirements were not met: type/attribute named_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).

I think that the "named_var_lib_t" doesn't exist any more. Removing all its references from contrib/bind.if seems to work fine.
well, didn't work for me, here is the full audit log without dontaudit enabled.

type=AVC msg=audit(1352233096.023:693394): avc: denied { execute } for pid=22088 comm="bash" name="named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute_no_trans } for pid=22088 comm="bash" path="/etc/init.d/named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.042:693395): avc: denied { getattr } for pid=22088 comm="rc" path="/etc/init.d/php-fpm" dev="vda3" ino=9069 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file
type=AVC msg=audit(1352233096.311:693396): avc: denied { audit_control } for pid=22114 comm="rc" capability=30 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability
type=AVC msg=audit(1352233096.321:693398): avc: denied { execute } for pid=22114 comm="rc" name="named" dev="dm-0" ino=19623 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_exec_t tclass=file
type=AVC msg=audit(1352233096.321:693398): avc: denied { execute_no_trans } for pid=22114 comm="rc" path="/usr/sbin/named" dev="dm-0" ino=19623 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_exec_t tclass=file
type=AVC msg=audit(1352233096.347:693399): avc: denied { setrlimit } for pid=22115 comm="named" ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
type=AVC msg=audit(1352233096.362:693400): avc: denied { name_bind } for pid=22116 comm="named" src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
type=AVC msg=audit(1352233096.366:693401): avc: denied { name_bind } for pid=22116 comm="named" src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=tcp_socket
type=AVC msg=audit(1352233096.366:693401): avc: denied { node_bind } for pid=22116 comm="named" saddr=127.0.0.1 src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
type=AVC msg=audit(1352233096.403:693402): avc: denied { name_bind } for pid=22116 comm="named" src=953 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
type=AVC msg=audit(1352233096.442:693403): avc: denied { name_bind } for pid=22116 comm="named" src=28813 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
type=AVC msg=audit(1352233096.503:693404): avc: denied { name_bind } for pid=22118 comm="named" src=10200 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:trisoap_port_t tclass=udp_socket
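A small triage helper for AVC records like the ones above, added here as an example and not part of this bug report or of the policy: it groups denials by source domain, target type and object class, and flags executables denied execute_no_trans, i.e. run with no domain transition in place, which is the symptom of the missing bind_admin() rules. The sample records are a trimmed copy of the log above and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied (trimmed) from the audit log above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute } for pid=22088 comm="bash" name="named" dev="vda3" ino=8691 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute_no_trans } for pid=22088 comm="bash" path="/etc/init.d/named" dev="vda3" ino=8691 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.362:693400): avc: denied { name_bind } for pid=22116 comm="named" src=53 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
"""

# Permissions sit between braces; the three contexts/class fields close the record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denied permissions and the type part of both contexts, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "sdomain": m.group("scontext").split(":")[2],   # user:role:type[:mls]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def summarize(log):
    """Group denied permissions by (source domain, target type, object class)."""
    groups = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def missing_transition(summary):
    """Target file types executed without a domain transition (execute_no_trans).

    For an *_initrc_exec_t or *_exec_t file this usually means the policy lacks
    the domtrans rule an admin interface such as bind_admin() would provide."""
    return sorted(ttype for (_, ttype, tclass), perms in summary.items()
                  if tclass == "file" and "execute_no_trans" in perms)


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_AUDIT).items():
        print(key, perms)
    print("no transition for:", missing_transition(summarize(SAMPLE_AUDIT)))
```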
well, now it worked. also, the fix is upstreamed
r7 is now in hardened-dev
In main tree, ~arch'ed
r8 is now stable