fedora-selinux / selinux-policy-contrib

Fedora Policy Contributions

Updates to PowerDNS (PDNS) Authoritative #260

Open Slair1 opened 4 years ago

Slair1 commented 4 years ago

Running PowerDNS Authoritative 4.3.0. Here is some output from audit2why. PDNS will not stay running if in "slave=yes" mode and selinux is enforcing. Let me know if I can provide any further detail.

type=AVC msg=audit(1591479324.914:40): avc:  denied  { map } for  pid=2063 comm="pdns_server" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="dm-0" ino=33556196 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

        Was caused by:
        The boolean domain_can_mmap_files was set incorrectly.
        Description:
        Allow domain to can mmap files

        Allow access by executing:
        # setsebool -P domain_can_mmap_files 1
type=AVC msg=audit(1591641530.583:1766): avc:  denied  { read } for  pid=1820 comm="pdns-r/webhndlr" name="stat" dev="proc" ino=4026532026 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1591473587.377:5576): avc:  denied  { name_bind } for  pid=8963 comm="pdns/comm-main" src=18899 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

        Was caused by:
        The boolean nis_enabled was set incorrectly.
        Description:
        Allow nis to enabled

        Allow access by executing:
        # setsebool -P nis_enabled 1

Created the following additional module to fix:

module pdns_local 1.0;

require {
        type proc_t;
        type usr_t;
        type pdns_t;
        type unreserved_port_t;
        class udp_socket name_bind;
        class file { map read };
}

#============= pdns_t ==============
# pdns-r/webhndlr reading /proc files (name="stat" in the denial above)
allow pdns_t proc_t:file read;

# pdns/comm-main binding a UDP socket to a high, unreserved port (src=18899)
allow pdns_t unreserved_port_t:udp_socket name_bind;

# pdns_server mapping /usr/share/p11-kit/modules/p11-kit-trust.module
allow pdns_t usr_t:file map;

zpytela commented 4 years ago

@Slair1, is the port number pdns tries to bind to always the same, or predictable? Also, will you be able to create a PR to address the issue? The map permission to usr_t files should be a part of the policy since commit 86fb539fd71e513536c5d2f6214cd4edbe6beddf from Jun 5th.

Slair1 commented 4 years ago

@zpytela If I understand correctly, it was trying to bind w/ port 18899 according to the audit entry, correct? Then no, that should just be an ephemeral port and could be any high numbered port.

Yea, I should be able to have someone on my team do a PR to address the issue. It may not be right away, but we should be able to figure that out.

zpytela commented 4 years ago

@Slair1, what is the current status of this issue? Do you need any help?

I've confirmed the map permission is allowed. Note the ephemeral port range is this by default:

        # sysctl net.ipv4.ip_local_port_range
        net.ipv4.ip_local_port_range = 32768 60999

To resolve the access to /proc, it is required to know which files are necessary to read. Setting the system to permissive mode can help with gathering all denials.
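The triage the thread walks through by hand (is the denied port really ephemeral, is the `map` on `usr_t` a known boolean, which /proc object needs a TE rule) can be scripted over the AVC records. This is an added example, not code from this repository or from the reporter; it parses the three denials quoted above (embedded as constructed sample input) and compares the `name_bind` port against the default `ip_local_port_range` zpytela cites. The function names are my own.

```python
import re

# Default range quoted in the thread (sysctl net.ipv4.ip_local_port_range).
DEFAULT_EPHEMERAL = (32768, 60999)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': set, 'fields': dict} for one AVC record, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"perms": set(m.group("perms").split()), "fields": fields}


def context_type(ctx):
    """'system_u:object_r:usr_t:s0' -> 'usr_t' (the type field of a context)."""
    return ctx.split(":")[2]


def triage(denial, port_range=DEFAULT_EPHEMERAL):
    """Classify one parsed denial the way the discussion above reasons about each one."""
    f = denial["fields"]
    ttype, tclass = context_type(f["tcontext"]), f["tclass"]
    if "name_bind" in denial["perms"] and tclass.endswith("_socket"):
        port, (lo, hi) = int(f["src"]), port_range
        where = "inside" if lo <= port <= hi else "outside"
        return f"bind {tclass} {port} ({ttype}) {where} ip_local_port_range {lo}-{hi}"
    if "map" in denial["perms"] and ttype == "usr_t":
        return f"map {f.get('path', '?')}: domain_can_mmap_files or the updated policy"
    obj = f.get("path") or f.get("name", "?")
    return f"{' '.join(sorted(denial['perms']))} on {tclass} {ttype} ({obj}): needs a TE rule"


def triage_log(lines):
    """Run triage over raw audit lines, skipping anything that is not an AVC denial."""
    return [triage(d) for d in map(parse_avc, lines) if d]


# Constructed sample input: the three denials quoted in the issue.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1591479324.914:40): avc:  denied  { map } for  pid=2063 comm="pdns_server" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="dm-0" ino=33556196 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1591641530.583:1766): avc:  denied  { read } for  pid=1820 comm="pdns-r/webhndlr" name="stat" dev="proc" ino=4026532026 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1591473587.377:5576): avc:  denied  { name_bind } for  pid=8963 comm="pdns/comm-main" src=18899 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
]

if __name__ == "__main__":
    for verdict in triage_log(SAMPLE_AVCS):
        print(verdict)
```

For the quoted records the script reports port 18899 as outside the default 32768-60999 range, which is the point zpytela raises: a port outside the ephemeral range may be predictable and worth a dedicated port type rather than a blanket `unreserved_port_t` bind.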