Hello,
I have a server with KDE and I have enabled SELinux in permissive mode.
In journalctl I see these errors:
Jul 21 08:17:50 hpprol2 setroubleshoot[197668]: SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log. For complete SELinux messages run: sealert -l cfcc5252-aabf-4b70-ac82-88311000965e
Jul 21 08:17:50 hpprol2 setroubleshoot[197668]: SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow isc-net-0000 to have getattr access on the dnsquery.log file
Then you need to change the label on /var/lib/named/log/dnsquery.log
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/named/log/dnsquery.log'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tm>
Then execute:
restorecon -v '/var/lib/named/log/dnsquery.log'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that isc-net-0000 should be allowed getattr access on the dnsquery.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'isc-net-0000' --raw | audit2allow -M my-iscnet0000
# semodule -X 300 -i my-iscnet0000.pp
Next search:
hpprol2:/var/log/audit # sealert -l cfcc5252-aabf-4b70-ac82-88311000965e
SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow isc-net-0000 to have getattr access on the dnsquery.log file
Then you need to change the label on /var/lib/named/log/dnsquery.log
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/named/log/dnsquery.log'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t
......
, tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t.
Then execute:
restorecon -v /var/lib/named/log/dnsquery.log
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that isc-net-0000 should be allowed getattr access on the dnsquery.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'isc-net-0000' --raw | audit2allow -M my-iscnet0000
# semodule -X 300 -i my-iscnet0000.pp
Additional Information:
Source Context system_u:system_r:named_t:s0
Target Context system_u:object_r:var_lib_t:s0
Target Objects /var/lib/named/log/dnsquery.log [ file ]
Source isc-net-0000
Source Path isc-net-0000
Port <Unknown>
Host hpprol2
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-20240715-1.1.noarch
Local Policy RPM selinux-policy-targeted-20240715-1.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name hpprol2
Platform Linux hpprol2 6.9.9-1-default #1 SMP PREEMPT_DYNAMIC Thu Jul 11 11:31:54 UTC 2024 (8c0f797) x86_64 x86_64
Alert Count 124
First Seen 2024-07-19 11:39:35 CEST
Last Seen 2024-07-21 08:40:45 CEST
Local ID cfcc5252-aabf-4b70-ac82-88311000965e
Raw Audit Messages
type=AVC msg=audit(1721544045.143:2071): avc: denied { getattr } for pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Hash: isc-net-0000,named_t,var_lib_t,file,getattr
So I tried the first option:
hpprol2:/var/log/audit # semanage fcontext -a -t var_lib_t '/var/lib/named/log/dnsquery.log'
hpprol2:/var/log/audit # restorecon -v '/var/lib/named/log/dnsquery.log'
But the sealert continues to pop up.
The second option seems more complex:
hpprol2:/var/log/audit # ausearch -c 'isc-net-0000' --raw
type=AVC msg=audit(1721495763.334:1954): avc: denied { append } for pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721495763.334:1955): avc: denied { getattr } for pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721496290.999:1960): avc: denied { append } for pid=2121 comm="isc-net-0004" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721496290.999:1961): avc: denied { getattr } for pid=2121 comm="isc-net-0004" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498401.530:1966): avc: denied { append } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498401.530:1967): avc: denied { getattr } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498910.678:1975): avc: denied { append } for pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498910.678:1976): avc: denied { getattr } for pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721502120.159:1981): avc: denied { append } for pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721502120.162:1982): avc: denied { getattr } for pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721505638.670:1987): avc: denied { append } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721505638.670:1988): avc: denied { getattr } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721508009.138:1993): avc: denied { append } for pid=2121 comm="isc-net-0003" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721508009.138:1994): avc: denied { getattr } for pid=2121 comm="isc-net-0003" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721509201.762:1999): avc: denied { append } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721509201.762:2000): avc: denied { getattr } for pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721511136.143:2005): avc: denied { append } for pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721511136.143:2006): avc: denied { getattr } for pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721512811.167:2019): avc: denied { append } for pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721512811.167:2020): avc: denied { getattr } for pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721515581.587:2027): avc: denied { append } for pid=2121 comm="isc-net-0009" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
......
The related process 2121 is named:
hpprol2:/var/log/audit # ps -ef | grep 2121
named 2121 1 0 Jul24 ? 00:05:24 /usr/sbin/named -u named
I solved this problem via:
hpprol2:/var/log/audit # ausearch -c 'isc-net-00' --raw | audit2allow -M my-iscnet00
hpprol2:/var/log/audit # semodule -X 300 -i my-iscnet00.pp
The file my-iscnet00.te contains:
hpprol2:/var/log/audit # cat my-iscnet00.te
module my-iscnet00 1.0;
require {
type var_lib_t;
type named_t;
class dir { add_name remove_name write };
class file { append create getattr open read rename unlink write };
}
#============= named_t ==============
allow named_t var_lib_t:dir { add_name remove_name write };
allow named_t var_lib_t:file { append create getattr open read rename unlink write };
hpprol2:/var/log/audit #
After this no more popup from sealert.
It seems that named is not allowed to log the queries to /var/lib/named/log/dnsquery.log. Is this normal?
Can it be due to the chroot (jail) for named?
Many thanks in advance
Philippe
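Added example, not code from the post above and not from setroubleshoot or audit2allow: a small Python triage script over AVC records of the form Philippe pasted. It parses the raw `type=AVC ... avc: denied { perm } for ...` lines, collapses them into one rule per (source type, target type, class) in the same shape audit2allow writes into a .te file (which is how the `allow named_t var_lib_t:file { ... }` lines in my-iscnet00.te came about), and flags rules whose target is a generic catch-all type such as var_lib_t. The sample input is constructed: three records copied from the post plus one assumed directory record (the .te module in the post also granted dir permissions, so one is included to show how records collapse into rules). The list of generic types and the verdict wording are my assumptions, not part of any SELinux tool. Note that `permissive=1` at the end of every record means each access was logged but not blocked; in enforcing mode the same policy would refuse the append.

```python
"""Triage SELinux AVC denials of the kind quoted in the post above.

Added example, not code from the post or from setroubleshoot/audit2allow.
It parses raw 'type=AVC ... avc: denied { perm } for ...' records,
collapses them into one rule per (source type, target type, class) in
the shape audit2allow writes into a .te file, and flags rules whose
target is a generic fallback type such as var_lib_t, where relabelling
the object is normally preferable to widening the domain's policy.
"""
import re
from collections import defaultdict

# Constructed sample: three records copied from the post plus one assumed
# directory record (the .te module in the post also granted dir perms).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1721495763.334:1954): avc: denied { append } for pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721495763.334:1955): avc: denied { getattr } for pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721496290.999:1960): avc: denied { append } for pid=2121 comm="isc-net-0004" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721500000.000:1970): avc: denied { add_name write } for pid=2121 comm="isc-net-0000" name="dnsquery.log.1" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +"
    r"\{ (?P<perms>[^}]*)\} for +(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed triage list: catch-all types that label whole trees rather than
# one service's data. Granting write access to these is rarely what you want.
GENERIC_TYPES = {"var_lib_t", "var_t", "var_log_t", "usr_t", "etc_t",
                 "tmp_t", "default_t", "unlabeled_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rename",
              "setattr", "add_name", "remove_name"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # scontext/tcontext are user:role:type:level; the type is what policy keys on
    return {
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }


def aggregate(lines):
    """Collapse records into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_te(rules):
    """Render the rules as audit2allow would in a .te file (sorted, one per line)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def triage(rules):
    """Decide per rule whether to relabel the object or allow the access."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        if t in GENERIC_TYPES and perms & WRITE_LIKE:
            verdict = "relabel"
            why = (f"{t} is a catch-all type; allowing {s} to {'/'.join(sorted(perms & WRITE_LIKE))} "
                   f"every {t} {c} is far wider than one log file. Find a type {s} may already "
                   f"write (sesearch --allow -s {s} -c {c} -p write) and relabel the path to it.")
        elif t in GENERIC_TYPES:
            verdict = "review"
            why = f"read-only access to {t}; confirm the path is labelled as intended before allowing."
        else:
            verdict = "allow-candidate"
            why = f"{t} is specific to a service; a local module is a reasonable fix."
        out.append({"rule": f"allow {s} {t}:{c}", "verdict": verdict, "why": why})
    return out


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AUDIT.splitlines())
    print("\n".join(to_te(rules)))
    for item in triage(rules):
        print(f"{item['verdict']:>15}  {item['rule']}: {item['why']}")
```

Run it with `python3 avc_triage.py` (any file name works) or feed real records with `ausearch -m AVC --raw | python3 -c 'import avc_triage, sys; print(avc_triage.triage(avc_triage.aggregate(sys.stdin)))'`. The design point is the verdict: the Target Context in the sealert output is already var_lib_t, so relabelling the file to var_lib_t cannot change anything, and a module that lets named_t create, unlink, rename and write every var_lib_t file and directory reaches far beyond one query log. The sesearch query in the verdict lists the types the domain may already write, which is where the replacement label for the log directory should come from.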