Selinux : named and dnsquery.log

Hello,

I have a server with KDE and I have enabled SELinux in permissive mode.

In journalctl I see these errors:

Jul 21 08:17:50 hpprol2 setroubleshoot[197668]: SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log. For complete SELinux messages run: sealert -l cfcc5252-aabf-4b70-ac82-88311000965e
Jul 21 08:17:50 hpprol2 setroubleshoot[197668]: SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log.
                                                
    *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
                                                
            If you want to allow isc-net-0000 to have getattr access on the dnsquery.log file
            Then you need to change the label on /var/lib/named/log/dnsquery.log
            Do
            # semanage fcontext -a -t FILE_TYPE '/var/lib/named/log/dnsquery.log'
             where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tm>
           Then execute:
           restorecon -v '/var/lib/named/log/dnsquery.log'
                                                
                                                
    *****  Plugin catchall (17.1 confidence) suggests   **************************
                                                
           If you believe that isc-net-0000 should be allowed getattr access on the dnsquery.log file by default.
           Then you should report this as a bug.
           You can generate a local policy module to allow this access.
           Do
           allow this access for now by executing:
           # ausearch -c 'isc-net-0000' --raw | audit2allow -M my-iscnet0000
           # semodule -X 300 -i my-iscnet0000.pp

Next search

 hpprol2:/var/log/audit # sealert -l cfcc5252-aabf-4b70-ac82-88311000965e
SELinux is preventing isc-net-0000 from getattr access on the file /var/lib/named/log/dnsquery.log.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow isc-net-0000 to have getattr access on the dnsquery.log file
Then you need to change the label on /var/lib/named/log/dnsquery.log
Do

# semanage fcontext -a -t FILE_TYPE '/var/lib/named/log/dnsquery.log'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t
......
, tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t.
Then execute:
restorecon -v /var/lib/named/log/dnsquery.log

*****  Plugin catchall (17.1 confidence) suggests   **************************
If you believe that isc-net-0000 should be allowed getattr access on the dnsquery.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'isc-net-0000' --raw | audit2allow -M my-iscnet0000
# semodule -X 300 -i my-iscnet0000.pp


Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/named/log/dnsquery.log [ file ]
Source                        isc-net-0000
Source Path                   isc-net-0000
Port                          <Unknown>
Host                          hpprol2
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-20240715-1.1.noarch
Local Policy RPM              selinux-policy-targeted-20240715-1.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hpprol2
Platform                      Linux hpprol2 6.9.9-1-default #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 11 11:31:54 UTC 2024
                              (8c0f797) x86_64 x86_64
Alert Count                   124
First Seen                    2024-07-19 11:39:35 CEST
Last Seen                     2024-07-21 08:40:45 CEST
Local ID                      cfcc5252-aabf-4b70-ac82-88311000965e

Raw Audit Messages
type=AVC msg=audit(1721544045.143:2071): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

Hash: isc-net-0000,named_t,var_lib_t,file,getattr

So I tried the first option

hpprol2:/var/log/audit # semanage fcontext -a -t var_lib_t '/var/lib/named/log/dnsquery.log'
hpprol2:/var/log/audit # restorecon -v '/var/lib/named/log/dnsquery.log'

But the sealert continues to pop up.

The second option seems more complex

hpprol2:/var/log/audit # ausearch -c 'isc-net-0000' --raw 
type=AVC msg=audit(1721495763.334:1954): avc:  denied  { append } for  pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721495763.334:1955): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721496290.999:1960): avc:  denied  { append } for  pid=2121 comm="isc-net-0004" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721496290.999:1961): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0004" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498401.530:1966): avc:  denied  { append } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498401.530:1967): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498910.678:1975): avc:  denied  { append } for  pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721498910.678:1976): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721502120.159:1981): avc:  denied  { append } for  pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721502120.162:1982): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721505638.670:1987): avc:  denied  { append } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721505638.670:1988): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721508009.138:1993): avc:  denied  { append } for  pid=2121 comm="isc-net-0003" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721508009.138:1994): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0003" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721509201.762:1999): avc:  denied  { append } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721509201.762:2000): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0002" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721511136.143:2005): avc:  denied  { append } for  pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721511136.143:2006): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0011" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721512811.167:2019): avc:  denied  { append } for  pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721512811.167:2020): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0001" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721515581.587:2027): avc:  denied  { append } for  pid=2121 comm="isc-net-0009" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
......

The related process 2121 is named

hpprol2:/var/log/audit # ps -ef | grep 2121
named       2121       1  0 Jul24 ?        00:05:24 /usr/sbin/named -u named

I solved this problem via

hpprol2:/var/log/audit # ausearch -c 'isc-net-00' --raw | audit2allow -M my-iscnet00
hpprol2:/var/log/audit # semodule -X 300 -i my-iscnet00.pp

The file my-iscnet00.te contains:

hpprol2:/var/log/audit # cat my-iscnet00.te

module my-iscnet00 1.0;

require {
        type var_lib_t;
        type named_t;
        class dir { add_name remove_name write };
        class file { append create getattr open read rename unlink write };
}

#============= named_t ==============
allow named_t var_lib_t:dir { add_name remove_name write };
allow named_t var_lib_t:file { append create getattr open read rename unlink write };
hpprol2:/var/log/audit # 

After this no more popup from sealert.
It seems that named is not allowed to log the queries to /var/lib/named/log/dnsquery.log. Is this normal?
Can it be due to the chroot (jail) for named?
Many thanks in advance
Philippe
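The raw AVC records above are what audit2allow turns into the allow rules in my-iscnet00.te. The following script is an added example, not part of this thread or of any SELinux tool: it parses AVC denial records of that shape, groups them by source type, target type and object class as audit2allow does, renders the resulting allow rules, and flags the case seen here, where the target is a catch-all type such as var_lib_t, so that the rule would open up every var_lib_t object to named_t instead of only the files under /var/lib/named. The sample records are constructed to mirror the ones quoted in the thread, and the list of catch-all types is a heuristic of my own, not a set SELinux defines.

```python
"""Triage raw AVC denials: what would audit2allow grant, and is relabelling the better fix?

Added example for this thread, not code from setroubleshoot or audit2allow.
"""
import os
import re
from collections import defaultdict

# Constructed sample records, modelled on the denials quoted in this thread.
# The SYSCALL record is included only to show that non-AVC lines are skipped.
SAMPLE_AVC = """\
type=AVC msg=audit(1721495763.334:1954): avc:  denied  { append } for  pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721495763.334:1955): avc:  denied  { getattr } for  pid=2121 comm="isc-net-0000" path="/var/lib/named/log/dnsquery.log" dev="sdb2" ino=4719263 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1722094007.164:1542): avc:  denied  { read write open } for  pid=2121 comm="isc-net-0005" path="/var/lib/named/dyn/tmp-8BTcyhF4Br" dev="sdb2" ino=4719439 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1722094007.164:1542): arch=c000003e syscall=257 success=yes exit=9 pid=2121 comm="isc-net-0005" subj=system_u:system_r:named_t:s0
"""

# Heuristic list (my own choice, not an SELinux-defined set) of generic types that
# label whole trees by default; an allow rule against one of them is usually a sign
# that the object should have been labelled with a more specific type instead.
GENERIC_TYPES = {
    "var_lib_t", "var_t", "var_log_t", "var_run_t", "etc_t", "usr_t", "tmp_t",
    "default_t", "unlabeled_t", "root_t", "home_root_t", "bin_t", "lib_t",
}


def parse_avc(line):
    """Return the useful fields of one raw AVC denial, or None for any other record."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    # key=value pairs; values are either double-quoted or a run of non-space characters
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": frozenset(m.group(1).split()),
        "path": fields.get("path"),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],   # user:role:type:level -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def aggregate(records):
    """Group denials by (source type, target type, class), unioning the permissions."""
    perms = defaultdict(set)
    paths = defaultdict(set)
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        perms[key] |= r["perms"]
        if r["path"]:
            paths[key].add(r["path"])
    return perms, paths


def allow_rules(perms):
    """Render one allow rule per key, permissions sorted, in audit2allow's style."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def triage(raw_text):
    """Parse a dump of audit records and return the rules plus relabelling warnings."""
    records = [r for r in map(parse_avc, raw_text.splitlines()) if r]
    perms, paths = aggregate(records)
    warnings = []
    for key, _ in perms.items():
        stype, ttype, tclass = key
        if ttype in GENERIC_TYPES:
            # The common prefix of the denied paths is the tree that wants its own label.
            prefix = os.path.commonpath(sorted(paths[key])) if paths[key] else "<unknown>"
            warnings.append(
                f"{stype} -> {ttype}:{tclass}: target is a generic type; "
                f"relabel {prefix} with a {stype}-specific type instead of "
                f"allowing {stype} on every {ttype} {tclass}"
            )
    return {"rules": allow_rules(perms), "warnings": warnings}


if __name__ == "__main__":
    result = triage(SAMPLE_AVC)
    print("\n".join(result["rules"]))
    print("\n".join(result["warnings"]))
```

Run against `ausearch -m AVC --raw` output instead of SAMPLE_AVC to triage a real system. The point the warning makes is the one the thread arrives at later: when every denied path sits under one directory that carries a generic type, the fix is a semanage fcontext entry for that directory, not an allow rule against the generic type.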

That is of course possible. At least, I do not see any rule for /var/lib/named in the upstream Fedora selinux-policy. The right fix should really be to label those files properly, not to open up access for named to the whole of /var/lib. Judging by the name, it should probably be named_log_t.

If you are using the unmodified openSUSE package, you should open a bug report and choose the component Security.

So something like

# semanage fcontext -a -t named_log_t "/var/lib/named/log(/.*)?"
# restorecon -v -r /var/lib/named/log

Another question
These log files are also renamed and a new file is created (logrotate?). Does the label refer to the existing file or to the name of the file?

Many thanks in advance
Philippe

restorecon applies the label to the file itself (it is stored as a file extended attribute). New files either inherit the directory label or are labeled according to the domain transition rules, if such rules are defined in the current policy.

This would be something like

type_transition named_t var_lib_t:file named_log_t;

It may not be enough: named_t also needs permissions to create files inside a var_lib_t directory and to work with named_log_t files. I expect the latter should already be available, and if named is able to create files (even with “wrong” labels) the former should be present as well.
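The reply above describes two separate labelling mechanisms, and the earlier question about rotated log files is answered by how they interact: restorecon relabels an existing inode from the file-context specs, the rename done by logrotate carries that extended attribute with the inode, and the freshly created replacement is labelled at creation time, from its parent directory unless a type_transition applies. The following small model is an added example, not part of this thread and not code from libselinux; the specs, the transition rule and the paths are constructed for illustration, and "last matching spec wins, with semanage's local specs consulted after the distribution ones" is a simplification of the lookup libselinux performs.

```python
"""Model of SELinux file labelling: restorecon vs. inheritance vs. type_transition.

Added example for this thread; constructed specs and rules, not a real policy.
"""
import re

# Constructed file-context specs as (regex, type), in the order a lookup sees them:
# distribution specs first, then the local customisations added with semanage.
DIST_SPECS = [
    (r"/var/lib(/.*)?", "var_lib_t"),
    (r"/var/named(/.*)?", "named_zone_t"),   # upstream (Fedora) location of the chroot
]
LOCAL_SPECS = [
    # semanage fcontext -a -t named_log_t "/var/lib/named/log(/.*)?"
    (r"/var/lib/named/log(/.*)?", "named_log_t"),
]

# Constructed equivalent of:  type_transition named_t var_lib_t:file named_log_t;
TRANSITIONS = {("named_t", "var_lib_t", "file"): "named_log_t"}


def matchpathcon(path, specs=None, default="default_t"):
    """Type restorecon would set on `path`: the last spec whose anchored regex matches."""
    if specs is None:
        specs = DIST_SPECS + LOCAL_SPECS
    label = default
    for regex, ftype in specs:
        if re.fullmatch(regex, path):   # file_contexts regexes are anchored
            label = ftype
    return label


def label_on_create(creator_domain, parent_type, tclass="file", transitions=None):
    """Type a new object gets: the transition rule's target if one matches, else the parent's type."""
    if transitions is None:
        transitions = TRANSITIONS
    return transitions.get((creator_domain, parent_type, tclass), parent_type)


def rotate_scenario(log_dir, dir_type, creator="named_t", specs=None, transitions=None):
    """Simulate a logrotate cycle and return the labels of the rotated and the new file.

    1. restorecon labels the existing log from the specs.
    2. logrotate renames it; the xattr travels with the inode, so the label stays.
    3. the daemon creates a new log; its label comes from label_on_create().
    """
    current = f"{log_dir}/dnsquery.log"
    rotated = f"{log_dir}/dnsquery.log.1"
    labels = {current: matchpathcon(current, specs)}
    labels[rotated] = labels.pop(current)
    labels[current] = label_on_create(creator, dir_type, "file", transitions)
    return labels


if __name__ == "__main__":
    # Without any fix: everything stays var_lib_t, which is what the denials show.
    print(rotate_scenario("/var/lib/named/log", "var_lib_t", specs=DIST_SPECS, transitions={}))
    # Transition rule only, no restorecon: the new file is right, the rotated one still wrong.
    print(rotate_scenario("/var/lib/named/log", "var_lib_t", specs=DIST_SPECS))
    # Relabel the directory tree too: new files inherit named_log_t with no rule needed.
    print(rotate_scenario("/var/lib/named/log", matchpathcon("/var/lib/named/log")))
```

The third run is the combination the reply recommends: once the directory itself carries named_log_t, every file named creates there inherits it, and the type_transition is only needed while the parent directory is still var_lib_t.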

I have opened a bug report in the openSUSE Bugzilla:
https://bugzilla.opensuse.org/show_bug.cgi?id=1228372

"Bug 1228372 - selinux denied named access to /var/lib/named/log/dnsquery.log"

Regards
Philippe

Another error from named:

type=AVC msg=audit(1722094007.164:1542): avc:  denied  { read write open } for  pid=2121 comm="isc-net-0005" path="/var/lib/named/dyn/tmp-8BTcyhF4Br" dev="sdb2" ino=4719439 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1 

I did the following

hpprol2:/etc/systemd/system # seinfo -t | grep named 
  named_cache_t 
  named_checkconf_exec_t 
  named_conf_t 
  named_exec_t 
  named_initrc_exec_t 
  named_keytab_t 
  named_log_t 
  named_t 
  named_tmp_t 
  named_unit_file_t 
  named_var_run_t 
  named_zone_t 
  systemd_hostnamed_exec_t 
  systemd_hostnamed_t

hpprol2:/etc/systemd/system # semanage fcontext -a -t named_zone_t "/var/lib/named/dyn(/.*)?" 

Thereafter, another error in journalctl:

Jul 27 18:44:35 hpprol2 setroubleshoot[465524]: SELinux is preventing isc-loop-0002 from rename access on the file tmp-NxAC5L6Ppp.                                             
        ****  Plugin catchall_boolean (89.3 confidence) suggests   ****************** 
                                                
       If you want to determine whether Bind can write to master zone files. Generally this is used for dynamic DNS or zone transfers. 
       Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.                                        
          Do 
          setsebool -P named_write_master_zones 1

I have set the “named_write_master_zones” boolean. I hope it solves the problem.

The upstream SELinux policy has explicit provision for the named chroot in several distributions (Debian, Fedora and some more). It looks like it needs the same for openSUSE, or openSUSE simply needs to use the same chroot location as Fedora.
