Hi,
I just installed the latest stable version of isc-bind on a fresh, up-to-date
AlmaLinux 9 system and I am having trouble with the SELinux integration.
The isc-bind-named service does not start when SELinux is enforcing. I traced the
audit log (the first entry shows the domain transition from init_t to named_t being
denied, and every later denial is for a named process still running in init_t):
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.757:2284):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.757:2284): item=1
name="/lib64/ld-linux-x86-64.so.2" inode=2143341 dev=fd:02 mode=0100755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0
cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1726134073.757:2284): item=0
name="/opt/isc/isc-bind/root/usr/sbin/named" inode=966732 dev=fd:08
mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_exec_t:s0
nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.757:2284): cwd="/"
type=EXECVE msg=audit(1726134073.757:2284): argc=3
a0="/opt/isc/isc-bind/root/usr/sbin/named" a1="-u" a2="named"
type=SYSCALL msg=audit(1726134073.757:2284): arch=c000003e syscall=59
success=yes exit=0 a0=555e756f9130 a1=555e7573fe40 a2=555e75743fb0 a3=0 items=2
ppid=1 pid=14367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=SELINUX_ERR msg=audit(1726134073.757:2284): op=security_bounded_transition
seresult=denied oldcontext=system_u:system_r:init_t:s0
newcontext=system_u:system_r:named_t:s0
type=AVC msg=audit(1726134073.757:2284): avc: denied { nosuid_transition }
for pid=14367 comm="(named)" scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:named_t:s0 tclass=process2 permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2285):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2285): item=0
name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05
mode=040770 ouid=990 ogid=990 rdev=00:00
obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2285):
cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2285): arch=c000003e syscall=257
success=no exit=-13 a0=ffffff9c a1=5641ec1bbf58 a2=c1 a3=1a4 items=1 ppid=14367
pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990
sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=AVC msg=audit(1726134073.778:2285): avc: denied { create } for
pid=14368 comm="named" name="named.pid" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2286):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2286): item=0
name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05
mode=040770 ouid=990 ogid=990 rdev=00:00
obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2286):
cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2286): arch=c000003e syscall=257
success=no exit=-13 a0=ffffff9c a1=5641ec1bbf58 a2=c1 a3=1a4 items=1 ppid=14367
pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990
sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=AVC msg=audit(1726134073.778:2286): avc: denied { create } for
pid=14368 comm="named" name="named.pid" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2287):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2287): item=0
name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05
mode=040770 ouid=990 ogid=990 rdev=00:00
obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2287):
cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2287): arch=c000003e syscall=257
success=no exit=-13 a0=ffffff9c a1=5641ec1bbf88 a2=c1 a3=180 items=1 ppid=14367
pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990
sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=AVC msg=audit(1726134073.778:2287): avc: denied { create } for
pid=14368 comm="named" name="session.key" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2288):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2288): item=0
name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05
mode=040770 ouid=990 ogid=990 rdev=00:00
obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2288):
cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2288): arch=c000003e syscall=257
success=no exit=-13 a0=ffffff9c a1=5641ec1bbf88 a2=c1 a3=180 items=1 ppid=14367
pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990
sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=AVC msg=audit(1726134073.778:2288): avc: denied { create } for
pid=14368 comm="named" name="session.key" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.781:2289):
proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.781:2289): item=1 name="named.run" inode=3159
dev=fd:05 mode=0100644 ouid=990 ogid=990 rdev=00:00
obj=system_u:object_r:named_cache_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0
cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1726134073.781:2289): item=0
name="/var/opt/isc/scls/isc-bind/named/data" inode=3168 dev=fd:05 mode=040770
ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_cache_t:s0
nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.781:2289):
cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.781:2289): arch=c000003e syscall=257
success=no exit=-13 a0=ffffff9c a1=7f265be9ff60 a2=441 a3=1b6 items=2
ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990
fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named"
exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0
key=(null)
type=AVC msg=audit(1726134073.781:2289): avc: denied { append } for
pid=14368 comm="named" name="named.run" dev="dm-5" ino=3159
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:named_cache_t:s0 tclass=file permissive=0
#============= init_t ==============
allow init_t named_cache_t:file append;
allow init_t named_t:process2 nosuid_transition;
allow init_t named_var_run_t:file create;
I installed bind with the following commands:
dnf copr enable isc/bind
dnf install epel-release
dnf install isc-bind
What should I do? I don't want to add custom SELinux rules, as I'm not sure
that they won't be overwritten by the next update.
Best regards,
Mathieu TABAKA
Administrateur Systèmes et Réseaux
Service Informatique
Tél. : 02 32 09 35 60 - Port. : 06 25 73 54 57
[email protected]<mailto:[email protected]>
9 voie des clouets BP 204
27100 VAL DE REUIL
www.crit-job.com<http://www.crit-job.com/>