ISC-BIND 9.20.1 - AlmaLinux 9

TABAKA Mathieu mathieu.tabaka at groupe-crit.com
Thu Sep 12 09:48:10 UTC 2024


Hi,

I just installed the latest stable version of isc-bind on a fresh and up-to-date AlmaLinux 9 and I've got trouble with the SELinux implementation.
The isc-bind-named service doesn't start if SELinux is enforcing. I traced the log:

----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.757:2284): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.757:2284): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2143341 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1726134073.757:2284): item=0 name="/opt/isc/isc-bind/root/usr/sbin/named" inode=966732 dev=fd:08 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.757:2284): cwd="/"
type=EXECVE msg=audit(1726134073.757:2284): argc=3 a0="/opt/isc/isc-bind/root/usr/sbin/named" a1="-u" a2="named"
type=SYSCALL msg=audit(1726134073.757:2284): arch=c000003e syscall=59 success=yes exit=0 a0=555e756f9130 a1=555e7573fe40 a2=555e75743fb0 a3=0 items=2 ppid=1 pid=14367 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1726134073.757:2284): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:named_t:s0
type=AVC msg=audit(1726134073.757:2284): avc:  denied  { nosuid_transition } for  pid=14367 comm="(named)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=process2 permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2285): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2285): item=0 name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05 mode=040770 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2285): cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2285): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641ec1bbf58 a2=c1 a3=1a4 items=1 ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1726134073.778:2285): avc:  denied  { create } for  pid=14368 comm="named" name="named.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2286): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2286): item=0 name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05 mode=040770 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2286): cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2286): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641ec1bbf58 a2=c1 a3=1a4 items=1 ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1726134073.778:2286): avc:  denied  { create } for  pid=14368 comm="named" name="named.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2287): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2287): item=0 name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05 mode=040770 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2287): cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2287): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641ec1bbf88 a2=c1 a3=180 items=1 ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1726134073.778:2287): avc:  denied  { create } for  pid=14368 comm="named" name="session.key" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.778:2288): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.778:2288): item=0 name="/var/opt/isc/scls/isc-bind/run/named/" inode=2118083 dev=fd:05 mode=040770 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_var_run_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.778:2288): cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.778:2288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5641ec1bbf88 a2=c1 a3=180 items=1 ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1726134073.778:2288): avc:  denied  { create } for  pid=14368 comm="named" name="session.key" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_var_run_t:s0 tclass=file permissive=0
----
time->Thu Sep 12 11:41:13 2024
type=PROCTITLE msg=audit(1726134073.781:2289): proctitle=2F6F70742F6973632F6973632D62696E642F726F6F742F7573722F7362696E2F6E616D6564002D75006E616D6564
type=PATH msg=audit(1726134073.781:2289): item=1 name="named.run" inode=3159 dev=fd:05 mode=0100644 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_cache_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1726134073.781:2289): item=0 name="/var/opt/isc/scls/isc-bind/named/data" inode=3168 dev=fd:05 mode=040770 ouid=990 ogid=990 rdev=00:00 obj=system_u:object_r:named_cache_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1726134073.781:2289): cwd="/var/opt/isc/scls/isc-bind/named/data"
type=SYSCALL msg=audit(1726134073.781:2289): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f265be9ff60 a2=441 a3=1b6 items=2 ppid=14367 pid=14368 auid=4294967295 uid=990 gid=990 euid=990 suid=990 fsuid=990 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="named" exe="/opt/isc/isc-bind/root/usr/sbin/named" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1726134073.781:2289): avc:  denied  { append } for  pid=14368 comm="named" name="named.run" dev="dm-5" ino=3159 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file permissive=0


#============= init_t ==============
allow init_t named_cache_t:file append;
allow init_t named_t:process2 nosuid_transition;
allow init_t named_var_run_t:file create;


I installed BIND with the commands:

dnf copr enable isc/bind
dnf install epel-release
dnf install isc-bind


What do I have to do? I don't want to add custom SELinux rules, as I'm not sure that they will not be overwritten by the next update.



Best regards,


Mathieu TABAKA
Systems and Network Administrator
IT Department


Tel.: 02 32 09 35 60 - Mobile: 06 25 73 54 57
mathieu.tabaka at groupe-crit.com

9 voie des clouets BP 204
27100 VAL DE REUIL

www.crit-job.com

