View Issue Details

IDProjectCategoryView StatusLast Update
0016136CentOS-7selinux-policypublic2019-06-02 08:14
Reporterpako 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0016136: selinux policy prevents dnsmasq from creating/using netlink socket to update ipsets
DescriptionTrying to use the ipset functionality with dnsmasq with selinux in enforcing mode will fail.
At first dnsmasq will fail to create the netlink socket and abort on startup. Adding a custom module
to allow creating and binding to netlink socket will make dnsmasq start but fail to update ipsets.
This is in turn denied by a dontaudit'ed netlink_socket write rule.
Steps To Reproduce* Enable selinux enforcing mode
* Create an ipset, for example centos_ipset
* Enter a config line in dnsmasq.conf for an ipset, for example ipset=/centos.org/centos_ipset
* Also enable log-queries in dnsmasq, to prove the behavior.
* Restart dnsmasq, it will refuse to start due to reason above.
* Add selinux module that allow create and bind to netlink socket
* Restart dnsmasq, it will start and when resolving centos.org via dnsmasq, report that it is added to the ipset,
though when verifying, no ip has been added.
* Running strace on dnsmasq will show that dnsmasq gets a permission denied writing to the netlink socket
Additional InformationThe following module was needed to get dnsmasq updating ipsets correctly.
# cat dnsmasqipset.te

module dnsmasqipset 1.0;

require {
        type dnsmasq_t;
        class netlink_socket { bind create write };
}

#============= dnsmasq_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow dnsmasq_t self:netlink_socket write;
allow dnsmasq_t self:netlink_socket { bind create };
Tagsselinux
abrt_hash
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-06-02 08:14 pako New Issue
2019-06-02 08:14 pako Tag Attached: selinux