View Issue Details

ID: 0018563
Project: CentOS-8
Category: dnsmasq
View Status: public
Last Update: 2023-02-28 09:38
Reporter: rnichols
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Platform: x86_64
OS: CentOS
OS Version: 8 stream
Product Version: 8.4.2105
Summary: 0018563: Repeated AVC denials for dnsmasq socket create
Description: When running with dnsmasq configured as bootp and domain server, there are repeated AVC denials: "SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t." Despite these enforcing mode denials, dnsmasq appears to work properly, serving both bootp and dns requests, so it is not apparent whether ALLOW or DONTAUDIT is the appropriate adjustment.
Steps To Reproduce: On a system with both WAN and LAN interfaces, configure NetworkManager with "dns=dnsmasq" and dnsmasq listening on the LAN interface (config files attached). Boot the system, and AVCs begin almost immediately, and seem to repeat whenever a dns request needs to be forwarded upstream.
Additional Information:
Source Context system_u:system_r:dnsmasq_t:s0
Target Context system_u:system_r:dnsmasq_t:s0
Target Objects Unknown [ socket ]
Source dnsmasq
Source Path /usr/sbin/dnsmasq
Port <Unknown>
Host omega-3x
Source RPM Packages dnsmasq-2.79-24.el8.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-114.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name omega-3x
Platform Linux omega-3x 4.18.0-448.el8.x86_64 #1 SMP Wed Jan 18 15:02:46 UTC 2023 x86_64 x86_64
Alert Count 6
First Seen 2023-01-28 14:50:41 CST
Last Seen 2023-01-28 14:57:16 CST
Local ID e32e9a86-6adb-4a61-b777-3f1e138449d7

Raw Audit Messages
type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0
type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket success=no exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 auid=4294967295 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

Hash: dnsmasq,dnsmasq_t,dnsmasq_t,socket,create
Tags: No tags attached.
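Whether a denial like this one deserves an allow rule or a dontaudit rule is decided by reading the raw audit event, not the sealert summary. The script below is an added illustration, not part of the report, of dnsmasq or of the selinux-policy package: it takes the two audit records quoted in the report (embedded here as constructed sample input), pairs the AVC and SYSCALL lines by their shared serial, decodes the socket(2) arguments from the hex a0..a2 fields, and prints the allow and dontaudit rules that would cover exactly this denial in the shape audit2allow produces. The decode is the informative part: a0=0 is AF_UNSPEC and a1=2 is SOCK_DGRAM, and SELinux reports an address family it has no dedicated class for as the generic `socket` class, which is why the denial names `socket` rather than `udp_socket` and why the service's AF_INET listeners keep working while this one call fails with EACCES. The AF_* and SOCK_* tables are Linux <sys/socket.h> constants; everything else is plain parsing.

```python
import re

# Constructed sample input: the two raw audit records quoted in the report above.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1674939436.297:133): avc: denied { create } for pid=1716 '
    'comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 '
    'tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=0\n'
    'type=SYSCALL msg=audit(1674939436.297:133): arch=x86_64 syscall=socket success=no '
    'exit=EACCES a0=0 a1=2 a2=0 a3=0 items=0 ppid=1337 pid=1716 auid=4294967295 uid=984 '
    'gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) '
    'ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq '
    'subj=system_u:system_r:dnsmasq_t:s0 key=(null)\n'
)

# socket(2) argument values from Linux <sys/socket.h> (subset sufficient here).
AF_NAMES = {0: "AF_UNSPEC", 1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}
SOCK_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
SOCK_TYPE_MASK = 0xF                      # low bits are the type, the rest are flags
SOCK_FLAGS = {0o4000: "SOCK_NONBLOCK", 0o2000000: "SOCK_CLOEXEC"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="value"
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")   # the { perm perm } set of an AVC


def parse_record(line):
    """Turn one audit record into a dict; an AVC's permission set lands in rec['perms']."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def group_events(text):
    """Group records by serial so the AVC and SYSCALL lines of one event stay together."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("serial", "?"), []).append(rec)
    return events


def decode_socket_call(sc):
    """Decode the hex a0..a2 of a socket(2) SYSCALL record into domain, type and flags."""
    domain, raw_type, proto = (int(sc[k], 16) for k in ("a0", "a1", "a2"))
    base = raw_type & SOCK_TYPE_MASK
    return {
        "domain": AF_NAMES.get(domain, f"AF_{domain}"),
        "type": SOCK_NAMES.get(base, f"type_{base}"),
        "flags": [name for bit, name in SOCK_FLAGS.items() if raw_type & bit],
        "protocol": proto,
    }


def te_rule(avc, kind="allow"):
    """Type-enforcement rule covering exactly this denial, in the shape audit2allow emits.
    kind='dontaudit' yields the silencing variant; scontext == tcontext becomes 'self'."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    target = "self" if src == tgt else tgt
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {src} {target}:{avc['tclass']} {perm_str};"


def summarize(event):
    """Collect what a policy reviewer needs from one AVC (+ optional SYSCALL) event."""
    avc = next(r for r in event if r.get("type") == "AVC")
    sc = next((r for r in event if r.get("type") == "SYSCALL"), None)
    out = {
        "comm": avc["comm"],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "enforcing": avc.get("permissive") == "0",   # permissive=0 means the call really failed
        "allow_rule": te_rule(avc),
        "dontaudit_rule": te_rule(avc, "dontaudit"),
    }
    if sc is not None and sc.get("syscall") == "socket":
        out["socket_call"] = decode_socket_call(sc)
        out["result"] = sc.get("exit")
        out["uid"] = sc.get("uid")
    return out


if __name__ == "__main__":
    for serial, event in group_events(SAMPLE_AUDIT).items():
        for key, value in summarize(event).items():
            print(f"[{serial}] {key}: {value}")
```

Run it against `ausearch -m AVC,SYSCALL -ts recent` output instead of the embedded sample to see the same decode for live events; the useful check before writing any local policy module is that the decoded domain and type match what the service is actually expected to open, which the sealert text alone does not tell you.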

Activities

rnichols (reporter)   2023-01-28 22:39

Attachment: NM-dnsmasq.conf (122 bytes)
# /etc/NetworkManager/conf.d/NM-dnsmasq.conf
# Run dnsmasq as local caching nameserver and dhcp server
[main]
dns=dnsmasq

Attachment: dnsmasq.conf (455 bytes)
# /etc/NetworkManager/dnsmasq.d/dnsmasq.conf
domain-needed
bogus-priv
local=/local/
listen-address=192.168.44.1
listen-address=127.0.0.1
bind-interfaces
dhcp-authoritative

dhcp-range=192.168.44.160,192.168.44.191,24h
dhcp-option=option:ntp-server,0.0.0.0  # = this machine
dhcp-option=2,-21600  # Central Standard Time
dhcp-option=6,0.0.0.0  # domain-name-servers
dhcp-option=15,local  # Domain name

dhcp-host=00:50:43:00:8f:0c, 192.168.44.69,  phoenix

toracat (manager)   2023-01-29 18:34   ~0039063

CentOS Stream-related bugs must be reported upstream. Please see https://wiki.centos.org/ReportBugs for details.

rnichols (reporter)   2023-01-30 13:51   ~0039064

Opened https://bugzilla.redhat.com/show_bug.cgi?id=2165438 .

Issue History

Date Modified Username Field Change
2023-01-28 22:39 rnichols New Issue
2023-01-28 22:39 rnichols File Added: NM-dnsmasq.conf
2023-01-28 22:39 rnichols File Added: dnsmasq.conf
2023-01-29 18:34 toracat Note Added: 0039063
2023-01-30 13:51 rnichols Note Added: 0039064
2023-02-28 09:38 toracat Status new => closed
2023-02-28 09:38 toracat Resolution open => no change required