Debian Bug report logs - #490271
bind9: security update breaks named running with selinux


Package: selinux-policy-refpolicy-targeted; Maintainer for selinux-policy-refpolicy-targeted is (unknown);

Reported by: Martin Godisch <martin@godisch.de>

Date: Fri, 11 Jul 2008 06:30:02 UTC

Severity: serious

Tags: etch

Fixed in version refpolicy/0.0.20061018-5.1+etch1

Done: Devin Carraway <devin@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, LaMont Jones <lamont@debian.org>:
Bug#490271; Package bind9. Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: submit@bugs.debian.org
Subject: bind9: security update breaks named running with selinux
Date: Fri, 11 Jul 2008 08:26:53 +0200
Package: bind9
Version: 9.3.4-2etch3
Tags: etch
Severity: serious

Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-5

bind9 security update 9.3.4-2etch3 breaks named running in a selinux
enabled (enforcing) environment:

audit(1215756426.448:248): avc:  denied  { name_bind } for  pid=16218
comm="named" src=12949 scontext=user_u:system_r:named_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

I think you need to add corenet_udp_bind_generic_port(named_t) to the
selinux policy (or revert the security update).

Kind regards,

Martin
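For readers who want to triage denials like the one Martin posted, here is an added Python example; it is not code from the bug thread or from refpolicy. It parses kernel AVC records, picks out `name_bind` denials, and maps each one to the refpolicy interface that would grant it, which for the case above is exactly the `corenet_udp_bind_generic_port(named_t)` Martin suggests. The sample log lines are constructed: the first is the report's record joined back onto one line, as the kernel actually emits it, the others are invented to exercise the other branches. The generalization from `port_t` to other `*_port_t` types (for example `dns_port_t` to `corenet_tcp_bind_dns_port`) follows refpolicy's interface naming convention and is an assumption beyond the single case the report shows.

```python
"""Triage SELinux AVC denials and suggest the refpolicy interface to grant them.

Added example for Debian bug #490271; not part of the bug thread or of refpolicy.
"""
import re

# audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm="named") or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log. Line 1 is the report's record on a single line, as the
# kernel emits it; lines 2-4 are invented to show a non-bind denial, a bind on a
# named port type, and a non-AVC line that must be ignored.
SAMPLE_LOG = [
    'audit(1215756426.448:248): avc:  denied  { name_bind } for  pid=16218 '
    'comm="named" src=12949 scontext=user_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'audit(1215756430.001:249): avc:  denied  { read } for  pid=16218 '
    'comm="named" name="named.conf" dev=sda1 ino=12345 '
    'scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 '
    'tclass=file',
    'audit(1215756431.500:250): avc:  denied  { name_bind } for  pid=16218 '
    'comm="named" src=53 scontext=user_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket',
    'named[16218]: starting BIND 9.3.4-P1 -u bind',
]


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # Security contexts are user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def suggest_interface(rec):
    """Map a name_bind denial on a port type to a refpolicy corenet interface call.

    port_t (the generic, unlabelled port range named hits when it randomizes its
    source port) maps to corenet_<proto>_bind_generic_port, which is the fix the
    bug report names. Other X_port_t types map to corenet_<proto>_bind_X_port;
    that follows refpolicy's naming convention and is an assumption here.
    """
    if rec is None or rec["result"] != "denied" or "name_bind" not in rec["perms"]:
        return None
    proto = {"udp_socket": "udp", "tcp_socket": "tcp"}.get(rec.get("tclass"))
    stype, ttype = rec.get("scontext_type"), rec.get("tcontext_type")
    if not (proto and stype and ttype):
        return None
    if ttype == "port_t":
        name = "generic"
    elif ttype.endswith("_port_t"):
        name = ttype[: -len("_port_t")]
    else:
        return None
    return f"corenet_{proto}_bind_{name}_port({stype})"


def triage(lines):
    """Return [(serial, suggested interface call)] for every bind denial in the log."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        suggestion = suggest_interface(rec)
        if suggestion:
            results.append((rec["serial"], suggestion))
    return results


if __name__ == "__main__":
    for serial, call in triage(SAMPLE_LOG):
        print(f"audit serial {serial}: add {call} to the policy module")
```

Run it against `ausearch -m avc` or `dmesg` output, one record per line, and it reports the interface to add to a local `.te` module for each bind denial; anything that is not a `name_bind` denial (such as the file read on line 2) is left for manual review.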




Bug reassigned from package `bind9' to `selinux-policy-refpolicy-targeted'. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Fri, 11 Jul 2008 12:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>. Full text and rfc822 format available.

Message #10 received at 490271@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: Martin Godisch <martin@godisch.de>, 490271@bugs.debian.org
Subject: Re: Bug#490271: bind9: security update breaks named running with selinux
Date: Fri, 11 Jul 2008 10:42:45 -0700
[Message part 1 (text/plain, inline)]
On Fri, Jul 11, 2008 at 08:26:53AM +0200, Martin Godisch wrote:
> bind9 security update 9.3.4-2etch3 breaks named running in a selinux
> enabled (enforcing) environment:
> 
> audit(1215756426.448:248): avc:  denied  { name_bind } for  pid=16218
> comm="named" src=12949 scontext=user_u:system_r:named_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> 
> I think you need to add corenet_udp_bind_generic_port(named_t) to the
> selinux policy (or revert the security update).

This is a known issue -- we're planning to make a couple of announcements with
a recommended workaround (attached, but pretty much the same as what you
suggest), and try to get it into the next stable point release.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[bind_debian_security_update.te (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted. Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>. Full text and rfc822 format available.

Message #15 received at 490271@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Devin Carraway <devin@debian.org>, 490271@bugs.debian.org
Cc: Martin Godisch <martin@godisch.de>
Subject: #490271
Date: Fri, 11 Jul 2008 22:59:13 +0200
[Message part 1 (text/plain, inline)]
Hi

I'm currently not able to see the problem to push a _fix_, not a
_workaround_, through stable-security. Please explain.

Bastian

-- 
... The prejudices people feel about each other disappear when they get
to know each other.
		-- Kirk, "Elaan of Troyius", stardate 4372.5
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>. Full text and rfc822 format available.

Message #20 received at 490271@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: Bastian Blank <waldi@debian.org>
Cc: Devin Carraway <devin@debian.org>, 490271@bugs.debian.org, Martin Godisch <martin@godisch.de>
Subject: Re: #490271
Date: Tue, 15 Jul 2008 00:57:43 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jul 11, 2008 at 10:59:13PM +0200, Bastian Blank wrote:
> I'm currently not able to see the problem to push a _fix_, not a
> _workaround_, through stable-security. Please explain.

Pushing a fix to stable-security is easy -- we can patch the needed permission
into refpolicy and ship it out as an update (http://tinyurl.com/5m3oza has a
set of patched packages to do that).  The problem is that with the way the
refpolicy packages work today, this will fix only new installations;
preexisting ones will stay broken.  That will take a little time, and I don't
want to do it without some testing and review, if at all possible with the
refpolicy maintainers themselves -- mistakes in selinux configuration could
either screw us now or set us up for trouble in the future.

In the interim, we can address questions about the near-term breakage with a
documented workaround.  I've drafted one such here:

	http://wiki.debian.org/SELinux/Issues/BindPortRandomization

Edits and clarifications, as well as input on a long-term fix, would be
welcome.


- -- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfFh3U5XKDemr/NIRAmP2AKCZFYeDzyNYtfrlw5falDubIQZO6gCfQWZi
/rV6aSMzAyt2mZHmBB/1qbo=
=jlYt
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted. Full text and rfc822 format available.

Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>. Full text and rfc822 format available.

Message #25 received at 490271@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: Martin Godisch <martin@godisch.de>
Cc: Devin Carraway <devin@debian.org>, 490271@bugs.debian.org, Bastian Blank <waldi@debian.org>
Subject: Re: #490271
Date: Thu, 24 Jul 2008 00:07:00 -0700
[Message part 1 (text/plain, inline)]
A tentative fix to refpolicy is here:

	http://klecker.debian.org/~devin/refpolicy/

Martin, can you test these to confirm that they address the problem and check
for trouble during the upgrade?

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted. Full text and rfc822 format available.

Message #28 received at 490271@bugs.debian.org (full text, mbox):

From: Martin Godisch <martin@godisch.de>
To: Devin Carraway <devin@debian.org>
Cc: 490271@bugs.debian.org, Bastian Blank <waldi@debian.org>
Subject: Re: #490271
Date: Thu, 24 Jul 2008 12:32:15 +0200
On Thu, Jul 24, 2008 at 00:07:00 -0700, Devin Carraway wrote:

> A tentative fix to refpolicy is here:
> 
> 	http://klecker.debian.org/~devin/refpolicy/
> 
> Martin, can you test these to confirm that they address the problem
> and check for trouble during the upgrade?

Smooth update, no trouble, problem solved, strict policy not tested.

Thank you! -- Martin




Reply sent to Devin Carraway <devin@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Martin Godisch <martin@godisch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #33 received at 490271-close@bugs.debian.org (full text, mbox):

From: Devin Carraway <devin@debian.org>
To: 490271-close@bugs.debian.org
Subject: Bug#490271: fixed in refpolicy 0.0.20061018-5.1+etch1
Date: Thu, 31 Jul 2008 19:52:16 +0000
Source: refpolicy
Source-Version: 0.0.20061018-5.1+etch1

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive:

refpolicy_0.0.20061018-5.1+etch1.diff.gz
  to pool/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.diff.gz
refpolicy_0.0.20061018-5.1+etch1.dsc
  to pool/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.dsc
selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
  to pool/main/r/refpolicy/selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb
  to pool/main/r/refpolicy/selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
  to pool/main/r/refpolicy/selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
  to pool/main/r/refpolicy/selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb
  to pool/main/r/refpolicy/selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 490271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Devin Carraway <devin@debian.org> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 12 Jul 2008 09:33:09 +0000
Source: refpolicy
Binary: selinux-policy-refpolicy-src selinux-policy-refpolicy-targeted selinux-policy-refpolicy-strict selinux-policy-refpolicy-doc selinux-policy-refpolicy-dev
Architecture: source all
Version: 0.0.20061018-5.1+etch1
Distribution: stable-security
Urgency: high
Maintainer: Manoj Srivastava <srivasta@debian.org>
Changed-By: Devin Carraway <devin@debian.org>
Description: 
 selinux-policy-refpolicy-dev - Headers from the SELinux reference policy for building modules
 selinux-policy-refpolicy-doc - Documentation for the SELinux reference policy
 selinux-policy-refpolicy-src - Source of the SELinux reference policy for customization
 selinux-policy-refpolicy-strict - Strict variant of the SELinux reference policy
 selinux-policy-refpolicy-targeted - Targeted variant of the SELinux reference policy
Closes: 490271
Changes: 
 refpolicy (0.0.20061018-5.1+etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Allow named_t to bind to all UDP ports, not just the DNS port;
     this enables DNS port randomization, introduced by bind9
     1:9.3.4-2etch3 in response to DSA-1603-1 / CVE-2008-1447.  The
     change does not represent a vulnerability in refpolicy, rather
     a compatibility fix for an urgent and widely-deployed package.
     (Closes: #490271).
   * Upgrade the bind policy module at upgrade, if and only if the
     previously-installed refpolicy package was <= 0.0.20061018-5
Files: 
 52bc8ea0cab864e990e9dacc4db3b678 859 admin optional refpolicy_0.0.20061018-5.1+etch1.dsc
 1bb326ee1b8aea1fa93c3bd86a3007ee 571487 admin optional refpolicy_0.0.20061018.orig.tar.gz
 bd171f0cfa9adc59d451d176fb32c913 53515 admin optional refpolicy_0.0.20061018-5.1+etch1.diff.gz
 626c93fc13beaa01ff151d9103a7860b 1541610 admin optional selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
 c00ed4f0ea4ddbb8dd945c24c710c788 1288314 admin optional selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb
 841f616c8f08b22ed7077c21c1065026 595490 admin optional selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
 bee3f41fe8771b7b88693937814494a3 418666 admin optional selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
 b082a861eda93f9bc06dd2e2f03ba89d 289230 doc optional selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIiWrnU5XKDemr/NIRAjQ0AKDDIbUlCu9WggZWQNqGPg0tICpA7gCgieai
h0js2MAsY+nC7M4sL+FUksU=
=B1Kj
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 08:29:13 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:18:55 2014; Machine Name: beach.debian.org
