Debian Bug report logs - #490271
bind9: security update breaks named running with selinux
Reported by: Martin Godisch <martin@godisch.de>
Date: Fri, 11 Jul 2008 06:30:02 UTC
Severity: serious
Tags: etch
Fixed in version refpolicy/0.0.20061018-5.1+etch1
Done: Devin Carraway <devin@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, LaMont Jones <lamont@debian.org>:
Bug#490271; Package bind9.
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
Package: bind9
Version: 9.3.4-2etch3
Tags: etch
Severity: serious
Package: selinux-policy-refpolicy-targeted
Version: 0.0.20061018-5
bind9 security update 9.3.4-2etch3 breaks named running in a selinux
enabled (enforcing) environment:
audit(1215756426.448:248): avc: denied { name_bind } for pid=16218
comm="named" src=12949 scontext=user_u:system_r:named_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
I think you need to add corenet_udp_bind_generic_port(named_t) to the
selinux policy (or revert the security update).
Kind regards,
Martin
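An added triage helper, not part of the bug report or of refpolicy: it parses the AVC record Martin quoted, checks that it is a name_bind denial for named_t against the generic port_t type, and maps it to the refpolicy interface he proposes (corenet_udp_bind_generic_port for udp_socket; the sibling corenet_tcp_bind_generic_port for tcp_socket, which goes beyond this report). The sample record is the one quoted above, joined onto a single line as the kernel emits it.

```python
import re

# Constructed sample: the AVC denial quoted in the bug report, joined onto
# one line (the bug log wraps it across three lines).
SAMPLE_AVC = (
    'audit(1215756426.448:248): avc: denied { name_bind } for pid=16218 '
    'comm="named" src=12949 scontext=user_u:system_r:named_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'
)

# "avc: denied { perm ... } for key=value ..." as written by the SELinux AVC.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values may be quoted (comm="named") or bare (src=12949).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # scontext/tcontext are user:role:type[:level]; the type is what policy keys on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def suggest_interface(rec):
    """Map a name_bind denial on the generic port type (port_t) to the refpolicy
    corenet bind interface for the source domain. Any other denial returns None,
    signalling that it needs manual review rather than a blanket allow."""
    if rec is None or rec["result"] != "denied" or "name_bind" not in rec["perms"]:
        return None
    if rec.get("tcontext_type") != "port_t":
        return None
    proto = {"udp_socket": "udp", "tcp_socket": "tcp"}.get(rec.get("tclass"))
    if proto is None:
        return None
    return "corenet_%s_bind_generic_port(%s)" % (proto, rec["scontext_type"])

if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print("source port %s (not 53: consistent with port randomization)" % record["src"])
    print("suggested policy line:", suggest_interface(record))
```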
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted.
Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #10 received at 490271@bugs.debian.org (full text, mbox, reply):
On Fri, Jul 11, 2008 at 08:26:53AM +0200, Martin Godisch wrote:
> bind9 security update 9.3.4-2etch3 breaks named running in a selinux
> enabled (enforcing) environment:
>
> audit(1215756426.448:248): avc: denied { name_bind } for pid=16218
> comm="named" src=12949 scontext=user_u:system_r:named_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
>
> I think you need to add corenet_udp_bind_generic_port(named_t) to the
> selinux policy (or revert the security update).
This is a known issue -- we're planning to make a couple of announcements with
a recommended workaround (attached, but pretty much the same as what you
suggest), and try to get it into the next stable point release.
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
[bind_debian_security_update.te (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted.
Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #15 received at 490271@bugs.debian.org (full text, mbox, reply):
Hi
I'm currently not able to see the problem to push a _fix_, not a
_workaround_, through stable-security. Please explain.
Bastian
--
... The prejudices people feel about each other disappear when they get
to know each other.
-- Kirk, "Elaan of Troyius", stardate 4372.5
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted.
Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #20 received at 490271@bugs.debian.org (full text, mbox, reply):
On Fri, Jul 11, 2008 at 10:59:13PM +0200, Bastian Blank wrote:
> I'm currently not able to see the problem to push a _fix_, not a
> _workaround_, through stable-security. Please explain.
Pushing a fix to stable-security is easy -- we can patch the needed permission
into refpolicy and ship it out as an update (http://tinyurl.com/5m3oza has a
set of patched packages to do that). The problem is that with the way the
refpolicy packages work today, this will fix only new installations;
preexisting ones will stay broken. That will take a little time, and I don't
want to do it without some testing and review, if at all possible with the
refpolicy maintainers themselves -- mistakes in selinux configuration could
either screw us now or set us up for trouble in the future.
In the interim, we can address questions about the near-term breakage with a
documented workaround. I've drafted one such here:
http://wiki.debian.org/SELinux/Issues/BindPortRandomization
Edits and clarifications, as well as input on a long-term fix, would be
welcome.
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted.
Acknowledgement sent to Devin Carraway <devin@debian.org>:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.
Message #25 received at 490271@bugs.debian.org (full text, mbox, reply):
A tentative fix to refpolicy is here:
http://klecker.debian.org/~devin/refpolicy/
Martin, can you test these to confirm that they address the problem and check
for trouble during the upgrade?
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#490271; Package selinux-policy-refpolicy-targeted.
Message #28 received at 490271@bugs.debian.org (full text, mbox, reply):
On Thu, Jul 24, 2008 at 00:07:00 -0700, Devin Carraway wrote:
> A tentative fix to refpolicy is here:
>
> http://klecker.debian.org/~devin/refpolicy/
>
> Martin, can you test these to confirm that they address the problem
> and check for trouble during the upgrade?
Smooth update, no trouble, problem solved, strict policy not tested.
Thank you! -- Martin
Reply sent to Devin Carraway <devin@debian.org>:
You have taken responsibility.
Notification sent to Martin Godisch <martin@godisch.de>:
Bug acknowledged by developer.
Message #33 received at 490271-close@bugs.debian.org (full text, mbox, reply):
Source: refpolicy
Source-Version: 0.0.20061018-5.1+etch1
We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive:
refpolicy_0.0.20061018-5.1+etch1.diff.gz
to pool/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.diff.gz
refpolicy_0.0.20061018-5.1+etch1.dsc
to pool/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.dsc
selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
to pool/main/r/refpolicy/selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb
to pool/main/r/refpolicy/selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
to pool/main/r/refpolicy/selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
to pool/main/r/refpolicy/selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb
to pool/main/r/refpolicy/selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 490271@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Devin Carraway <devin@debian.org> (supplier of updated refpolicy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 12 Jul 2008 09:33:09 +0000
Source: refpolicy
Binary: selinux-policy-refpolicy-src selinux-policy-refpolicy-targeted selinux-policy-refpolicy-strict selinux-policy-refpolicy-doc selinux-policy-refpolicy-dev
Architecture: source all
Version: 0.0.20061018-5.1+etch1
Distribution: stable-security
Urgency: high
Maintainer: Manoj Srivastava <srivasta@debian.org>
Changed-By: Devin Carraway <devin@debian.org>
Description:
selinux-policy-refpolicy-dev - Headers from the SELinux reference policy for building modules
selinux-policy-refpolicy-doc - Documentation for the SELinux reference policy
selinux-policy-refpolicy-src - Source of the SELinux reference policy for customization
selinux-policy-refpolicy-strict - Strict variant of the SELinux reference policy
selinux-policy-refpolicy-targeted - Targeted variant of the SELinux reference policy
Closes: 490271
Changes:
refpolicy (0.0.20061018-5.1+etch1) stable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Allow named_t to bind to all UDP ports, not just the DNS port;
this enables DNS port randomization, introduced by bind9
1:9.3.4-2etch3 in response to DSA-1603-1 / CVE-2008-1447. The
change does not represent a vulnerability in refpolicy, rather
a compatibility fix for an urgent and widely-deployed package.
(Closes: #490271).
* Upgrade the bind policy module at upgrade, if and only if the
previously-installed refpolicy package was <= 0.0.20061018-5
Files:
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Feb 2009 08:29:13 GMT)
Last modified: Tue Jan 30 07:50:07 2024