ISC Open Source Projects / BIND / Issues / #1033

Created May 15, 2019 by James Ralston (@qralston)

named creates temporary files in /var/named instead of within a dedicated temporary directory

Summary

Recent versions of named have a new behavior of creating temporary files in the /var/named directory, instead of within a designated temporary directory.

This behavior triggers SELinux denials on Linux systems that run SELinux, such as Fedora, because it is not expected that named will need to write to the /var/named directory in scenarios where DDNS is not being used.

A work-around recommended by Red Hat (1) is to set the named_write_master_zones SELinux boolean to true, which will cause SELinux policy to ignore attempts to write into the /var/named directory. (More specifically, it will permit named to create/write/unlink files in a directory with the named_zone_t file context.)

But this isn't a good work-around for sites that are not using DDNS. If I'm not using DDNS, I have every reason to expect that named attempting to create a file in a directory with the named_zone_t label represents a potential security threat (e.g., a successful remote code execution attack against named). This is precisely the type of behavior I want SELinux to block.

Thus, named should not create temporary files in the /var/named directory. If named needs to create temporary files, at least on Unix platforms, named should create temporary files in the /tmp directory. If this is unacceptable for some reason (e.g., because named intends to issue a rename(2) call on the temporary file and does not wish to receive EXDEV), then named should use a dedicated temporary directory within /var/named (e.g., /var/named/tmp) to create temporary files. This temporary directory can be labeled with an appropriate SELinux file context (e.g., named_tmp_t) such that SELinux policy can permit named to create temporary files in this directory, but not in /var/named.

I fully admit that dealing with SELinux is annoying. But many sites are required to run SELinux in enforcing mode in order to satisfy various compliance restrictions. And the effort required to help enable SELinux best practices is minimal.

(1) https://bugzilla.redhat.com/show_bug.cgi?id=1707910

BIND version used

BIND 9.11.6-P1-RedHat-9.11.6-2.P1.fc29 (Extended Support Version) <id:520073a>
running on Linux x86_64 5.0.14-200.fc29.x86_64 #1 SMP Thu May 9 10:46:15 UTC 2019
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--with-libidn2' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-cmocka' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 8.3.1 20190223 (Red Hat 8.3.1-2)
compiled with OpenSSL version: OpenSSL 1.1.1b FIPS  26 Feb 2019
linked to OpenSSL version: OpenSSL 1.1.1b FIPS  26 Feb 2019
compiled with libxml2 version: 2.9.8
linked to libxml2 version: 20908
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

Steps to reproduce

Configure a recent version of named to serve a static zone, then start named and issue queries against that zone.

If you trace the named process, you will see it creating temporary files in the /var/named directory.

What is the current bug behavior?

named will create temporary files in the /var/named directory.

What is the expected correct behavior?

named should create temporary files in the /tmp directory or /var/named/tmp directory.

Relevant configuration files

This should be reproducible with any named configuration that serves static zones.

Relevant logs and/or screenshots

None at this time.

Possible fixes

I've been searching through the past few months of commits, to see if I can identify the exact commit that caused the change, but I don't see anything obvious.

I suspect that what has happened is that named previously did not create temporary files unless DDNS was in use, but a recent feature or change has caused named to create temporary files even when named is serving nothing but static zones.

Meaning, I suspect this behavior doesn't represent a change in how named creates temporary files; I suspect named has always used /var/named for temporary files. The change is probably that named now creates temporary files in normal operation even when DDNS isn't in use. So this is why I am seeing this particular behavior from named now.
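The dedicated temporary directory the report proposes (a /var/named/tmp on the same filesystem as the zone files, so that rename(2) does not fail with EXDEV) can be illustrated with the following staging routine. It is an added example, not BIND's own code or the reporter's: `write_atomic` stages the content in `tmpdir` and renames it over `target`, and `demo` exercises it in a constructed sandbox under /tmp standing in for /var/named.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `data` to `target` atomically.  The content is staged in a temp
 * file inside `tmpdir`, a dedicated directory that must live on the same
 * filesystem as `target` (the report's /var/named/tmp), fsync'ed, then
 * renamed over `target`.  Returns 0 or the failing errno; rename() gives
 * EXDEV when tmpdir is on another filesystem, which is why /tmp is not
 * a safe choice for files that are renamed into place. */
int write_atomic(const char *tmpdir, const char *target, const char *data)
{
    char tmp[4096];
    int n = snprintf(tmp, sizeof tmp, "%s/.tmp-XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= sizeof tmp) return ENAMETOOLONG;
    int fd = mkstemp(tmp);              /* mode 0600, O_EXCL: no symlink race */
    if (fd < 0) return errno;
    size_t len = strlen(data), off = 0;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) { int e = errno; close(fd); unlink(tmp); return e; }
        off += (size_t)w;
    }
    if (fsync(fd) < 0) { int e = errno; close(fd); unlink(tmp); return e; }
    if (close(fd) < 0) { int e = errno; unlink(tmp); return e; }
    if (rename(tmp, target) < 0) { int e = errno; unlink(tmp); return e; }
    return 0;
}

/* Self-check in a constructed sandbox under /tmp: stage into <base>/tmp,
 * rename into <base>/example.zone, read it back.  Returns 0 or errno. */
int demo(void)
{
    char base[] = "/tmp/zonedir-XXXXXX", tmpdir[64], target[64], buf[64] = {0};
    if (!mkdtemp(base)) return errno;
    snprintf(tmpdir, sizeof tmpdir, "%s/tmp", base);
    snprintf(target, sizeof target, "%s/example.zone", base);
    if (mkdir(tmpdir, 0700) < 0) return errno;
    int rc = write_atomic(tmpdir, target, "$ORIGIN example.\n");
    if (rc) return rc;
    FILE *f = fopen(target, "r");
    if (!f) return errno;
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return (got == 17 && strcmp(buf, "$ORIGIN example.\n") == 0) ? 0 : EIO;
}
```

With the staging directory labeled separately (the report suggests a named_tmp_t-style context), SELinux can allow file creation in /var/named/tmp while continuing to deny it in /var/named itself.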
