Bug 1030260

Summary: named-sdb runs as init_t
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1196569 (view as bug list) Environment:
Last Closed: 2014-06-13 12:28:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 877026    
Bug Blocks:    

Description Milos Malik 2013-11-14 09:05:51 UTC 
Description of problem:
# matchpathcon /usr/sbin/named-sdb 
/usr/sbin/named-sdb	system_u:object_r:bin_t:s0
#

Version-Release number of selected component (if applicable):
bind-9.9.4-4.el7.x86_64
bind-chroot-9.9.4-4.el7.x86_64
bind-libs-9.9.4-4.el7.x86_64
bind-libs-lite-9.9.4-4.el7.x86_64
bind-license-9.9.4-4.el7.noarch
bind-sdb-9.9.4-4.el7.x86_64
bind-utils-9.9.4-4.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch
selinux-policy-devel-3.12.1-99.el7.noarch
selinux-policy-doc-3.12.1-99.el7.noarch
selinux-policy-minimum-3.12.1-99.el7.noarch
selinux-policy-mls-3.12.1-99.el7.noarch
selinux-policy-targeted-3.12.1-99.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service named-sdb status
Redirecting to /bin/systemctl status  named-sdb.service
named-sdb.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-sdb.service; disabled)
   Active: inactive (dead)

Nov 14 10:00:28 rhel70.localdomain systemd[1]: Started Berkeley Internet Nam....
Nov 14 10:00:28 rhel70.localdomain named-sdb[13856]: running
Nov 14 10:00:41 rhel70.localdomain systemd[1]: Stopping Berkeley Internet Na....
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: received control channel...
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: shutting down: flushing ...
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: stopping command channel...
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: stopping command channel...
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: no longer listening on 1...
Nov 14 10:00:41 rhel70.localdomain named-sdb[13856]: no longer listening on :...
Nov 14 10:00:41 rhel70.localdomain systemd[1]: Stopped Berkeley Internet Nam....
Hint: Some lines were ellipsized, use -l to show in full.
# service named-sdb start
Redirecting to /bin/systemctl start  named-sdb.service
# service named-sdb status
Redirecting to /bin/systemctl status  named-sdb.service
named-sdb.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-sdb.service; disabled)
   Active: active (running) since Thu 2013-11-14 10:02:56 CET; 1s ago
  Process: 13968 ExecStart=/usr/sbin/named-sdb -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13965 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
  Process: 13963 ExecStartPre=/usr/libexec/generate-rndc-key.sh (code=exited, status=0/SUCCESS)
 Main PID: 13970 (named-sdb)
   CGroup: /system.slice/named-sdb.service
           └─13970 /usr/sbin/named-sdb -u named

Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: command channel listenin...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: command channel listenin...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: managed-keys-zone: loade...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: zone 0.in-addr.arpa/IN: ...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: zone localhost/IN: loade...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: zone 1.0.0.127.in-addr.a...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: zone 1.0.0.0.0.0.0.0.0.0...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: zone localhost.localdoma...
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: all zones loaded
Nov 14 10:02:56 rhel70.localdomain systemd[1]: Started Berkeley Internet Nam....
Nov 14 10:02:56 rhel70.localdomain named-sdb[13970]: running
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep named
system_u:system_r:init_t:s0     named    13970     1  0 10:02 ?        00:00:00 /usr/sbin/named-sdb -u named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13986 2470  0 10:03 pts/0 00:00:00 grep --color=auto named
#

Actual results:
 * named-sdb runs as init_t

Expected results:
 * named-sdb runs as named_t
Comment 1 Lukas Vrabec 2014-01-17 09:53:31 UTC 
commit e288e13cf463d98eb29fbcb2f74fb73edf7741dd
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jan 17 10:52:41 2014 +0100

    Added support for named-sdb in bind policy
Comment 3 Ludek Smid 2014-06-13 12:28:19 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.