Bug 1066333
Summary: | /usr/sbin/named needs write access to the directory /var/named/dyndb-ldap | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Spacek <pspacek> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 20 | CC: | dwalsh, mgrepl, pspacek, thozza |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-02-20 14:44:55 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Petr Spacek
2014-02-18 09:18:45 UTC
Could you attach AVC info?

```
# grep named /var/log/audit/audit.log
type=AVC msg=audit(1392726885.485:256): avc: denied { write } for pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1392726885.485:256): arch=c000003e syscall=83 success=no exit=-13 a0=7fbbea048f50 a1=1c0 a2=fe0 a3=fe items=0 ppid=6939 pid=6943 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 ses=4294967295 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=SERVICE_START msg=audit(1392726885.491:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="named" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
```

If you need any other information just tell me what to do. Thanks!

Miroslav, do you need something else? We would like to see the new policy as soon as possible because it blocks us from releasing the new bind-dyndb-ldap package to Fedora. Thank you!

Either

```
# chcon -R -t named_cache_t /var/named/dyndb-ldap
```

or you can activate the boolean in the scriptlet.

Okay, I will activate named_write_master_zones. Thank you for your help!
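As an added example that is not part of the bug report, the following POSIX shell script parses the AVC record pasted above (copied here as a constructed sample) into its fields, recognises the specific denial discussed in this bug (the `named_t` domain writing to a directory labelled `named_zone_t`), and prints the two remedies proposed in the thread. The function names `avc_field`, `avc_summary`, `is_named_zone_write` and `remedies` are this example's own; the directory path and the boolean name come from the report.

```shell
#!/bin/sh
# Added example, not from the bug report: classify an SELinux AVC denial and
# map the named_t -> named_zone_t write denial to the fixes proposed above.

# Constructed sample: the AVC record from the report, on a single line.
AVC_SAMPLE='type=AVC msg=audit(1392726885.485:256): avc:  denied  { write } for  pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir'

# avc_field LINE KEY -> value of "KEY=..." in LINE with quotes stripped, or empty.
# The key must be preceded by whitespace so that "pid=" does not match "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_summary LINE -> "<source type> <permission> <target type> <class>",
# e.g. "named_t write named_zone_t dir" for the sample above.
avc_summary() {
    _perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    _src=$(avc_field "$1" scontext | cut -d: -f3)   # type field of the context
    _tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    _cls=$(avc_field "$1" tclass)
    printf '%s %s %s %s\n' "$_src" "$_perm" "$_tgt" "$_cls"
}

# is_named_zone_write LINE -> exit status 0 when LINE is the denial from this bug.
is_named_zone_write() {
    [ "$(avc_summary "$1")" = "named_t write named_zone_t dir" ]
}

# remedies DIR -> the two fixes suggested in the thread, for directory DIR.
remedies() {
    printf 'chcon -R -t named_cache_t %s\n' "$1"
    printf 'setsebool -P named_write_master_zones on\n'
}

if is_named_zone_write "$AVC_SAMPLE"; then
    echo "matched denial: $(avc_summary "$AVC_SAMPLE")"
    echo "possible remedies:"
    remedies /var/named/dyndb-ldap
fi
```

The two remedies differ in scope: the relabel affects only that directory, and because `chcon` does not update the file-context database it is lost on the next `restorecon` or full relabel (a persistent equivalent is a `semanage fcontext` rule followed by `restorecon`), whereas `named_write_master_zones` grants `named_t` write access to every zone directory on the host. The script only reports; it does not change labels or booleans.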