Bug 1196569

Summary: named-sdb runs as initrc_t
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.7
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-262.el6
Doc Type: Bug Fix
Clone Of: 1030260
Last Closed: 2015-07-22 07:11:28 UTC
Type: Bug
Bug Blocks: 832330, 1197089

Description Milos Malik 2015-02-26 10:15:07 UTC
Description of problem:
 * when bind-sdb package is installed, the service initscript executes named-sdb instead of named

Version-Release number of selected component (if applicable):
bind-9.8.2-0.35.rc1.el6.x86_64
bind-libs-9.8.2-0.35.rc1.el6.x86_64
bind-sdb-9.8.2-0.35.rc1.el6.x86_64
bind-utils-9.8.2-0.35.rc1.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-doc-3.7.19-260.el6_6.2.noarch
selinux-policy-minimum-3.7.19-260.el6_6.2.noarch
selinux-policy-mls-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

How reproducible:
always

Steps to Reproduce:
# ps -efZ | grep named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10863 4099  0 11:13 pts/0 00:00:00 grep named
# service named start
Starting named:                                            [  OK  ]
# ps -efZ | grep named
unconfined_u:system_r:initrc_t:s0 named  10885     1  0 11:13 ?        00:00:00 /usr/sbin/named-sdb -u named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10893 4099  0 11:13 pts/0 00:00:00 grep named
#

Actual results:
 * named-sdb runs as initrc_t

Expected results:
 * named-sdb runs under the same label as named (named_t)

Comment 1 Miroslav Grepl 2015-03-04 10:16:26 UTC
Milos,
what does

# rpm -ql bind-sdb

and 

# chcon -t named_exec_t /usr/sbin/named-sdb

Comment 2 Milos Malik 2015-03-04 12:43:38 UTC
# rpm -ql bind-sdb
/etc/openldap/schema
/etc/openldap/schema/dnszone.schema
/usr/sbin/ldap2zone
/usr/sbin/named-sdb
/usr/sbin/zone2ldap
/usr/sbin/zone2sqlite
/usr/sbin/zonetodb
/usr/share/doc/bind-sdb-9.8.2
/usr/share/doc/bind-sdb-9.8.2/INSTALL.ldap
/usr/share/doc/bind-sdb-9.8.2/README.ldap
/usr/share/doc/bind-sdb-9.8.2/README.sdb_pgsql
/usr/share/man/man1/zone2ldap.1.gz
#

After applying the named_exec_t label the daemon runs as named_t. The only AVCs that appear are:
----
time->Wed Mar  4 13:37:22 2015
type=PATH msg=audit(1425472642.462:1444): item=0 name="/proc/sys/vm/overcommit_memory" inode=648069 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
type=CWD msg=audit(1425472642.462:1444):  cwd="/var/named"
type=SYSCALL msg=audit(1425472642.462:1444): arch=c000003e syscall=2 success=no exit=-13 a0=7f5bc071ac60 a1=80000 a2=ef a3=26110 items=1 ppid=30053 pid=30055 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=44 comm="named-sdb" exe="/usr/sbin/named-sdb" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1425472642.462:1444): avc:  denied  { search } for  pid=30055 comm="named-sdb" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
----

They are related to a recent change in glibc (BZ#867679).
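Added here as a defender-side check for the symptom in the description and in Comment 2 (a daemon that stays in initrc_t because its binary lacks the matching *_exec_t file context); it is not part of this bug report, and the ps listing it parses is a constructed sample that mirrors the one above:

```sh
#!/bin/sh
# A daemon that is still in initrc_t after its initscript exec'd it almost always
# means the binary carries the wrong file context (here: /usr/sbin/named-sdb
# lacking named_exec_t), so no domain transition to named_t took place.
# Prints "PID COMMAND" for every process in a `ps -efZ` listing (stdin) whose
# SELinux type is initrc_t. Columns: LABEL UID PID PPID C STIME TTY TIME CMD.
find_initrc_procs() {
    awk '
        $1 == "LABEL" { next }                 # column header line
        {
            split($1, ctx, ":")                # user:role:type[:range]
            if (ctx[3] != "initrc_t") next
            cmd = $9
            for (i = 10; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /^grep /) next           # the grep that produced the listing
            print $3, cmd
        }'
}

# Returns 0 when nothing is stuck in initrc_t; otherwise prints the offenders
# and returns 1, so it can gate a post-install or post-update check.
check_listing() {
    found=$(find_initrc_procs)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample in `ps -efZ` format: the initrc_t line mirrors the report
# above, the named_t line is what a correctly labelled binary produces.
SAMPLE_PS='LABEL                             UID    PID  PPID  C STIME TTY          TIME CMD
unconfined_u:system_r:initrc_t:s0 named  10885     1  0 11:13 ?        00:00:00 /usr/sbin/named-sdb -u named
unconfined_u:system_r:named_t:s0  named  30055     1  0 13:37 ?        00:00:00 /usr/sbin/named -u named
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10893 4099 0 11:13 pts/0 00:00:00 grep named'

if printf '%s\n' "$SAMPLE_PS" | check_listing; then
    echo "no daemon left in initrc_t"
else
    # On a real host: ls -Z and matchpathcon -V on the binary, then restorecon
    # once the policy package carrying the missing file context is installed.
    echo "daemon(s) still in initrc_t: check the binary's file context"
fi
```

On a live system feed it real output with `ps -efZ | check_listing`; the sample variable is only there so the check runs offline.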

Comment 3 Miroslav Grepl 2015-03-04 13:35:09 UTC
commit 33048cda1331e17cccc9981cbdd600f03e015c6b
Author: Miroslav Grepl <mgrepl>
Date:   Wed Mar 4 14:32:25 2015 +0100

    Add support for /usr/sbin/named-sdb.

Comment 6 errata-xmlrpc 2015-07-22 07:11:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html