Bug 1353227
| Summary: | openstack-designate AVCs when named/bind tries to read configuration out of /var/lib/designate | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Community] RDO | Reporter: | David Moreau Simard <dmsimard> | ||||||
| Component: | openstack-selinux | Assignee: | Ryan Hallisey <rhallise> | ||||||
| Status: | CLOSED UPSTREAM | QA Contact: | Ofer Blaut <oblaut> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | trunk | CC: | rhallise, srevivo | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | trunk | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2017-04-19 20:36:25 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1176929 [details]
reproducer.sh
Looks like these should be named_zone_t. + fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\" |
Created attachment 1176928 [details] avc.txt With selinux enabled, and designate with the bind9 backend installed through puppet-designate, the following AVCs are fired when named is reloaded with configuration that includes files from /var/lib/designate. In /etc/named.conf, we add the line: include /var/lib/designate/bind9/zones.config; AVCs and reproducer script in attachment (assumes to be running on an ephemeral centos7-minimal installation, it will install on localhost). [root@n48 ~]# ls -alZ /var/lib/designate/ drwxr-xr-x. designate designate system_u:object_r:var_lib_t:s0 . drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. drwxrwx---. named named system_u:object_r:var_lib_t:s0 bind9 [root@n48 ~]# restorecon -Rv /var/lib/designate/ [root@n48 ~]# ls -alZ /var/lib/designate/ drwxr-xr-x. designate designate system_u:object_r:var_lib_t:s0 . drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. drwxrwx---. named named system_u:object_r:var_lib_t:s0 bind9