Bug 156457
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Chroot-ed named access denied to write/remove/rename log files | | |
| Product | [Fedora] Fedora | Reporter | Robert Nichols <rnichols42> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 3 | CC | jvdias |
| Hardware | i686 | | |
| OS | Linux | | |
| Doc Type | Bug Fix | | |
| Last Closed | 2005-05-18 18:12:19 UTC | | |
Description
Robert Nichols
2005-04-30 16:43:56 UTC
Do you have any specific reason to run named in a chroot? The SELinux policy alone should provide stronger security.

The bind-chroot package gets installed by default when you select the "DNS Nameserver" group at install time. No, I don't have a specific need to run named in a chroot jail. For that matter I do not have any specific reason to run SELinux and have no plans to use "enforcing" mode. I'm just reporting a conflict between selinux-policy-targeted and the default installation of the DNS nameserver.

What is /var/named/chroot/var/log/? This is not part of a standard install.

Dan

Yes, you should be installing the bind-chroot package to run named in a chroot environment. Modern BIND named calls openlog() BEFORE doing the chroot, and thus does not require /dev/log in the chroot. It does, however, require the proc filesystem to be mounted under the chroot's /proc for various sysctl and networking calls to work correctly, which you'd get if you have bind-chroot and bind-9.3.1-+ / bind-9.2.5-+ installed.

Here's what happened. I have a logging statement requesting logging to a file /var/log/named-info.log and not by using the syslog facility. BIND is creating that file, and rotating existing versions of that file, in the chrooted environment. Here's the named.conf logging statement that causes the problem:

```
logging {
    channel info_log {
        file "/var/log/named-info.log" versions 3;
        severity info;
    };
    category default { info_log; };
};
```

As I originally noted, I do have bind-9.2.5-1 and bind-chroot-9.2.5-1 installed. There is no /proc filesystem in the chrooted environment, nor is there a /dev/log there.

This is looking like multiple bugs in the BIND packages, rather than a problem in SELinux.

There is BIND SELinux policy only for the files and directories installed as part of the BIND package. If you want named to create new files in directories not shipped as part of the BIND package, then you need to create SELinux policy for them - for your /var/log directory, you'd need to do:

```
# touch /var/named/var/log/named-info.log
# chown -R named:named /var/named/var/log
# chcon -R system_u:object_r:named_cache_t /var/named/var/log
```

We can't provide SELinux policy for every new file and directory that named may be configured to touch. We do provide policy for named to create files in the $ROOTDIR/var/named/data and $ROOTDIR/var/named/slaves directory, but it is up to users to configure named to place new files there. For the next version of BIND, I'll be updating the named man-page with more documentation about the SELinux policy issues. And for the next bind-9.2.5 release for FC-3, the /proc filesystem will be mounted under the chroot.
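The last comment's advice (named may only create files in directories the BIND policy already labels, otherwise the directory has to be relabeled by hand) can be checked mechanically against a named.conf. The script below is an added example, not code from the bug thread or from the BIND or selinux-policy packages: it extracts every `file` channel from a `logging` statement, resolves relative paths against `options { directory }` the way named does, maps each path to where it lands on the host under the chroot, and flags channels that fall outside the `data` and `slaves` directories the thread says the stock policy covers, emitting the same `touch`/`chown`/`chcon` sequence the comment gives. The sample configuration is constructed from the reporter's snippet plus a second channel pointing at the covered `data` directory; the chroot root `/var/named/chroot`, the type names and the treatment of only `data` and `slaves` as policy-covered are assumptions taken from the thread, not from the policy sources.

```python
"""Flag named.conf file-logging channels that the stock BIND SELinux policy
will not let a chrooted named create or rotate. Added example; all inputs and
type names are assumptions based on the bug thread, not the real policy."""
import re
from pathlib import PurePosixPath

# Constructed sample: the reporter's logging statement plus a channel that
# writes under the policy-covered data/ directory for contrast.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};
logging {
    channel info_log {
        file "/var/log/named-info.log" versions 3;
        severity info;
    };
    channel query_log {
        file "data/named-queries.log" versions 5 size 20m;
        severity dynamic;
    };
    category default { info_log; };
    category queries { query_log; };
};
"""

# Directories (as named sees them, i.e. relative to the chroot root) that the
# thread says ship with policy allowing named to create files. Assumption.
POLICY_WRITABLE_DIRS = ("/var/named/data", "/var/named/slaves")

CHANNEL_RE = re.compile(r'\bchannel\s+(\w+)\s*\{(.*?)\};', re.S)
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"')


def file_channels(conf):
    """Return {channel_name: path} for every channel that logs to a file.
    syslog/stderr/null channels have no `file` clause and are skipped.
    Relative paths are resolved against options { directory }, as named does."""
    m = DIRECTORY_RE.search(conf)
    base = m.group(1) if m else "/"
    channels = {}
    for name, body in CHANNEL_RE.findall(conf):
        fm = FILE_RE.search(body)
        if not fm:
            continue
        path = PurePosixPath(fm.group(1))
        if not path.is_absolute():
            path = PurePosixPath(base) / path
        channels[name] = str(path)
    return channels


def in_chroot(path, rootdir):
    """Map a path as named sees it inside the jail to the host-side path."""
    return str(PurePosixPath(rootdir) / str(path).lstrip("/"))


def is_policy_covered(path):
    """True if the log file lives inside a directory the stock policy covers."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(d) or PurePosixPath(d) in p.parents
               for d in POLICY_WRITABLE_DIRS)


def audit_logging(conf, rootdir="/var/named/chroot"):
    """Return a list of (channel, host_path, covered, fix_commands).
    fix_commands mirrors the relabeling sequence from the bug thread and is
    empty for channels the policy already allows. Rotation (`versions N`)
    renames files in the same directory, so the directory itself is relabeled."""
    findings = []
    for name, path in file_channels(conf).items():
        host_path = in_chroot(path, rootdir)
        covered = is_policy_covered(path)
        fix = []
        if not covered:
            logdir = str(PurePosixPath(host_path).parent)
            fix = [
                f"touch {host_path}",
                f"chown -R named:named {logdir}",
                f"chcon -R system_u:object_r:named_cache_t {logdir}",
            ]
        findings.append((name, host_path, covered, fix))
    return findings


if __name__ == "__main__":
    for name, host_path, covered, fix in audit_logging(SAMPLE_NAMED_CONF):
        status = "ok (policy-covered)" if covered else "NEEDS RELABEL"
        print(f"{name}: {host_path} -> {status}")
        for cmd in fix:
            print(f"    # {cmd}")
```

Two caveats when acting on the output. `chcon` changes only the in-memory label on the inode and is undone by the next relabel (`restorecon`, `fixfiles`, or an `autorelabel` boot), so for a setting that should survive, the equivalent persistent step is to register the context with `semanage fcontext` and then run `restorecon` on the directory. And the script only decides whether named can create and rotate the files; whether the directory exists inside the jail at all is a separate check, which is exactly why the thread's second choice, pointing the channel at `data/` under the chroot, is the lower-friction one.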