Bug 1580389

Summary: bind-dyndb-ldap post script enables setsebool named_write_master_zones on installation
Product: Red Hat Enterprise Linux 7
Reporter: Tomáš Hozza <thozza>
Component: bind-dyndb-ldap
Assignee: Alexander Bokovoy <abokovoy>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.6
CC: ksiddiqu, ndehadra, pemensik
Target Milestone: rc
Target Release: 7.6
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: bind-dyndb-ldap-11.1-5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1573998
Clones: 1639410 (view as bug list)
Environment:
Last Closed: 2019-08-06 13:04:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1573998, 1574003
Bug Blocks:

Attachments:
Description                                          Flags
Remove setsebool toggling, depend on bind doing it   none

Description Tomáš Hozza 2018-05-21 11:59:26 UTC
+++ This bug was initially created as a clone of Bug #1573998 +++

Description of problem:
The setsebool named_write_master_zones is permanently turned on when bind-dyndb-ldap is installed. It was required because the home directory /var/named is not writable by the named daemon, and this plugin requires /var/named/dyndb-ldap to be writable by the plugin. The mentioned setsebool is always turned off on uninstallation, which blocks changing the default of that boolean: it would be changed to a non-default value on each uninstallation.

Version-Release number of selected component (if applicable):
bind-dyndb-ldap-11.1-10.fc27

How reproducible:
always

Steps to Reproduce: 
1. getsebool named_write_master_zones
2. dnf install bind-dyndb-ldap
3. getsebool named_write_master_zones
4. dnf remove bind-dyndb-ldap
5. getsebool named_write_master_zones


Actual results:
named_write_master_zones --> off
named_write_master_zones --> on
named_write_master_zones --> off

Expected results:
named_write_master_zones --> off
named_write_master_zones --> off
named_write_master_zones --> off

Additional info:
I think the /var/named/dyndb-ldap directory should have the label named_cache_t instead of named_zone_t.
With the upcoming change, it should behave the same way, but this toggling has to be removed. Once selinux-policy is changed, the new package must conflict with the previous policy. The bind package would conflict as well.
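
A check a practitioner can run against any installed package to find the behaviour this report describes, i.e. scriptlets that call `setsebool -P` and flip a boolean regardless of what the administrator or the policy default had set. This is an added example, not code from the bug report or from bind-dyndb-ldap: it parses the text that `rpm -q --scripts PKG` prints, lists every boolean a scriptlet sets, and flags booleans switched on in postinstall and back off in postuninstall. The embedded sample is constructed to mirror the report and is not the real package's scriptlets; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report or of bind-dyndb-ldap): audit the
# scriptlets of an installed RPM for `setsebool -P` calls. Real-world use:
#
#   rpm -q --scripts bind-dyndb-ldap | audit_setsebool_scriptlets | flag_clobbering_toggles
#
# audit_setsebool_scriptlets prints "<scriptlet> <boolean> <value>" for every
# boolean a scriptlet sets, in either "name value" or "name=value" form.
audit_setsebool_scriptlets() {
    awk '
        BEGIN { section = "unknown" }
        # rpm prints headers such as "postinstall scriptlet (using /bin/sh):"
        /^[a-z]+ scriptlet/ { section = $1; next }
        /^[ \t]*#/ { next }                       # skip shell comments
        /setsebool/ {
            # find the setsebool token itself (bare or with a path prefix)
            for (i = 1; i <= NF && $i !~ /(^|\/)setsebool$/; i++) ;
            for (i++; i <= NF; i++) {
                if ($i ~ /^-/) continue           # flags such as -P
                if ($i ~ /^[A-Za-z0-9_]+=(on|off|1|0|true|false)$/) {
                    split($i, kv, "="); print section, kv[1], kv[2]
                } else if (i < NF && $(i + 1) ~ /^(on|off|1|0|true|false)$/) {
                    print section, $i, $(i + 1); i++
                }
            }
        }'
}

# Reads the audit output and reports booleans that a package switches on in
# postinstall and unconditionally back off in postuninstall: the package then
# overwrites whatever value the administrator or the policy default had chosen.
flag_clobbering_toggles() {
    awk '
        $1 == "postinstall"   { on[$2] = $3 }
        $1 == "postuninstall" { off[$2] = $3 }
        END { for (b in on) if (b in off) print b, on[b] "->" off[b] }' | sort
}

# Constructed sample in the shape of `rpm -q --scripts` output. It imitates the
# behaviour described in the report; it is NOT the real package's scriptlets.
SAMPLE_RPM_SCRIPTS='postinstall scriptlet (using /bin/sh):
if [ -x /usr/sbin/setsebool ]; then
    /usr/sbin/setsebool -P named_write_master_zones on 2>/dev/null || :
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ] && [ -x /usr/sbin/setsebool ]; then
    /usr/sbin/setsebool -P named_write_master_zones off 2>/dev/null || :
fi'

# Runs both stages over the constructed sample; prints
# "named_write_master_zones on->off".
sample_report() {
    printf '%s\n' "$SAMPLE_RPM_SCRIPTS" | audit_setsebool_scriptlets | flag_clobbering_toggles
}

sample_report
```

`getsebool` only shows the current value; `semanage boolean -l` also shows the persistent one, which is what a `setsebool -P` in a scriptlet rewrites. The label question raised in the report can be checked with `ls -dZ /var/named/dyndb-ldap` against `matchpathcon /var/named/dyndb-ldap` once the updated selinux-policy is installed.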

Comment 1 Tomáš Hozza 2018-05-21 12:09:54 UTC
*** Bug 1580388 has been marked as a duplicate of this bug. ***

Comment 2 Petr Menšík 2018-05-30 10:18:51 UTC
Created attachment 1445754 [details]
Remove setsebool toggling, depend on bind doing it

Comment 3 Alexander Bokovoy 2018-09-27 11:15:03 UTC
Target next minor version.

Comment 7 Nikhil Dehadrai 2019-06-12 10:08:07 UTC
bind-dyndb-ldap-11.1-6.el7.x86_64 

Tested the bug with the following observations:

[root@auto-hv-01-guest07 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 Beta (Maipo)
[root@auto-hv-01-guest07 ~]# rpm -qa | grep bind
rpcbind-0.2.0-48.el7.x86_64
[root@auto-hv-01-guest07 ~]# rpm -q ipa-server
package ipa-server is not installed
[root@auto-hv-01-guest07 ~]# getsebool named_write_master_zones
named_write_master_zones --> off
[root@auto-hv-01-guest07 ~]# 
[root@auto-hv-01-guest07 ~]# 
[root@auto-hv-01-guest07 ~]# yum -y install bind-dyndb-ldap
[root@auto-hv-01-guest07 ~]# getsebool named_write_master_zones
named_write_master_zones --> on


[root@auto-hv-01-guest07 ~]# yum erase bind* -y
[root@auto-hv-01-guest07 ~]# getsebool named_write_master_zones
named_write_master_zones --> off
[root@auto-hv-01-guest07 ~]#

Comment 9 Nikhil Dehadrai 2019-06-24 07:48:46 UTC
Based on the observations in comment#7 and comment#8 above, marking the status of the bug as 'VERIFIED'.

Comment 11 errata-xmlrpc 2019-08-06 13:04:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2195