Bug 1637931

Summary: bind-chroot: /var/named/chroot*/dev/urandom do not have correct label
Product: [Fedora] Fedora
Reporter: Petr Menšík <pemensik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 29
CC: dab0816, dwalsh, esm, lvrabec, mgrepl, pemensik, plautrba
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-40.fc29
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-10-18 11:06:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1631515
Attachments: Proposed fix (Flags: none)

Description Petr Menšík 2018-10-10 11:05:56 UTC
Description of problem:
After the update to bind-9.11.4-9.P2.fc29, /dev/urandom was added to the bind-chroot directory. Bind however fails to use it, because it does not have the correct label. Check bug #1631515 for error messages.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-44.fc28

How reproducible:
always

Steps to Reproduce:
1. dnf install bind-9.11.4-10.P2.fc29 bind-chroot-9.11.4-10.P2.fc29
2. ls -lZ /var/named/chroot*/dev/urandom
3. cat /dev/random > /dev/null # drop any gathered entropy
4. systemctl start named-chroot

Actual results:
Service fails to start

type=AVC msg=audit(1538083144.528:217): avc:  denied  { open } for  pid=1762 comm="named" path="/dev/urandom" dev="dm-3" ino=1183207 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file permissive=1


Expected results:
Service can access /dev/urandom in chroot.


Additional info:

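An added example (not part of the bug report or of the selinux-policy package): a small POSIX shell helper that parses an AVC denial like the one quoted above, flags the case where a character device node carries a non-device type such as named_conf_t, and then shows the relabel-and-verify step an administrator would run after installing the fixed policy. The expected device type urandom_device_t is an assumption; the report itself does not name it.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in the report above.
AVC_SAMPLE='type=AVC msg=audit(1538083144.528:217): avc:  denied  { open } for  pid=1762 comm="named" path="/dev/urandom" dev="dm-3" ino=1183207 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file permissive=1'

# avc_field LINE KEY -> value of "KEY=value" (surrounding quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_device LINE: prints "<path> <type>" and returns 0 when the denied
# object is a character device whose type is not a *_device_t type, else 1.
# That pattern is what this bug looks like: named_t is allowed to read
# urandom_device_t, but the chroot copy was labelled as a config file.
mislabeled_device() {
    tclass=$(avc_field "$1" tclass)
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    [ "$tclass" = "chr_file" ] || return 1
    case "$ttype" in
        *_device_t) return 1 ;;
    esac
    printf '%s %s\n' "$(avc_field "$1" path)" "$ttype"
    return 0
}

# check_chroot_label: after the fixed selinux-policy is installed, apply the
# new file context and print the resulting type of each chroot urandom node.
# Needs SELinux and policycoreutils; expected output type is urandom_device_t
# (assumed, not stated in the report).
check_chroot_label() {
    for f in /var/named/chroot*/dev/urandom; do
        [ -e "$f" ] || continue
        restorecon -v "$f"
        ctx_type "$(stat -c %C "$f")"
    done
}
```

Run `mislabeled_device` over lines from `ausearch -m avc` to spot the same class of mislabel on other device nodes, and `check_chroot_label` once the policy update is in place.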
Comment 1 Petr Menšík 2018-10-10 11:11:21 UTC
I failed to spot the requirement for it before I added /dev/urandom in chroot and the requirement for it. Until fixed by selinux-policy, it makes bind-chroot unusable on F28, F29 and rawhide.

Comment 2 Petr Menšík 2018-10-10 11:15:20 UTC
Created attachment 1492526 [details]
Proposed fix

Comment 3 Lukas Vrabec 2018-10-15 11:22:35 UTC
Thanks for the report and fix. :)

Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 15 13:21:00 2018 +0200

    Label correctly /var/named/chroot*/dev/urandom in bind chroot.
    
    Thanks Petr Mensik <pmensik> for proposed patch.
    BZ(1637931)

Comment 4 Lukas Vrabec 2018-10-15 14:40:03 UTC
*** Bug 1639340 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2018-10-15 20:23:21 UTC
selinux-policy-3.14.2-39.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac

Comment 6 Fedora Update System 2018-10-16 15:52:09 UTC
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce273879ac

Comment 7 Fedora Update System 2018-10-18 11:06:58 UTC
selinux-policy-3.14.2-40.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.