Bug 165017

Summary: Chrooted bind's init script doesn't properly mount/unmount proc
Product: Fedora
Component: bind
Version: 4
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: Chris Evich <cevich>
Assignee: Martin Stransky <stransky>
QA Contact: Ben Levenson <benl>
CC: sundaram
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-22 02:14:13 UTC

Attachments:
fix for problem but may not be complete solution in all situations. (Flags: none)

Description Chris Evich 2005-08-03 15:55:21 UTC
Description of problem:
The script uses "grep" logic to determine if its chrooted proc is mounted.
However, the check is performed with a variably named root directory. If the
root dir string ends in a "/" then the search term to grep is incorrect and proc
isn't properly mounted/unmounted.

Steps to Reproduce:
1. Start the named service
2. Stop the named service (proc is not unmounted).
3. Start the named service (get error message about proc already being mounted)


Comment 1 Chris Evich 2005-08-03 15:55:21 UTC
Created attachment 117412 [details]
fix for problem but may not be complete solution in all situations.

Comment 2 Jason Vas Dias 2005-08-03 16:57:57 UTC
The workaround is of course NOT to append a trailing '/' onto the
$ROOTDIR setting in /etc/sysconfig/named, or to mount the procfs
on /var/named/chroot/proc in /etc/fstab .

The more general fix would be this line in /etc/init.d/named, @line 29:
'
[ -n "$ROOTDIR" ] && ROOTDIR=`echo $ROOTDIR | sed 's#//*#/#g;s#/$##'`
'

This would deal with any sequence of '/'s in $ROOTDIR:
$ ROOTDIR=///////var///named/////////////////chroot//////////////
$ [ -n "$ROOTDIR" ] && ROOTDIR=`echo $ROOTDIR | sed 's#//*#/#g;s#/$##'`
$ echo $ROOTDIR
/var/named/chroot

This change will go into the next BIND version.

Note that use of the bind-chroot environment is made redundant by use
of SELinux in Enforcing mode; you gain no security by using bind-chroot
with SELinux Enforcing, and can safely do 'rpm -e bind-chroot' .
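An added example (not the Fedora init script or the attachment) that applies the normalisation from this comment and shows why a trailing '/' defeats a grep for "$ROOTDIR/proc"; it runs against a constructed mount table instead of /proc/mounts, and the function names are my own:

```shell
#!/bin/sh
# Added example, not the bind init script: normalise $ROOTDIR as comment 2
# suggests, then check for the chroot's proc mount. Function names are mine.

# Collapse runs of '/' and drop a trailing '/', e.g.
# '///var//named/chroot//' -> '/var/named/chroot' (a bare '/' becomes empty,
# exactly as the sed expression in the comment behaves).
normalize_rootdir() {
    [ -n "$1" ] && printf '%s\n' "$1" | sed 's#//*#/#g;s#/$##'
}

# Constructed stand-in for /proc/mounts so the example runs offline.
SAMPLE_MOUNTS='proc /proc proc rw 0 0
/dev/sda1 / ext3 rw 0 0
proc /var/named/chroot/proc proc rw 0 0'

# Check as described in the report: grep for "$ROOTDIR/proc" in the mount
# table on stdin. With ROOTDIR='/var/named/chroot/' the pattern becomes
# '/var/named/chroot//proc', which matches nothing, so stop never unmounts
# and the next start fails because proc is already mounted.
naive_proc_mounted() {
    grep -q "$1/proc"
}

# Hardened check: compare the mount-point field exactly and require the proc
# filesystem type, so neither a doubled slash nor an unanchored substring
# match (a longer path that merely contains "$1/proc") gives a wrong answer.
# Returns 0 if mounted, 1 otherwise.
proc_mounted() {
    awk -v mp="$1/proc" '$2 == mp && $3 == "proc" { found = 1 } END { exit !found }'
}

ROOTDIR='/var/named/chroot/'   # the trailing slash that triggers the bug
if printf '%s\n' "$SAMPLE_MOUNTS" | naive_proc_mounted "$ROOTDIR"; then
    echo "naive check: proc found under $ROOTDIR"
else
    echo "naive check: proc NOT found under $ROOTDIR (the reported failure)"
fi
ROOTDIR=$(normalize_rootdir "$ROOTDIR")
if printf '%s\n' "$SAMPLE_MOUNTS" | proc_mounted "$ROOTDIR"; then
    echo "exact check: proc is mounted at $ROOTDIR/proc"
fi
```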

Comment 3 Chris Evich 2005-08-29 17:25:38 UTC
Agreed, though for a name server running on cheap "non-beefy" hardware, the
performance impact of SELinux is a factor.

Since I am one to run a name server on
they-don't-make-it-like-they-used-to hardware, chroot is a nice alternative :)

Comment 4 Rahul Sundaram 2005-09-05 05:59:41 UTC
The performance impact for SELinux using targeted policy should be pretty
negligible. You probably need to try that

Comment 5 Bill Nottingham 2006-09-22 02:14:13 UTC
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.