Bug 1707910

Summary: SELinux is preventing bind from writing temporary files to /var/named
Product: [Fedora] Fedora Reporter: James Ralston <ralston>
Component: selinux-policy-targeted    Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29    CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-15 13:19:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James Ralston 2019-05-08 16:43:55 UTC
Description of problem:

Recent versions of bind have added a new behavior of creating temporary files in the /var/named directory, which SELinux blocks.

If I place named_t in permissive mode, this is what I see:

$ ausearch -m avc -ts today
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.675:2047): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" name="named" dev="dm-0" ino=319349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2048): avc:  denied  { add_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2049): avc:  denied  { create } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2050): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" path="/var/named/tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2051): avc:  denied  { remove_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
----
time->Wed May  8 09:29:09 2019
type=AVC msg=audit(1557322149.680:2052): avc:  denied  { unlink } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1

$ find /var -inum 319349
/var/named

If I pipe the output of ausearch to audit2allow, I am told:

#============= named_t ==============

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:dir { add_name remove_name write };

#!!!! This avc can be allowed using the boolean 'named_write_master_zones'
allow named_t named_zone_t:file { create unlink write };

But this is wrong. I'm not running named in a DDNS configuration; the master zones I have named configured to serve are static and do not change. I should not need to set this SELinux boolean in order to prevent SELinux from blocking named from writing its temporary files.

Version-Release number of selected component (if applicable):

$ rpm -q bind selinux-policy-targeted
bind-9.11.6-2.P1.fc29.x86_64
selinux-policy-targeted-3.14.2-57.fc29.noarch

How reproducible:

Install and configure named to serve some static zones.

Actual results:

SELinux will prevent named from writing temporary files in /var/named.

Expected results:

SELinux should not prevent named from writing temporary files in /var/named.
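An added example, not part of the report and not audit2allow's code: it parses the AVC records quoted above into audit2allow-style allow rules and then checks whether the `named_write_master_zones` boolean would silence every denial. The six log lines are the report's own, embedded as constructed sample input; the permission set attributed to the boolean is taken from the audit2allow hint quoted above, not from the policy sources.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC records quoted in the report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1557322149.675:2047): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" name="named" dev="dm-0" ino=319349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1557322149.680:2048): avc:  denied  { add_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1557322149.680:2049): avc:  denied  { create } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
type=AVC msg=audit(1557322149.680:2050): avc:  denied  { write } for  pid=1216 comm="isc-worker0002" path="/var/named/tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
type=AVC msg=audit(1557322149.680:2051): avc:  denied  { remove_name } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1557322149.680:2052): avc:  denied  { unlink } for  pid=1216 comm="isc-worker0002" name="tmp-fWgY3GyjCy" dev="dm-0" ino=1683368 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=file permissive=1
"""

# Capture the permission set, the *type* field of each context and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):.*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)"
)

def summarize_denials(text):
    """Group denials the way audit2allow does: {(source, target, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

# What the audit2allow hint in the report says named_write_master_zones would allow.
NAMED_WRITE_MASTER_ZONES = {
    ("named_t", "named_zone_t", "dir"): {"add_name", "remove_name", "write"},
    ("named_t", "named_zone_t", "file"): {"create", "unlink", "write"},
}

def uncovered_by_boolean(rules, boolean_rules=NAMED_WRITE_MASTER_ZONES):
    """Denials the boolean would not silence; an empty dict means it covers them all."""
    return {k: p - boolean_rules.get(k, set())
            for k, p in rules.items() if p - boolean_rules.get(k, set())}

def format_rules(rules):
    """Render grouped denials as allow rules, in audit2allow's output syntax."""
    return "\n".join(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                     for (s, t, c), p in sorted(rules.items()))

if __name__ == "__main__":
    rules = summarize_denials(SAMPLE_AVCS)
    print(format_rules(rules))
    print("not covered by named_write_master_zones:", uncovered_by_boolean(rules) or "none")
```

Run against the report's records it reproduces the two allow rules audit2allow printed, and the empty "not covered" result is exactly why audit2allow points at the boolean even though enabling it grants far more than a tmp-file write.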

Comment 1 Lukas Vrabec 2019-05-15 13:19:42 UTC
Unfortunately named moved the tmp files to /var/named instead of to /tmp. Because of this change, we cannot easily distinguish between zones and tmp files. Please enable the boolean to make this work.

Thanks,
Lukas.

Comment 2 James Ralston 2019-05-15 18:50:36 UTC
I filed an upstream issue to have named create temporary files in a dedicated tmp directory (/tmp or, say, /var/named/tmp) instead of directly in /var/named:

https://gitlab.isc.org/isc-projects/bind9/issues/1033

Comment 3 Lukas Vrabec 2019-05-16 21:03:01 UTC
Thanks James.