Bug 2040015
| Summary: | restorecon would relabel /etc/named.conf.bak | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jiri Jaburek <jjaburek> |
| Component: | bind-dyndb-ldap | Assignee: | Rafael Jeffman <rjeffman> |
| Status: | CLOSED WONTFIX | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | lvrabec, mmalik |
| Target Milestone: | rc | | |
| Last Closed: | 2023-07-12 07:28:05 UTC | Type: | Bug |
selinux-policy cannot handle all backup file names. Switching to the bind component to assess if the file can be kept with a label not matching the default file context database or if restorecon should be run.

Not really sure how to handle this issue. I think having a backup with named_conf_t is correct. It would allow the user to mv /etc/named.conf{.bak,} if it went wrong. On the other hand, I don't expect the policy would match any common backup suffixes. Moving to the bind-dyndb-ldap component to evaluate. Either also call restorecond on the backup file or close it with WONTFIX.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Description of problem:

```
$ dnf install bind    # do this first, separately
$ dnf install bind-dyndb-ldap
$ restorecon -Rvvn /etc/
Would relabel /etc/named.conf.bak from system_u:object_r:named_conf_t:s0 to system_u:object_r:etc_t:s0
```

Version-Release number of selected component (if applicable):

RHEL-9.0.0-20220108.3
bind-9.16.23-1.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch

Additional information:

This happens because the postinst script of bind-dyndb-ldap seems to back up the config before rewriting it:

```
$ rpm --scripts -q bind-dyndb-ldap
postinstall scriptlet (using /bin/sh):
[ -f /etc/named.conf ] || exit 0
...
while read -r PATTERN
do
    SEDSCRIPT+="$PATTERN"
done <<EOF
/^\s*dynamic-db/,/};/ {
...
}
EOF
sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
```

This is actually a sed functionality I didn't know about - using the -i argument with a suffix, but the manpage does mention it.
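
An added example, not part of the bug report or of the package's scriptlet: a shell filter that summarises a `restorecon -Rvvn` dry run like the one above and marks backup copies whose current SELinux type differs from the policy default. The function names, the backup suffix list and the second sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Summarise a restorecon dry run: one line per file that would be
# relabelled, with backup copies marked. The suffix list is an assumption.

# Constructed sample input; the first line is the one quoted in the report,
# the second is made up to exercise a path containing a space.
sample_dry_run() {
cat <<'EOF'
Would relabel /etc/named.conf.bak from system_u:object_r:named_conf_t:s0 to system_u:object_r:etc_t:s0
Would relabel /etc/example dir/app.conf from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:etc_t:s0
EOF
}

# stdin:  restorecon dry-run output
# stdout: KIND<TAB>PATH<TAB>CURRENT_TYPE<TAB>DEFAULT_TYPE
summarise_relabels() {
    awk '
    # The SELinux type is the third colon-separated field of a context.
    function setype(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }

    $1 == "Would" && $2 == "relabel" && NF >= 7 &&
    $(NF-3) == "from" && $(NF-1) == "to" {
        # Contexts contain no spaces, so parse from the right and treat
        # everything between "relabel" and "from" as the path
        # (runs of spaces inside a path are collapsed to one).
        path = $3
        for (i = 4; i <= NF - 4; i++) path = path " " $i
        kind = (path ~ /(\.bak|\.orig|~)$/) ? "backup" : "other"
        printf "%s\t%s\t%s\t%s\n", kind, path, setype($(NF-2)), setype($NF)
    }'
}

# Only the backup copies, i.e. the case this bug is about.
backup_relabels() {
    summarise_relabels | awk -F '\t' '$1 == "backup"'
}

# Stand-alone run on the constructed sample.
sample_dry_run | summarise_relabels
```

On a live system the input would be `restorecon -Rvvn /etc/ | backup_relabels`, which changes no labels because of `-n`.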