Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2165220

Summary:	selinux-policy-targeted is preventing named-chroot from starting due to preventing logging inside the chroot /var/named/chroot/var/data
Product:	Red Hat Enterprise Linux 9	Reporter:	David <webmaster>
Component:	selinux-policy	Assignee:	Nikola Knazekova <nknazeko>
Status:	CLOSED WONTFIX	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	high	Docs Contact:
Priority:	medium
Version:	9.1	CC:	lvrabec, mmalik, zpytela
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-08-04 14:56:45 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description David 2023-01-28 15:39:47 UTC

Description of problem:

named-chroot refuses to start due to selinux-policy-targeted

Version-Release number of selected component (if applicable):
selinux-policy-targeted-34.1.43-1.el9.noarch

How reproducible:
If selinux is enforcing completely reproducible 100%

systemctl restart named-chroot 

Steps to Reproduce:
1. Ensure selinux is enforcing
2. Start or restart named-chroot
3.

Actual results:

named-chroot refuses to start or restart.

journalctl -xeu named-chroot     

Jan 28 07:13:57 server.idb.com.au named[167454]: automatic empty zone: HOME.ARPA
Jan 28 07:13:57 server.idb.com.au named[167454]: command channel listening on 127.0.0.1#953
Jan 28 07:13:57 server.idb.com.au named[167454]: isc_stdio_open 'data/named.run' failed: permission denied
Jan 28 07:13:57 server.idb.com.au named[167454]: configuring logging: permission denied
Jan 28 07:13:57 server.idb.com.au named[167454]: loading configuration: permission denied
Jan 28 07:13:57 server.idb.com.au named[167454]: exiting (due to fatal error)
Jan 28 07:13:57 server.idb.com.au systemd[1]: named-chroot.service: Control process exited, code=exited, status=1/FAILURE




sealert -l 257d83aa-4d72-4e4b-aaea-1d01aff5273b

Jan 28 03:25:00 server setroubleshoot[36205]: SELinux is preventing /usr/sbin/named from append access on the file queries. For complete SELinux messages run: sealert -l 257d83aa-4d72-4e4b-aaea-1d01aff5273b
Jan 28 03:25:00 server setroubleshoot[36205]: SELinux is preventing /usr/sbin/named from append access on the file queries.#012#012*****  Plugin catchall_labels (83.8 confidence) suggests   *******************#012#012If you want to allow named to have append access on the queries file#012Then you need to change the label on queries#012Do#012# semanage fcontext -a -t FILE_TYPE 'queries'#012where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, acct_data_t, admin_crontab_tmp_t, admin_home_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bitlbee_log_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, bootloader_tmp_t, brltty_log_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, certmaster_var_log_t, certmonger_tmp_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_tmp_t, cluster_var_log_t, cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_log_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, conntrackd_log_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_tmp_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dnssec_trigger_var_run_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fprintd_tmp_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hsqldb_tmp_t, httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, ibacm_log_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, insights_client_tmp_t, insights_client_var_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jetty_tmp_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ldconfig_tmp_t, livecd_tmp_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_tmp_t, minidlna_log_t, mirrormanager_log_t, mock_tmp_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_log_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_script_tmp_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, naemon_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_cache_t, named_log_t, named_tmp_t, named_var_run_t, named_zone_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nfsd_tmp_t, nova_log_t, nova_tmp_t, nscd_log_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openhpid_log_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, oracleasm_tmp_t, osad_log_t, pam_timestamp_tmp_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pki_log_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, redis_tmp_t, rhcd_tmp_t, rhcd_var_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, samba_var_t, sanlock_log_t, sbd_tmpfs_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech_dispatcher_log_t, speech_dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_log_t, stunnel_tmp_t, sudo_log_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, sysstat_log_t, system_cronjob_tmp_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_importd_tmp_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp
Jan 28 03:25:57 server setroubleshoot[36404]: SELinux is preventing /usr/sbin/named from append access on the file network. For complete SELinux messages run: sealert -l 257d83aa-4d72-4e4b-aaea-1d01aff5273b


Cheers,

David


Expected results:

named-chroot should start or restart and log into data/ which is inside the chroot at /var/named/chroot/var/data

Additional info:

Comment 1 David 2023-01-28 17:40:52 UTC

I just found another issue related to selinux-policy, this time concerning sshd:

Jan 28 09:33:01 server setroubleshoot[181272]: SELinux is preventing /usr/sbin/sshd from write access on the sock_file /var/lib/mysql/mysql.sock. For complete SELinux messages run: sealert -l 888712f0-b339-4c8d-9412-c551f5d6dd3b
Jan 28 09:33:01 server setroubleshoot[181272]: SELinux is preventing /usr/sbin/sshd from write access on the sock_file /var/lib/mysql/mysql.sock.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed write access on the mysql.sock sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012



Raw Audit Messages
type=AVC msg=audit(1674927178.683:84366): avc:  denied  { write } for  pid=181250 comm="sshd" name="mysql.sock" dev="dm-0" ino=44433509 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file permissive=1


type=AVC msg=audit(1674927178.683:84366): avc:  denied  { connectto } for  pid=181250 comm="sshd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket permissive=1


type=SYSCALL msg=audit(1674927178.683:84366): arch=x86_64 syscall=connect success=yes exit=0 a0=8 a1=7ffefe3941d0 a2=6e a3=10 items=0 ppid=882 pid=181250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,mysqld_var_run_t,sock_file,write

Cheers,

David

Comment 2 Nikola Knazekova 2023-02-03 14:06:46 UTC

Hi David,

why is sshd trying to access mysql? 
Did you make any changes to the config file?

Thanks,
Nikola

Comment 3 David 2023-02-03 14:23:14 UTC

Hey Nikola,

No it’s a clean install running Plesk. I only have changed SSHD to enforce public key + password and set max 2 attempts.

What config files do you want to see in particular?

Cheers,

David

Comment 5 Nikola Knazekova 2023-08-04 14:56:45 UTC

Hi David, 

the first bug related to named-chroot is working in selinux-policy-38.1.18-1.
To the second issue, the plesk is not supported, so I am closing this bug as WONTFIX