Bug 602992

Summary: SELinux is preventing /usr/sbin/named "write" access on named.
Product: [Fedora] Fedora
Reporter: Mijax <mijax.mijax>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl, mijax.mijax
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:e0dccd9b769d11bb5f03f91e06aa9f91d01490fbaf818b66733d7c8b3cc1950c
Doc Type: Bug Fix
Last Closed: 2010-06-16 14:47:17 UTC

Description Mijax 2010-06-11 08:23:56 UTC
Summary:

SELinux is preventing /usr/sbin/named "write" access on named.

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.2-4.P2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Hossein.Laptop.F 2.6.32.12-115.fc12.i686.PAE
                              #1 SMP Fri Apr 30 20:14:08 UTC 2010 i686 athlon
Alert Count                   2
First Seen                    Fri 11 Jun 2010 12:18:05 AM IRDT
Last Seen                     Fri 11 Jun 2010 12:18:05 AM IRDT
Local ID                      4ae38806-76a0-4715-8e5d-e519280b5bf4
Line Numbers                  

Raw Audit Messages            

node=Hossein.Laptop.F type=AVC msg=audit(1276199285.452:10): avc:  denied  { write } for  pid=1740 comm="named" name="named" dev=sda5 ino=1572874 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

node=Hossein.Laptop.F type=SYSCALL msg=audit(1276199285.452:10): arch=40000003 syscall=5 success=no exit=-13 a0=c9e105 a1=c1 a2=1a4 a3=c9e105 items=0 ppid=1737 pid=1740 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)



Hash String generated from  catchall,named,named_t,default_t,dir,write
audit2allow suggests:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# named_var_run_t, tmp_t, named_cache_t, var_run_t, named_tmp_t, var_log_t, named_log_t, root_t

allow named_t default_t:dir write;
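
Added example, not part of the original report or of setroubleshoot: a small Python triage of the AVC record above. It treats a target type of `default_t` as a sign that the path has no matching file-context rule, so the fix is relabeling rather than the `allow` rule audit2allow prints. The function names and the `GENERIC_TYPES` set are assumptions made for this sketch.

```python
import re

# The AVC record from this report, trimmed to the fields used below.
AVC = ('type=AVC msg=audit(1276199285.452:10): avc:  denied  { write } for  '
       'pid=1740 comm="named" name="named" dev=sda5 ino=1572874 '
       'scontext=system_u:system_r:named_t:s0 '
       'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir')

# Assumption for this sketch: these target types mean that no specific
# file-context rule matched the path (or the object carries no valid label).
GENERIC_TYPES = {"default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return permissions, source/target types, class and object name."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": m.group(1).split(),
        # user:role:type:range, the range may itself contain colons
        "stype": kv["scontext"].split(":", 3)[2],
        "ttype": kv["tcontext"].split(":", 3)[2],
        "tclass": kv["tclass"],
        "name": kv.get("name"),
    }


def triage(line):
    """Decide whether a denial points at file labeling or at policy."""
    avc = parse_avc(line)
    if avc is None:
        return None
    if avc["ttype"] in GENERIC_TYPES:
        avc["action"] = "relabel"        # semanage fcontext + restorecon
    else:
        avc["action"] = "review-policy"  # labeled object: check booleans/policy
    return avc


if __name__ == "__main__":
    print(triage(AVC))
```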

Comment 1 Miroslav Grepl 2010-06-11 12:23:26 UTC
*** Bug 602994 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2010-06-11 12:23:41 UTC
*** Bug 602996 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2010-06-11 12:24:07 UTC
*** Bug 602999 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2010-06-11 12:25:57 UTC
Try to execute

# restorecon -R -v /var/named

Comment 5 Mijax 2010-06-11 14:47:14 UTC
After executing it, a new alert is shown; see:
https://bugzilla.redhat.com/show_bug.cgi?id=603109

Comment 6 Daniel Walsh 2010-06-11 14:50:32 UTC
Did you move named directory to a different location?

Comment 7 Daniel Walsh 2010-06-11 14:53:22 UTC
*** Bug 603109 has been marked as a duplicate of this bug. ***

Comment 8 Mijax 2010-06-11 15:01:57 UTC
No, I did not move anything, but instead of executing:
# restorecon -R -v /var/named
executed:
# restorecon -R -v /chroot/named/var/named/

Because I run BIND DNS in a chroot jail and there is no /var/named directory.

Comment 9 Daniel Walsh 2010-06-11 15:37:56 UTC
Yes that means you changed the default.

You need to do the following commands

# semanage fcontext -a -t var_t '/chroot(/.*)?'
# semanage fcontext -a -e /var/named /chroot/named/var/named
# restorecon -R -v /chroot

This will tell SELinux to label everything under /chroot as var_t
and everything under /chroot/named/var/named as if it was under /var/named.

Comment 10 Mijax 2010-06-11 20:31:04 UTC
I executed them, but 2 new alerts appeared:
SELinux is preventing /usr/sbin/named "read" access on
/chroot/named/etc/rndc.key.
&
SELinux is preventing /usr/sbin/named "write" access on
/chroot/named/var/run/named.

If needed, I can send the Detailed Description and other information that the alerts show.

Comment 11 Miroslav Grepl 2010-06-14 09:05:24 UTC
Actually I think you need

# semanage fcontext -d -e /var/named /chroot/named/var/named
# semanage fcontext -a -e /var/named/chroot /chroot/named
# restorecon -R -v /chroot
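
Added example, not from this thread or from the selinux-policy project: a simplified Python model of file-context equivalence that compares the type each chroot path would receive under the equivalence from Comment 9 and under the one from Comment 11. The rule table is a constructed subset modelled on the bind policy's chroot rules, and "longest literal prefix wins" is an assumed stand-in for the real rule precedence.

```python
import re

# Constructed, simplified file-context table (assumption: the installed
# policy has more rules and may differ in detail).
RULES = [
    (r"/.*", "default_t"),
    (r"/chroot(/.*)?", "var_t"),                 # local rule from Comment 9
    (r"/var/named(/.*)?", "named_zone_t"),
    (r"/var/named/chroot(/.*)?", "named_conf_t"),
    (r"/var/named/chroot/etc/rndc\.key", "dnssec_t"),
    (r"/var/named/chroot/var/run/named.*", "named_var_run_t"),
    (r"/var/named/chroot/var/named(/.*)?", "named_zone_t"),
]

# "semanage fcontext -a -e ORIGINAL ALIAS" is modelled as {ALIAS: ORIGINAL}.
COMMENT_9 = {"/chroot/named/var/named": "/var/named"}
COMMENT_11 = {"/chroot/named": "/var/named/chroot"}


def stem(regex):
    """Literal prefix of a rule, used here as a measure of specificity."""
    return re.split(r"[.\\(\[*?+|]", regex, maxsplit=1)[0]


def substitute(path, equivalences):
    """Rewrite the path prefix as an equivalence does before rule lookup."""
    for alias, original in equivalences.items():
        if path == alias or path.startswith(alias + "/"):
            return original + path[len(alias):]
    return path


def expected_type(path, equivalences):
    """Type the simplified table assigns to path under the equivalences."""
    lookup = substitute(path, equivalences)
    matches = [(len(stem(rx)), t) for rx, t in RULES if re.fullmatch(rx, lookup)]
    return max(matches, key=lambda m: m[0])[1]


def compare(paths):
    """Map each path to (type under Comment 9, type under Comment 11)."""
    return {p: (expected_type(p, COMMENT_9), expected_type(p, COMMENT_11))
            for p in paths}


if __name__ == "__main__":
    for p, types in compare(["/chroot/named/etc/rndc.key",
                             "/chroot/named/var/run/named",
                             "/chroot/named/var/named/example.zone"]).items():
        print(p, types)
```

In this model the two paths from Comment 10 stay `var_t` under the first equivalence and only pick up bind-specific types once the whole chroot root is made equivalent to `/var/named/chroot`.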

Comment 12 Mijax 2010-06-14 21:32:14 UTC
OK. After executing your commands, Miroslav Grepl, the named service ran successfully, but after rebooting a SELinux alert was shown.

To repair it, I ran:

setsebool -P named_write_master_zones=1

And now everything is OK.

Thanks all.

Comment 13 Miroslav Grepl 2010-07-04 22:01:57 UTC
*** Bug 609470 has been marked as a duplicate of this bug. ***