Bug 902431

Summary: bind-chroot creates /var/named/chroot/etc/localtime with incorrect selinux context
Product: Red Hat Enterprise Linux 6 Reporter: Karel Srot <ksrot>
Component: bindAssignee: Tomáš Hozza <thozza>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: low Docs Contact:
Priority: medium    
Version: 6.5CC: hhorak, mgrepl, mmalik, thozza
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: bind-9.8.2-0.27.rc1.el6 Doc Type: Bug Fix
Doc Text:
Cause: The /var/named/chroot/etc/localtime was created during the installation of the bind-chroot package, but its SELinux context was not restored. Consequence: As a consequence, the /var/named/chroot/etc/localtime had wrong SELinux context. Fix: The command to restore the SELinux context of /var/named/chroot/etc/localtime after creation has been added into the post transaction section of the SPEC file. Result: As a result, the /var/named/chroot/etc/localtime has now the correct SELinux context after installation of bind-chroot package.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 04:34:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Restore SELinux context on /var/named/chroot/etc/localtime
none
Restore SELinux context on /var/named/chroot/etc/localtime none

Description Karel Srot 2013-01-21 16:37:30 UTC 
Description of problem:

Wrong selinux context is probably not causing any issues but I expect there is a reason for having the file to be locale_t.

# ls -Z /var/named/chroot/etc/localtime
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /var/named/chroot/etc/localtime
# matchpathcon /var/named/chroot/etc/localtime
/var/named/chroot/etc/localtime	system_u:object_r:locale_t:s0


Version-Release number of selected component (if applicable):
bind-chroot-9.8.2-0.17.rc1.el6.x86_64
selinux-policy-3.7.19-194.el6.noarch


How reproducible:
always,
install bind-chroot and check the selinux context
Comment 1 Milos Malik 2013-01-22 11:03:35 UTC 
missing restorecon ?
Comment 2 Miroslav Grepl 2013-01-22 12:47:36 UTC 
[mgrepl@rhel6 ~]$ matchpathcon /var/named/chroot/etc/localtime
/var/named/chroot/etc/localtime	system_u:object_r:locale_t:s0

[mgrepl@rhel6 ~]$ rpm -qf /var/named/chroot/etc/localtime
bind-chroot-9.8.2-0.16.rc1.el6.x86_64


It should work.Or did you create it manually?
Comment 3 Karel Srot 2013-01-22 12:58:36 UTC 
It is created by rpm postinstall script. Sorry for not mentioning it.

# rpm -q --scripts bind-chroot
postinstall scriptlet (using /bin/sh):
if [ "$1" -gt 0 ]; then
  [ -e /var/named/chroot/dev/random ] || \
    /bin/mknod /var/named/chroot/dev/random c 1 8
  [ -e /var/named/chroot/dev/zero ] || \
    /bin/mknod /var/named/chroot/dev/zero c 1 5
  [ -e /var/named/chroot/dev/null ] || \
    /bin/mknod /var/named/chroot/dev/null c 1 3
  rm -f /var/named/chroot/etc/localtime
  cp /etc/localtime /var/named/chroot/etc/localtime
  if ! grep -q '^ROOTDIR=' /etc/sysconfig/named; then
    echo 'ROOTDIR=/var/named/chroot' >> /etc/sysconfig/named
    /sbin/service named try-restart > /dev/null 2>&1 || :;
  fi
fi;
:;
preuninstall scriptlet (using /bin/sh):
if [ "$1" -eq 0 ]; then
  rm -f /var/named/chroot/dev/{random,zero,null}
  rm -f /var/named/chroot/etc/localtime
  if grep -q '^ROOTDIR=' /etc/sysconfig/named; then
    # NOTE: Do NOT call `service named try-restart` because chroot
    # files will remain mounted.
    START=no
    [ -e /var/lock/subsys/named ] && START=yes
    /sbin/service named stop > /dev/null 2>&1 || :;
    sed -i -e '/^ROOTDIR=.*/d' /etc/sysconfig/named
    if [ "x$START" = xyes ]; then
      /sbin/service named start > /dev/null 2>&1 || :;
    fi
  fi
fi
:;
posttrans scriptlet (using /bin/sh):
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
  [ -x /sbin/restorecon ] && /sbin/restorecon /var/named/chroot/dev/* > /dev/null 2>&1;
fi;
:;
Comment 4 Tomáš Hozza 2013-04-08 12:02:38 UTC 
Created attachment 732658 [details]
Restore SELinux context on /var/named/chroot/etc/localtime
Comment 5 Tomáš Hozza 2013-04-08 12:05:24 UTC 
Created attachment 732659 [details]
Restore SELinux context on /var/named/chroot/etc/localtime
Comment 7 RHEL Program Management 2013-10-14 00:04:07 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 15 errata-xmlrpc 2014-10-14 04:34:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1373.html