Bug 965970
Summary: | Chowning /var/named with -R causes AVC denials upon named start and stop | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Jan Pazdziora <jpazdziora>
Component: | Documentation | Assignee: | Alex Dellapenta <adellape>
Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 1.2.0 | CC: | adellape, bleanhar, jdetiber, jokerman, jpazdziora, libra-onpremise-devel, mmccomas
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-06-11 20:47:08 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Jan Pazdziora
2013-05-22 08:02:56 UTC
Comment 1 (Tomas Hozza)

The problem seems to be that you are changing the owner of /var/named recursively. The owner of /var/named and some files in it should be "root".

    # rpm -V bind
    S.5....T. c /etc/named.conf
    .....U... /var/named
    .....U... c /var/named/named.ca
    .....U... c /var/named/named.empty
    .....U... c /var/named/named.localhost
    .....U... c /var/named/named.loopback

So you should change only the group, using 'chgrp', or set owner:group only on the files you created. If you don't mind, I would like to close this bug as NOTABUG.

(In reply to Tomas Hozza from comment #1)
> The problem seems to be that you are changing the owner of /var/named
> recursively. Owner of /var/named and some files in it should be "root".
>
> # rpm -V bind
> S.5....T. c /etc/named.conf
> .....U... /var/named
> .....U... c /var/named/named.ca
> .....U... c /var/named/named.empty
> .....U... c /var/named/named.localhost
> .....U... c /var/named/named.loopback
>
> So you should change only group using 'chgrp' or set owner:group only to
> the file you created.

Thank you very much for the investigation, Tomáš.

> If you don't mind I would like to close this Bug as NOTABUG.

Actually, what I will do is move the bug to the OpenShift Enterprise product. It looks like https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh shouldn't chown named:named -R /var/named, the whole directory. Could the script be amended?

Comment 5 (Jason DeTiberus)

Fix has been merged for openshift-extras (install scripts).

https://github.com/openshift/puppet-openshift_origin/pull/64 submitted for the puppet module.

Comment 6 (Jan Pazdziora)

(In reply to Jason DeTiberus from comment #5)
> Fix has been merged for openshift-extras (install scripts)

I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed the AVC issue. Thanks!

Should I mark the bugzilla VERIFIED?

(In reply to Jan Pazdziora from comment #6)
> (In reply to Jason DeTiberus from comment #5)
> > Fix has been merged for openshift-extras (install scripts)
>
> I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed
> the AVC issue. Thanks!
>
> Should I mark the bugzilla VERIFIED?

I would wait until after the puppet changes are merged, since it fixes the same behavior.

Can you check if this is referenced in our product documentation? If so, we'll need to update it.

Comment 10 (Brenton Leanhardt)

https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html/Deployment_Guide/sect-OpenShift_Enterprise-Deployment_Guide-Configuring_BIND_and_DNS-Configuring_Sub_domain_Hostname_Resolution.html

Procedure 5.4 Step 2 needs to be updated as follows:

> chown -Rv named:named /var/named

should be changed to:

> chgrp named -R /var/named
> chown named -R /var/named/dynamic

Alex, can you track this for the 1.2 documentation release?

(In reply to Brenton Leanhardt from comment #10)
> Alex, can you track this for the 1.2 documentation release?

Will do.
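The following is an added example written for this page; it is not code from the bug, from openshift.sh, or from the puppet module. It does two things the thread does by hand: it parses `rpm -V` output like the listing in comment 1 so the U (user) and G (group) columns can be checked mechanically, and it checks a /var/named tree against the ownership rule the fix encodes (group `named` everywhere under /var/named, owner `root` everywhere except under /var/named/dynamic). The `named` uid/gid of 25, the sample paths, and `dynamic` being the only named-owned subtree are assumptions of the example; if the bind package on your host ships other named-owned directories, pass them in `named_owned`.

```python
"""Check /var/named ownership and read `rpm -V` output (added example, not project code)."""
import os
from typing import Dict, Iterable, List, Tuple

# rpm -V status letters: S size, M mode, 5 digest, D device, L link target,
# U user, G group, T mtime, P capabilities.  A dot means "as packaged".
RPM_V_FLAGS = set("SM5DLUGTP")
RPM_V_ATTRS = set("cdglr")  # file attribute column: config, doc, ghost, license, readme


def parse_rpm_verify(output: str) -> List[Dict[str, object]]:
    """Turn `rpm -V <pkg>` lines into dicts: path, attr, flags (set), missing (bool)."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank line or a pasted shell prompt
            continue
        status, rest = line.split(None, 1)
        attr = ""
        tokens = rest.split(None, 1)
        if len(tokens) == 2 and len(tokens[0]) == 1 and tokens[0] in RPM_V_ATTRS:
            attr, rest = tokens[0], tokens[1]
        missing = status == "missing"
        flags = set() if missing else {c for c in status if c in RPM_V_FLAGS}
        rows.append({"path": rest.strip(), "attr": attr, "flags": flags, "missing": missing})
    return rows


def owner_mismatches(output: str) -> List[str]:
    """Paths whose owner (U) or group (G) no longer matches the package manifest."""
    return [r["path"] for r in parse_rpm_verify(output) if r["flags"] & {"U", "G"}]


def ownership_violations(entries: Iterable[Tuple[str, int, int]], named_uid: int,
                         named_gid: int, root: str = "/var/named",
                         named_owned: Tuple[str, ...] = ("dynamic",)) -> List[Tuple[str, str]]:
    """Rule from the fix: group named everywhere under root; owner root except in
    the named_owned subtrees.  entries are (path, uid, gid) tuples."""
    named_roots = tuple(os.path.join(root, d) for d in named_owned)
    problems = []
    for path, uid, gid in entries:
        if gid != named_gid:
            problems.append((path, "group is not named"))
        in_named_subtree = any(path == r or path.startswith(r + os.sep) for r in named_roots)
        if in_named_subtree and uid != named_uid:
            problems.append((path, "owner should be named"))
        elif not in_named_subtree and uid != 0:
            problems.append((path, "owner should be root"))
    return problems


def collect_entries(root: str = "/var/named") -> List[Tuple[str, int, int]]:
    """Walk a real tree (needs read access) into (path, uid, gid) entries for the checker.
    Symlinks are not followed; each directory is reported once, as its own dirpath."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            entries.append((p, st.st_uid, st.st_gid))
    return entries


# Constructed sample data: the `rpm -V bind` listing from comment 1 (prompt line dropped).
RPM_V_SAMPLE = """\
S.5....T. c /etc/named.conf
.....U... /var/named
.....U... c /var/named/named.ca
.....U... c /var/named/named.empty
.....U... c /var/named/named.localhost
.....U... c /var/named/named.loopback
"""

NAMED_UID = NAMED_GID = 25  # assumption: uid/gid of the named user on the example host
PATHS = ["/var/named", "/var/named/named.ca", "/var/named/named.empty",
         "/var/named/named.localhost", "/var/named/named.loopback",
         "/var/named/dynamic", "/var/named/dynamic/example.com.db"]  # constructed tree


def after_recursive_chown() -> List[Tuple[str, int, int]]:
    """Tree state produced by the installer's `chown -R named:named /var/named`."""
    return [(p, NAMED_UID, NAMED_GID) for p in PATHS]


def after_fix() -> List[Tuple[str, int, int]]:
    """Tree state after `chgrp -R named /var/named; chown -R named /var/named/dynamic`."""
    return [(p, NAMED_UID if p.startswith("/var/named/dynamic") else 0, NAMED_GID) for p in PATHS]


if __name__ == "__main__":
    print("rpm -V owner/group mismatches:", owner_mismatches(RPM_V_SAMPLE))
    print("after chown -R:", ownership_violations(after_recursive_chown(), NAMED_UID, NAMED_GID))
    print("after fix:", ownership_violations(after_fix(), NAMED_UID, NAMED_GID))
```

On a real host, run `ownership_violations(collect_entries(), named_uid, named_gid)` with the uid/gid from `id named`; an empty list means the tree matches what the corrected Procedure 5.4 step produces, and `rpm -V bind` should then show no U or G flags on the package-owned files.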