Bug 1066333 - /usr/sbin/named needs write access to the directory /var/named/dyndb-ldap
Summary: /usr/sbin/named needs write access to the directory /var/named/dyndb-ldap
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-18 09:18 UTC by Petr Spacek
Modified: 2014-02-20 14:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-20 14:44:55 UTC
Type: Bug
Embargoed:



Description Petr Spacek 2014-02-18 09:18:45 UTC
Description of problem:
BIND with bind-dyndb-ldap plugin needs write access to /var/named/dyndb-ldap directory.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-119.fc20.noarch

How reproducible:
100 %

Steps to Reproduce:
1. Install bind with bind-dyndb-ldap built from https://github.com/spacekpe/bind-dyndb-ldap.git
2. Run named

Actual results:
SELinux is preventing /usr/sbin/named from write access on the directory dyndb-ldap.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow named to write master zones
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.
You can read 'None' man page for more details.
Do
setsebool -P named_write_master_zones 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that named should be allowed write access on the dyndb-ldap directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Expected results:
Write access is allowed.

Additional info:
It could be a new boolean, but in that case we need a means to enable such a boolean during bind-dyndb-ldap package installation. I don't know if enabling the named_write_master_zones boolean is okay; it is more generic. We need access only to a sub-dir, but I don't insist on a new boolean.

Please guide me.

Thank you!

Comment 1 Miroslav Grepl 2014-02-18 11:03:34 UTC
Could you attach AVC info?

Comment 2 Tomáš Hozza 2014-02-18 12:35:51 UTC
# grep named /var/log/audit/audit.log
type=AVC msg=audit(1392726885.485:256): avc:  denied  { write } for  pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1392726885.485:256): arch=c000003e syscall=83 success=no exit=-13 a0=7fbbea048f50 a1=1c0 a2=fe0 a3=fe items=0 ppid=6939 pid=6943 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 ses=4294967295 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=SERVICE_START msg=audit(1392726885.491:257): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="named" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

If you need any other information just tell me what to do.

Thanks!

Comment 3 Petr Spacek 2014-02-19 14:38:57 UTC
Miroslav, do you need something else? We would like to see the new policy as soon as possible because this blocks us from releasing the new bind-dyndb-ldap package to Fedora. Thank you!

Comment 4 Miroslav Grepl 2014-02-20 14:21:15 UTC
Either

# chcon -R -t named_cache_t /var/named/dyndb-ldap

or you can activate the boolean in the scriptlet.
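The audit records quoted in comment 2 and the two remedies given in comment 4, as an added worked example that is not part of this bug report: a small Python parser that splits audit records into fields, correlates the AVC denial with its SYSCALL record by audit serial, and maps this particular denial shape (named_t writing to a named_zone_t directory) to the fixes proposed above. The `/var/named` parent directory is assumed from the report, since the AVC record itself carries only the basename.

```python
import re

# Constructed sample: the three audit records quoted in comment 2 of this bug.
AUDIT_LOG = """\
type=AVC msg=audit(1392726885.485:256): avc:  denied  { write } for  pid=6943 comm="named" name="dyndb-ldap" dev="dm-1" ino=32655 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1392726885.485:256): arch=c000003e syscall=83 success=no exit=-13 a0=7fbbea048f50 a1=1c0 a2=fe0 a3=fe items=0 ppid=6939 pid=6943 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 ses=4294967295 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=SERVICE_START msg=audit(1392726885.491:257): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="named" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="value"
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """Split one audit record into a dict; SELinux contexts also get their type field."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    rec = {'serial': int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        rec.setdefault(key, val.strip('"'))      # keep the first value of a repeated key
    p = PERMS_RE.search(line)
    if p:
        rec['decision'], rec['perms'] = p.group(1), p.group(2).split()
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]   # user:role:type:level
    return rec

def denials(log_text):
    """Return AVC denials, each joined with the SYSCALL record sharing its serial."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial.setdefault(rec['serial'], {})[rec['type']] = rec
    out = []
    for group in by_serial.values():
        avc = group.get('AVC')
        if avc and avc.get('decision') == 'denied':
            sc = group.get('SYSCALL', {})
            # On x86_64 (arch=c000003e) syscall 83 is mkdir; exit=-13 is EACCES.
            avc['syscall'], avc['exit'] = sc.get('syscall'), sc.get('exit')
            out.append(avc)
    return out

def remedies(avc):
    """The two fixes from comment 4, only for this exact denial shape; otherwise nothing."""
    shape = (avc.get('scontext_type'), avc.get('tcontext_type'), avc.get('tclass'))
    if shape != ('named_t', 'named_zone_t', 'dir') or 'write' not in avc['perms']:
        return []
    # Parent directory assumed from the bug report; the AVC record has only name=.
    return ['setsebool -P named_write_master_zones 1',
            'chcon -R -t named_cache_t /var/named/' + avc['name']]
```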

Comment 5 Petr Spacek 2014-02-20 14:44:55 UTC
Okay, I will activate named_write_master_zones. Thank you for your help!

