Description of problem: Enforcing selinux-policy-targeted has incorrect permissions for chrooted named service preventing it's write access to chrooted tmpfs Version-Release number of selected component (if applicable): selinux-policy-targeted-3.12.1-74.19.fc19.noarch bind-9.9.3-15.P2.fc19.x86_64 bind-chroot-9.9.3-15.P2.fc19.x86_64 How reproducible: Easy. Upgrade to latest packages and named-chroot.service fails to start. Steps to Reproduce: 1. yum update 2. systemctl status named-chroot.service --full Active: failed (Result: timeout) Actual results: Non-functional name server Expected results: Functional name server Additional info: It is possible to fix the issue by overriding the policy file with following two commands: # semanage fcontext -a -t var_run_t "/var/named/chroot/run(/.*)?" # restorecon -R -v /var/named/chroot/run/named
The problem is in /etc/selinux/targeted/contexts/files/file_contexts in the line /var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0 In fact the given directory is incorrect, correct one is /var/named/chroot/run/named/ and it has two files in it: -rw-r--r--. 1 named named 5 Mar 22 12:02 named.pid -rw-------. 1 named named 102 Mar 22 12:02 session.key Even if, the directory would be correct, the session.key file would not be matched.
commit 22f659ea66563d960048298c8b24536c86859243 fixes this in git.
selinux-policy-3.12.1-74.29.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.29.fc19
Package selinux-policy-3.12.1-74.29.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.29.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9432/selinux-policy-3.12.1-74.29.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.