Bug 1079636 - Enforcing selinux-policy-targeted prevents named-chroot.service from functioning
Summary: Enforcing selinux-policy-targeted prevents named-chroot.service from functioning
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-22 11:15 UTC by Jari Turkia
Modified: 2014-12-19 18:29 UTC (History)

Fixed In Version: selinux-policy-3.12.1-74.30.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-19 18:29:37 UTC
Type: Bug
Embargoed:



Description Jari Turkia 2014-03-22 11:15:32 UTC
Description of problem:
Enforcing selinux-policy-targeted has incorrect permissions for chrooted named service preventing its write access to chrooted tmpfs


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-74.19.fc19.noarch
bind-9.9.3-15.P2.fc19.x86_64
bind-chroot-9.9.3-15.P2.fc19.x86_64


How reproducible:
Easy. Upgrade to latest packages and named-chroot.service fails to start.


Steps to Reproduce:
1. yum update
2. systemctl status named-chroot.service --full
   Active: failed (Result: timeout)

Actual results:
Non-functional name server

Expected results:
Functional name server

Additional info:
It is possible to fix the issue by overriding the policy file with following two commands:
# semanage fcontext -a -t var_run_t "/var/named/chroot/run(/.*)?"
# restorecon -R -v /var/named/chroot/run/named

Comment 1 Jari Turkia 2014-03-22 17:23:13 UTC
The problem is in /etc/selinux/targeted/contexts/files/file_contexts in the line
/var/named/chroot/var/run/named.*       system_u:object_r:named_var_run_t:s0

In fact the given directory is incorrect, correct one is /var/named/chroot/run/named/ and it has two files in it:
-rw-r--r--. 1 named named   5 Mar 22 12:02 named.pid
-rw-------. 1 named named 102 Mar 22 12:02 session.key

Even if the directory were correct, the session.key file would not be matched.
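
A small checker, added here as an example (it is not part of the bug report or of the selinux-policy package), that applies the base-policy spec quoted above and the reporter's `semanage fcontext` workaround spec to the two files listed in this comment. It uses a deliberately simplified model of how libselinux matches file_contexts entries: each regex is anchored against the whole path and the last matching entry wins, with local customizations consulted after the base file; the file-type column and the prefix-stem optimisation are ignored.

```python
import re

# Constructed sample data taken from this bug report.
# Base policy entry from /etc/selinux/targeted/contexts/files/file_contexts:
BASE_SPECS = [
    ("/var/named/chroot/var/run/named.*", "named_var_run_t"),
]
# Entry the reporter added with `semanage fcontext -a -t var_run_t ...`
# (lands in file_contexts.local, which is consulted after the base file):
LOCAL_SPECS = [
    ("/var/named/chroot/run(/.*)?", "var_run_t"),
]

# The two files actually present in /var/named/chroot/run/named/:
REAL_FILES = [
    "/var/named/chroot/run/named/named.pid",
    "/var/named/chroot/run/named/session.key",
]


def label_for(path, specs):
    """Return the SELinux type of the last spec whose regex matches the
    whole path, or None when no spec matches (simplified libselinux model:
    regexes are implicitly anchored at both ends, later entries win)."""
    label = None
    for regex, ctx_type in specs:
        if re.fullmatch(regex, path):
            label = ctx_type
    return label


def unmatched(paths, specs):
    """Paths for which no file_contexts entry applies at all."""
    return [p for p in paths if label_for(p, specs) is None]


if __name__ == "__main__":
    # Base policy alone: the 'var/run' spec never matches the real 'run' tree.
    for p in REAL_FILES:
        print(p, "->", label_for(p, BASE_SPECS),
              "| with workaround:", label_for(p, BASE_SPECS + LOCAL_SPECS))
```

A path with no matching entry is skipped by restorecon and keeps whatever label it inherited at creation, which is why the reporter's `restorecon -R` only helps once the `semanage fcontext` spec exists.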

Comment 2 Daniel Walsh 2014-03-24 17:11:26 UTC
commit 22f659ea66563d960048298c8b24536c86859243 fixes this in git.

Comment 3 Fedora Update System 2014-08-13 12:02:43 UTC
selinux-policy-3.12.1-74.29.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.29.fc19

Comment 4 Fedora Update System 2014-08-16 00:27:11 UTC
Package selinux-policy-3.12.1-74.29.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.29.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9432/selinux-policy-3.12.1-74.29.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-12-03 12:53:33 UTC
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19

Comment 6 Fedora Update System 2014-12-19 18:29:37 UTC
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

