Bug 1079636 - Enforcing selinux-policy-targeted prevents named-chroot.service from functioning
Summary: Enforcing selinux-policy-targeted prevents named-chroot.service from functioning
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2014-03-22 11:15 UTC by Jari Turkia
Modified: 2014-12-19 18:29 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.12.1-74.30.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-12-19 18:29:37 UTC
Type: Bug

Attachments (Terms of Use)

Description Jari Turkia 2014-03-22 11:15:32 UTC
Description of problem:
Enforcing selinux-policy-targeted has incorrect permissions for chrooted named service preventing it's write access to chrooted tmpfs

Version-Release number of selected component (if applicable):

How reproducible:
Easy. Upgrade to latest packages and named-chroot.service fails to start.

Steps to Reproduce:
1. yum update
2. systemctl status named-chroot.service --full
   Active: failed (Result: timeout)

Actual results:
Non-functional name server

Expected results:
Functional name server

Additional info:
It is possible to fix the issue by overriding the policy file with following two commands:
# semanage fcontext -a -t var_run_t "/var/named/chroot/run(/.*)?"
# restorecon -R -v /var/named/chroot/run/named

Comment 1 Jari Turkia 2014-03-22 17:23:13 UTC
The problem is in /etc/selinux/targeted/contexts/files/file_contexts in the line
/var/named/chroot/var/run/named.*       system_u:object_r:named_var_run_t:s0

In fact the given directory is incorrect, correct one is /var/named/chroot/run/named/ and it has two files in it:
-rw-r--r--. 1 named named   5 Mar 22 12:02 named.pid
-rw-------. 1 named named 102 Mar 22 12:02 session.key

Even if, the directory would be correct, the session.key file would not be matched.

Comment 2 Daniel Walsh 2014-03-24 17:11:26 UTC
commit 22f659ea66563d960048298c8b24536c86859243
 fixes this in git.

Comment 3 Fedora Update System 2014-08-13 12:02:43 UTC
selinux-policy-3.12.1-74.29.fc19 has been submitted as an update for Fedora 19.

Comment 4 Fedora Update System 2014-08-16 00:27:11 UTC
Package selinux-policy-3.12.1-74.29.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.29.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-12-03 12:53:33 UTC
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.

Comment 6 Fedora Update System 2014-12-19 18:29:37 UTC
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.