Bug 1308897 - Wrong SELinux context of /dev/{random,null,zero} in bind chroot directory /var/named/chroot
Summary: Wrong SELinux context of /dev/{random,null,zero} in bind chroot directory /va...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind
Version: 6.8
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Tomáš Hozza
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-16 11:58 UTC by Petr Sklenar
Modified: 2016-08-16 11:00 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-16 11:00:59 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Petr Sklenar 2016-02-16 11:58:13 UTC 
Description of problem:
there is avc on /var/named/chroot/dev/random

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-287.el6.noarch
bind-9.8.2-0.46.rc1.el6.x86_64

latest rhel68
How reproducible:
I could see such an avc on one machine

Steps to Reproduce:
0. no idea
1. I installed bind and do some testing but I am not sure what was the cause
but I could see this avc on some machine

logs:

[0 root@qeos-17 tmp]# cat /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1455617346.768:268): avc:  denied  { getattr } for  pid=2363 comm="named-sdb" path="/dev/random" dev=vda1 ino=264344 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file

[0 root@qeos-17 tmp]# find / -mount -inum 264344
/var/named/chroot/dev/random
find: File system loop detected; `/var/named/chroot/var/named' is part of the same file system loop as `/var/named'.

[0 root@qeos-17 tmp]# ls -laZ /var/named/chroot/dev/random
crw-r--r--. root root unconfined_u:object_r:random_device_t:s0 /var/named/chroot/dev/ran

Actual results:
type=AVC msg=audit(1455617346.768:268): avc:  denied  { getattr } for  pid=2363 comm="named-sdb" path="/dev/random" dev=vda1 ino=264344 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_f

Expected results:
no avc

Additional info:
Comment 2 Milos Malik 2016-02-16 12:12:57 UTC 
At least one of the random devices is mislabeled:

# restorecon -v /dev/random /var/named/chroot/dev/random
Comment 3 Miroslav Grepl 2016-02-18 11:10:40 UTC 
How is it labeled now? BIND should fix labeling.
Comment 4 Tomáš Hozza 2016-02-22 13:27:23 UTC 
[0 root@qeos-37 dev]# ls -lZ
crw-r--r--. root root unconfined_u:object_r:null_device_t:s0 null
crw-r--r--. root root unconfined_u:object_r:random_device_t:s0 random
crw-r--r--. root root unconfined_u:object_r:zero_device_t:s0 zero
[0 root@qeos-37 dev]# restorecon -v /dev/random /var/named/chroot/dev/random
[0 root@qeos-37 dev]# ls -lZ /dev/random 
crw-rw-rw-. root root system_u:object_r:random_device_t:s0 /dev/random
Comment 5 Tomáš Hozza 2016-02-23 11:32:56 UTC 
I checked bind package and it restores the context on all the /dev/* files inside the /var/named/chroot/.

%posttrans chroot
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1 \
  && /sbin/restorecon %{chroot_prefix}/etc/localtime > /dev/null 2>&1;
fi;

It seems that restorecon is not able to reset the context without using -F (force). Miroslav, do you know what may be the issue?

I checked and the same issue is also in Fedora and RHEL-7.

This is the output from RHEL-7:
[0 root@qeos-38 test]# ls -lZ /var/named/chroot/dev/{zero,null,random}
crw-r--r--. root root unconfined_u:object_r:null_device_t:s0 /var/named/chroot/dev/null
crw-r--r--. root root unconfined_u:object_r:random_device_t:s0 /var/named/chroot/dev/random
crw-r--r--. root root unconfined_u:object_r:zero_device_t:s0 /var/named/chroot/dev/zero
[0 root@qeos-38 test]# matchpathcon /var/named/chroot/dev/{zero,null,random}
/var/named/chroot/dev/zero	system_u:object_r:zero_device_t:s0
/var/named/chroot/dev/null	system_u:object_r:null_device_t:s0
/var/named/chroot/dev/random	system_u:object_r:random_device_t:s0
[0 root@qeos-38 test]# restorecon -v /var/named/chroot/dev/{zero,null,random}
[0 root@qeos-38 test]# restorecon -vF /var/named/chroot/dev/{zero,null,random}
restorecon reset /var/named/chroot/dev/zero context unconfined_u:object_r:zero_device_t:s0->system_u:object_r:zero_device_t:s0
restorecon reset /var/named/chroot/dev/null context unconfined_u:object_r:null_device_t:s0->system_u:object_r:null_device_t:s0
restorecon reset /var/named/chroot/dev/random context unconfined_u:object_r:random_device_t:s0->system_u:object_r:random_device_t:s0
[0 root@qeos-38 test]# ls -lZ /var/named/chroot/dev/{zero,null,random}
crw-r--r--. root root system_u:object_r:null_device_t:s0 /var/named/chroot/dev/null
crw-r--r--. root root system_u:object_r:random_device_t:s0 /var/named/chroot/dev/random
crw-r--r--. root root system_u:object_r:zero_device_t:s0 /var/named/chroot/dev/zero
Comment 6 Miroslav Grepl 2016-02-23 12:23:51 UTC 
Well it looks there is a correct labeling.

crw-r--r--. root root unconfined_u:object_r:null_device_t:s0 /var/named/chroot/dev/null
crw-r--r--. root root unconfined_u:object_r:random_device_t:s0 /var/named/chroot



We care about null_device_t and random_device_t here. 

Petr,
have you had disabled SELinux?
Comment 10 Petr Sklenar 2016-08-16 11:00:59 UTC 
it seems it was some wrong usage during testing, now I can see no such an issue + automation does not report any avc denial
Note You need to log in before you can comment on or make changes to this bug.