1353227 – openstack-designate AVCs when named/bind tries to read configuration out of /var/lib/designate

RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1353227 - openstack-designate AVCs when named/bind tries to read configuration out of /var/lib/designate

Summary: openstack-designate AVCs when named/bind tries to read configuration out of /...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	RDO
Classification:	Community
Component:	openstack-selinux
Sub Component:
Version:	trunk
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	trunk
Assignee:	Ryan Hallisey
QA Contact:	Ofer Blaut
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-06 15:00 UTC by David Moreau Simard
Modified:	2017-04-19 20:36 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-19 20:36:25 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
avc.txt (759 bytes, text/plain) 2016-07-06 15:00 UTC, David Moreau Simard	no flags	Details
reproducer.sh (1.37 KB, text/plain) 2016-07-06 15:01 UTC, David Moreau Simard	no flags	Details
View All

Description David Moreau Simard 2016-07-06 15:00:46 UTC

Created attachment 1176928 [details]
avc.txt

With selinux enabled, and designate with the bind9 backend installed through puppet-designate, the following AVCs are fired when named is reloaded with configuration that includes files from /var/lib/designate.
In /etc/named.conf, we add the line:
include /var/lib/designate/bind9/zones.config;

AVCs and reproducer script in attachment (assumes to be running on an ephemeral centos7-minimal installation, it will install on localhost).

[root@n48 ~]# ls -alZ /var/lib/designate/
drwxr-xr-x. designate designate system_u:object_r:var_lib_t:s0   .
drwxr-xr-x. root      root      system_u:object_r:var_lib_t:s0   ..
drwxrwx---. named     named     system_u:object_r:var_lib_t:s0   bind9
[root@n48 ~]# restorecon -Rv /var/lib/designate/
[root@n48 ~]# ls -alZ /var/lib/designate/
drwxr-xr-x. designate designate system_u:object_r:var_lib_t:s0   .
drwxr-xr-x. root      root      system_u:object_r:var_lib_t:s0   ..
drwxrwx---. named     named     system_u:object_r:var_lib_t:s0   bind9

Comment 1 David Moreau Simard 2016-07-06 15:01:23 UTC

Created attachment 1176929 [details]
reproducer.sh

Comment 2 Lon Hohberger 2017-02-17 15:32:04 UTC

Looks like these should be named_zone_t.

+	fcontext -N -a -t named_zone_t \"$SHAREDSTATEDIR/designate/bind9(/.*)?\"

Comment 3 Lon Hohberger 2017-02-17 15:33:31 UTC

https://github.com/redhat-openstack/openstack-selinux/commit/8bd08846f8777ba6b80561f010b5e80da04d5473

Note You need to log in before you can comment on or make changes to this bug.