Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1572647

Summary: BIND is not able to write into home
Product: Red Hat Enterprise Linux 7 Reporter: Petr Menšík <pemensik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: medium    
Version: 7.6CC: dmoppert, lvrabec, mgrepl, mmalik, pemensik, pkis, plautrba, psklenar, ssekidde, szidek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1574003 1633158 (view as bug list) Environment:
Last Closed: 2019-02-28 10:01:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1315821, 1452091, 1569466, 1574003, 1633158, 1653106    

Description Petr Menšík 2018-04-27 13:55:07 UTC 
Description of problem:
/var/named is not writeable unless named_write_master_zones is set. /var/named should have type named_cache_t instead of named_zone_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-192.el7.noarch

Additional info:

Traditionally our configuration did not allow bind writing into default home /var/named. This is protected also by selinux policy. Special subdirectories for writing are created: /var/named/{data,dynamic,slaves}.

Policy allows named_exec_t binary (named) to write only to named_cache_t. Writing to named_zone_t is possible only when setsetbool named_write_master_zones on is called.

For some reason this is already automatically exploited by bind-dyndb-ldap package, which sets named_write_master_zones on installation and disables on uninstallation. I think this requires /var/named/dyndb-ldap to be named_cache_t instead.

It is common to maintain DNSSEC signatures also in master zones from BIND. Static zones that are never modified by daemon are no longer dominant. I think writeable /var/named should be enabled by default. In that case named_write_master_zones would be obsolete and named_cache_t should be used instead of named_zone_t for whole /var/named, where named_zone_t were used before.

It block simple solution of bug #1315821, bug #1452091 and bug #1569466.

[1] https://bugs.isc.org/Public/Bug/Display.html?id=46242
Comment 2 Petr Menšík 2018-04-27 14:09:38 UTC 
I think it would be sufficient to leave protection of non-writeable zones to unix rights. Because dac_override is not granted, it should be secure enough. Product security agreed with that.
Comment 3 Petr Menšík 2018-05-21 14:13:09 UTC 
Could be default of sebool named_write_master_zones changed to on still in rhel-7.6? I have blocked three bugs on this change.
Comment 5 Lukas Vrabec 2018-07-18 11:17:46 UTC 
*** Bug 1599705 has been marked as a duplicate of this bug. ***
Comment 6 Lukas Vrabec 2018-08-20 18:27:25 UTC 
*** Bug 1615453 has been marked as a duplicate of this bug. ***
Comment 7 Petr Menšík 2018-09-26 10:11:08 UTC 
We have discussed this issue after discovery of some flaws of post install boolean setting. We agreed it would stay using boolean in RHEL7, because it is difficult to get back to default value once it was ever changed. It is not possible to detect whether it was changed by the rpm or a system administrator. Until that changes it is not possible to rely on default settings on upgrades.

Default would be changed on RHEL8.