Bug 602992 - SELinux is preventing /usr/sbin/named "write" access on named.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e0dccd9b769...
Keywords: Reopened
Duplicates: 602994 602996 602999 603109 609470
Depends On:
Blocks:
Reported: 2010-06-11 04:23 EDT by Mijax
Modified: 2010-07-04 18:01 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-16 10:47:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Mijax 2010-06-11 04:23:56 EDT
Summary:

SELinux is preventing /usr/sbin/named "write" access on named.

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.2-4.P2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Hossein.Laptop.F 2.6.32.12-115.fc12.i686.PAE
                              #1 SMP Fri Apr 30 20:14:08 UTC 2010 i686 athlon
Alert Count                   2
First Seen                    Fri 11 Jun 2010 12:18:05 AM IRDT
Last Seen                     Fri 11 Jun 2010 12:18:05 AM IRDT
Local ID                      4ae38806-76a0-4715-8e5d-e519280b5bf4
Line Numbers                  

Raw Audit Messages            

node=Hossein.Laptop.F type=AVC msg=audit(1276199285.452:10): avc:  denied  { write } for  pid=1740 comm="named" name="named" dev=sda5 ino=1572874 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

node=Hossein.Laptop.F type=SYSCALL msg=audit(1276199285.452:10): arch=40000003 syscall=5 success=no exit=-13 a0=c9e105 a1=c1 a2=1a4 a3=c9e105 items=0 ppid=1737 pid=1740 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)



Hash String generated from  catchall,named,named_t,default_t,dir,write
audit2allow suggests:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# named_var_run_t, tmp_t, named_cache_t, var_run_t, named_tmp_t, var_log_t, named_log_t, root_t

allow named_t default_t:dir write;
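The raw AVC record above already tells a defender which of the two explanations in the setroubleshoot text applies: the target type is `default_t`, the generic type a directory gets when it sits under a path the policy has no rule for, so this is a labeling problem and not a reason to add the `allow` rule audit2allow proposes. The following parser and classifier are an added example, not part of the original report; the sample line is the AVC record from this bug, and `MISLABEL_TYPES` is an assumed heuristic list.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the AVC record from the report above (node prefix included).
AVC_LINE = ('node=Hossein.Laptop.F type=AVC msg=audit(1276199285.452:10): avc:  denied  { write } for  '
            'pid=1740 comm="named" name="named" dev=sda5 ino=1572874 '
            'scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir')

# Assumed heuristic: generic object types that a confined daemon should never be touching.
# default_t is what the relocated /chroot tree received here; unlabeled_t is the other common sign.
MISLABEL_TYPES = {"default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    # key=value pairs; quoted values (comm="named") have their quotes stripped
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # user:role:type:level -> keep the type, which is what policy rules are written against
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def classify(rec):
    """'mislabel' when a denial targets a generic type (fix: restorecon / semanage fcontext),
    'policy' when the target type is a real one (fix: boolean or policy change), else 'allowed'."""
    if rec["result"] != "denied":
        return "allowed"
    if rec["tcontext_type"] in MISLABEL_TYPES:
        return "mislabel"
    return "policy"
```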
Comment 1 Miroslav Grepl 2010-06-11 08:23:26 EDT
*** Bug 602994 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2010-06-11 08:23:41 EDT
*** Bug 602996 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-06-11 08:24:07 EDT
*** Bug 602999 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2010-06-11 08:25:57 EDT
Try to execute

# restorecon -R -v /var/named
Comment 5 Mijax 2010-06-11 10:47:14 EDT
After executing it, a new alert is shown, see:
https://bugzilla.redhat.com/show_bug.cgi?id=603109
Comment 6 Daniel Walsh 2010-06-11 10:50:32 EDT
Did you move named directory to a different location?
Comment 7 Daniel Walsh 2010-06-11 10:53:22 EDT
*** Bug 603109 has been marked as a duplicate of this bug. ***
Comment 8 Mijax 2010-06-11 11:01:57 EDT
No, I did not move anything, but instead of executing:
# restorecon -R -v /var/named
I executed:
# restorecon -R -v /chroot/named/var/named/

Because I run BIND DNS in a chroot jail and there is no /var/named directory.
Comment 9 Daniel Walsh 2010-06-11 11:37:56 EDT
Yes, that means you changed the default.

You need to run the following commands:

# semanage fcontext -a -t var_t '/chroot(/.*)?'
# semanage fcontext -a -e /var/named /chroot/named/var/named
# restorecon -R -v /chroot

This will tell SELinux to label everything under /chroot as var_t
and everything under /chroot/named/var/named as if it were under /var/named.
Comment 10 Mijax 2010-06-11 16:31:04 EDT
I executed them, but 2 new alerts appeared:
SELinux is preventing /usr/sbin/named "read" access on
/chroot/named/etc/rndc.key.
&
SELinux is preventing /usr/sbin/named "write" access on
/chroot/named/var/run/named.

If needed, I can send the Detailed Description and other information that the alerts show.
Comment 11 Miroslav Grepl 2010-06-14 05:05:24 EDT
Actually I think you need

# semanage fcontext -d -e /var/named /chroot/named/var/named
# semanage fcontext -a -e /var/named/chroot /chroot/named
# restorecon -R -v /chroot
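Why the equivalence in comment 9 produced the two new alerts in comment 10 while the one in comment 11 did not is easier to see by modeling the labeling step. The code below is an added example, not the thread's own commands or libselinux's implementation: `FILE_CONTEXTS` is a constructed, simplified subset of the BIND file-context rules (plus the `/chroot` rule from comment 9), and the "longest literal stem wins" matching is a simplification of how libselinux picks the most specific entry.

```python
import posixpath
import re

# Constructed, simplified subset of file-context rules (regex -> type). The real policy has
# many more entries and libselinux's ordering rules are more involved than the stem rule below.
FILE_CONTEXTS = [
    (r"/var/named(/.*)?", "named_zone_t"),
    (r"/var/named/chroot(/.*)?", "named_conf_t"),
    (r"/var/named/chroot/var/named(/.*)?", "named_zone_t"),
    (r"/var/named/chroot/var/run/named(/.*)?", "named_var_run_t"),
    (r"/chroot(/.*)?", "var_t"),      # added by comment 9's first semanage command
    (r"/var(/.*)?", "var_t"),
    (r"/.*", "default_t"),
]

# Equivalence rules as (target, source): a file under target is labeled as if under source,
# which is what `semanage fcontext -a -e SOURCE TARGET` records.
RULE_COMMENT_9 = [("/chroot/named/var/named", "/var/named")]
RULE_COMMENT_11 = [("/chroot/named", "/var/named/chroot")]

def equivalent_path(path, subs):
    """Apply the longest matching equivalence rule; prefixes match on component boundaries only,
    so a /chroot/named rule does not rewrite /chroot/named2/..."""
    path = posixpath.normpath(path)
    best = None
    for target, source in subs:
        if path == target or path.startswith(target + "/"):
            if best is None or len(target) > len(best[0]):
                best = (target, source)
    return path if best is None else best[1] + path[len(best[0]):]

def label_for(path, subs, contexts=FILE_CONTEXTS):
    """Rewrite via equivalences, then take the most specific matching regex
    (simplified here to: the longest literal stem before the first metacharacter)."""
    path = equivalent_path(path, subs)
    best_stem, best_type = -1, None
    for pattern, ftype in contexts:
        if re.fullmatch(pattern, path):
            stem = len(re.split(r"[\[(.*?+^$|\\]", pattern, 1)[0])
            if stem > best_stem:
                best_stem, best_type = stem, ftype
    return best_type
```

With comment 9's rule, rndc.key and var/run/named fall outside the substituted subtree and end up as var_t, which named_t cannot read or write; comment 11's rule maps the whole jail onto /var/named/chroot, so every file inherits the type the policy already defines for the stock chroot layout.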
Comment 12 Mijax 2010-06-14 17:32:14 EDT
OK. After executing your commands, Miroslav Grepl, the named service ran successfully, but after rebooting a SELinux alert was shown.

To repair it, I ran:

setsebool -P named_write_master_zones=1

And now everything is OK.

Thanks all.
Comment 13 Miroslav Grepl 2010-07-04 18:01:57 EDT
*** Bug 609470 has been marked as a duplicate of this bug. ***
