Bug 602992 - SELinux is preventing /usr/sbin/named "write" access on named.
Summary: SELinux is preventing /usr/sbin/named "write" access on named.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 12
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e0dccd9b769...
Keywords: Reopened
: 602994 602996 602999 603109 609470 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2010-06-11 08:23 UTC by Mijax
Modified: 2010-07-04 22:01 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-06-16 14:47:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Mijax 2010-06-11 08:23:56 UTC

SELinux is preventing /usr/sbin/named "write" access on named.

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.2-4.P2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Hossein.Laptop.F
                              #1 SMP Fri Apr 30 20:14:08 UTC 2010 i686 athlon
Alert Count                   2
First Seen                    Fri 11 Jun 2010 12:18:05 AM IRDT
Last Seen                     Fri 11 Jun 2010 12:18:05 AM IRDT
Local ID                      4ae38806-76a0-4715-8e5d-e519280b5bf4
Line Numbers                  

Raw Audit Messages            

node=Hossein.Laptop.F type=AVC msg=audit(1276199285.452:10): avc:  denied  { write } for  pid=1740 comm="named" name="named" dev=sda5 ino=1572874 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir

node=Hossein.Laptop.F type=SYSCALL msg=audit(1276199285.452:10): arch=40000003 syscall=5 success=no exit=-13 a0=c9e105 a1=c1 a2=1a4 a3=c9e105 items=0 ppid=1737 pid=1740 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Hash String generated from  catchall,named,named_t,default_t,dir,write
audit2allow suggests:

#============= named_t ==============
#!!!! The source type 'named_t' can write to a 'dir' of the following types:
# named_var_run_t, tmp_t, named_cache_t, var_run_t, named_tmp_t, var_log_t, named_log_t, root_t

allow named_t default_t:dir write;

Comment 1 Miroslav Grepl 2010-06-11 12:23:26 UTC
*** Bug 602994 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2010-06-11 12:23:41 UTC
*** Bug 602996 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2010-06-11 12:24:07 UTC
*** Bug 602999 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2010-06-11 12:25:57 UTC
Try to execute

# restorecon -R -v /var/named

Comment 5 Mijax 2010-06-11 14:47:14 UTC
After executing, is shown new alert, see:

Comment 6 Daniel Walsh 2010-06-11 14:50:32 UTC
Did you move named directory to a different location?

Comment 7 Daniel Walsh 2010-06-11 14:53:22 UTC
*** Bug 603109 has been marked as a duplicate of this bug. ***

Comment 8 Mijax 2010-06-11 15:01:57 UTC
No, I did not move any thing but i instead of executing:
# restorecon -R -v /var/named
# restorecon -R -v /chroot/named/var/named/

Because i run BIND DNS in chroot jail and there is not /var/named directroy.

Comment 9 Daniel Walsh 2010-06-11 15:37:56 UTC
Yes that means you changed the default.

You need to do the following commands

# semanage fcontext -a -t var_t '/chroot(/.*)?'
# semanage fcontext -a -e /var/named /chroot/named/var/named
# restorecon -R -v /choot

This will tell SELinux to label everything under /chroot as var_t
and everything under /chroot/named/var/named as if it was under /var/named.

Comment 10 Mijax 2010-06-11 20:31:04 UTC
I executed them but alert 2 new alarms:
SELinux is preventing /usr/sbin/named "read" access on
SELinux is preventing /usr/sbin/named "write" access on

If need, I send Detailed Description and other informations that alerts show.

Comment 11 Miroslav Grepl 2010-06-14 09:05:24 UTC
Actually I think you need

# semanage fcontext -d -e /var/named /chroot/named/var/named
# semanage fcontext -a -e /var/named/chroot /chroot/named
# restorecon -R -v /chroot

Comment 12 Mijax 2010-06-14 21:32:14 UTC
OK. After executing your commands, Miroslav Grepl, named service ran successfully but after rebooting shown a SELinux alert.

For repairing it, i run:

setsebool -P named_write_master_zones=1

And Now all thing is OK.

Thanks all.

Comment 13 Miroslav Grepl 2010-07-04 22:01:57 UTC
*** Bug 609470 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.