Bug 609470 - SELinux is preventing /usr/sbin/named "read" access on db.cache.
Summary: SELinux is preventing /usr/sbin/named "read" access on db.cache.
Status: CLOSED DUPLICATE of bug 602992
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 12
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:03d4dfaa016...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-06-30 11:37 UTC by Mijax
Modified: 2010-07-11 07:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-04 22:01:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Mijax 2010-06-30 11:37:18 UTC

SELinux is preventing /usr/sbin/named "read" access on db.cache.

Detailed Description:

SELinux denied access requested by named. It is not expected that this access is
required by named and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                db.cache [ file ]
Source                        named
Source Path                   /usr/sbin/named
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bind-9.6.2-5.P2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-118.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Fri May 28
                              04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 30 Jun 2010 04:05:06 PM IRDT
Last Seen                     Wed 30 Jun 2010 04:05:06 PM IRDT
Local ID                      8474d2d8-afec-42b8-b680-7bdd86c0f5bd
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277897706.682:6): avc:  denied  { read } for  pid=1378 comm="named" name="db.cache" dev=sda1 ino=263889 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1277897706.682:6): arch=c000003e syscall=2 success=no exit=-13 a0=7f1b9846b1c0 a1=0 a2=1b6 a3=0 items=0 ppid=1376 pid=1378 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-118.fc12,catchall,named,named_t,var_t,file,read
audit2allow suggests:

#============= named_t ==============
allow named_t var_t:file read;

Comment 1 Miroslav Grepl 2010-06-30 18:50:20 UTC
did you try to execute

# restorecon -R -v /var/named
# restorecon -R -v /chroot/named/var/named/

Looks like #602992 bug.

Comment 2 Mijax 2010-07-01 05:08:17 UTC
Yes, I tried to repair it like #602992 bug, but wasn't.
When i execute commands contain "fcontext -e" such as:

# semanage fcontext -a -e /var/named /chroot/named/var/named


# semanage fcontext -d -e /var/named /chroot/named/var/named
# semanage fcontext -a -e /var/named/chroot /chroot/named

get me error:

-e not valid for fcontext objects

Comment 3 Mijax 2010-07-01 08:12:20 UTC
Problem solved.

I executed:

# semanage fcontext -a -e /var/named/chroot /chroot/named

And saw policycoreutils-python crashed(#529289 bug - related to /usr/sbin/semanage). With updating policycoreutils, fixed.

Then I executed:

# restorecon -R -v /chroot/named/var/named/
# semanage fcontext -a -t var_t '/chroot(/.*)?'
# semanage fcontext -a -e /var/named/chroot /chroot/named
# restorecon -R -v /chroot
# setsebool -P named_write_master_zones=1

and the problem fixed Look like #602992 bug.

Comment 4 Miroslav Grepl 2010-07-04 22:01:57 UTC
Ok, I am closing it as DUPLICATE.

*** This bug has been marked as a duplicate of bug 602992 ***

Comment 5 RP Exploit 2010-07-11 07:16:15 UTC
I do top commands, but when i execute:
# restorecon -R -v /chroot

is shown this output:

restorecon reset /chroot/named/etc/named.conf context unconfined_u:object_r:etc_t:s0->system_u:object_r:named_conf_t:s0
restorecon set context /chroot/named/etc/named.conf->system_u:object_r:named_conf_t:s0 failed:'Operation not permitted'

what should i do?

policycoreutils,selinux-policy & selinux-policy-targeted is update.

Note You need to log in before you can comment on or make changes to this bug.