Description of problem:
I use the script https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh to install and set up OpenShift. Part of the setup deals with bind and I've seen AVC denials in the logs. Upon minimizing the steps needed to trigger the AVC denials, the possible scenario seems to be: create the file /var/named/example.com.key and start and stop named.

Version-Release number of selected component (if applicable):
bind-9.8.2-0.17.rc1.el6.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have a fresh RHEL 6.4, install named, start and stop the service, observe no AVC denials.
2. Run

cat <<EOF > /var/named/example.com.key
key example.com {
 algorithm HMAC-MD5;
 secret "/CqpJiaetYjJm404sZ4yxW+gkERUXlTUMebpEhADhpWBFqF3/BJad6FwnQ26s7F5e4KgqQuLcpf+cyWUOgS6Gw==";
};
EOF

3. Run chown named:named -R /var/named ; restorecon -rv /var/named
4. Run service named start ; service named stop

Actual results:
During start

type=AVC msg=audit(1369208774.561:649): avc: denied { write } for pid=51034 comm="named" name="named" dev=dm-0 ino=655545 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

and during stop

type=AVC msg=audit(1369208780.004:650): avc: denied { add_name } for pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.004:650): avc: denied { create } for pid=51005 comm="named" name="tmp-vU5tcY2pO7" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.004:650): avc: denied { write } for pid=51005 comm="named" name="tmp-vU5tcY2pO7" dev=dm-0 ino=655567 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1369208780.005:651): avc: denied { remove_name } for pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1369208780.005:651): avc: denied { unlink } for pid=51011 comm="named" name="tmp-83XPiFz8pp" dev=dm-0 ino=655572 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file

under permissive. In enforcing mode, only the first write AVC during start is logged.

Expected results:
No AVC denials.

Additional info:
I am aware of bug 545128 but note that I'm not setting slaves, so I believe named_write_master_zones does not apply. For the same reason I'm filing the bug against bind and not selinux-policy-targeted.

Note that the (what appears to be) temporary file gets created and removed. Upon subsequent start / stop, the AVC denial does not happen. However, if you remove the file and stop it again, it will happen again.

It is well possible that the key file should not be in this directory and that the openshift.sh script should be amended to put it elsewhere. In that case we'd appreciate a hint about the correct configuration.
The problem seems to be that you are changing the owner of /var/named recursively. The owner of /var/named and some files in it should be "root".

# rpm -V bind
S.5....T.  c /etc/named.conf
.....U...    /var/named
.....U...  c /var/named/named.ca
.....U...  c /var/named/named.empty
.....U...  c /var/named/named.localhost
.....U...  c /var/named/named.loopback

So you should change only the group using 'chgrp', or set owner:group only on the file you created.

If you don't mind, I would like to close this bug as NOTABUG.
(In reply to Tomas Hozza from comment #1)
> The problem seems to be that you are changing the owner of /var/named
> recursively. Owner of /var/named and some files in it should be "root".
>
> # rpm -V bind
> S.5....T.  c /etc/named.conf
> .....U...    /var/named
> .....U...  c /var/named/named.ca
> .....U...  c /var/named/named.empty
> .....U...  c /var/named/named.localhost
> .....U...  c /var/named/named.loopback
>
> So you should change only group using 'chgrp' or set owner:group only to
> the file you created.

Thank you very much for the investigation, Tomáš.

> If you don't mind I would like to close this Bug as NOTABUG.

Actually, what I will do is move the bug to the OpenShift Enterprise product. It looks like https://raw.github.com/openshift/openshift-extras/enterprise-1.2/enterprise/install-scripts/generic/openshift.sh shouldn't chown named:named -R /var/named the whole directory. Could the script be amended?
https://github.com/openshift/openshift-extras/pull/21
Fix has been merged for openshift-extras (install scripts).

https://github.com/openshift/puppet-openshift_origin/pull/64 submitted for the puppet module.
(In reply to Jason DeTiberus from comment #5)
> Fix has been merged for openshift-extras (install scripts)

I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed the AVC issue. Thanks!

Should I mark the bugzilla VERIFIED?
(In reply to Jan Pazdziora from comment #6)
> (In reply to Jason DeTiberus from comment #5)
> > Fix has been merged for openshift-extras (install scripts)
>
> I confirm that the fix 61a3ffd938e0097af79e815de9b3b1b4d5bf5672 addressed
> the AVC issue. Thanks!
>
> Should I mark the bugzilla VERIFIED?

I would wait until after the puppet changes are merged, since it fixes the same behavior.
Can you check if this is referenced in our product documentation? If so, we'll need to update it.
https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/1/html/Deployment_Guide/sect-OpenShift_Enterprise-Deployment_Guide-Configuring_BIND_and_DNS-Configuring_Sub_domain_Hostname_Resolution.html

Procedure 5.4 Step 2 needs to be updated as follows:

> chown -Rv named:named /var/named

Should be changed to:

> chgrp named -R /var/named
> chown named -R /var/named/dynamic
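The ownership rule that comment #1 (only the group recursively, owner:group only on the file you created) and the documentation fix above both describe, as an added example: this script is not part of the bug report, the bind package or the OpenShift install scripts. It applies the corrected ownership to a zone directory and then audits the directory for entries that stray from the packaged owner, which is the same set of paths that 'rpm -V bind' flags with U in comment #1. The function names, the numeric-uid audit and the sample directory layout are my own; the example assumes GNU coreutils/findutils (chgrp -R, find -prune/-uid/-printf) and runs unprivileged against a constructed scratch copy of the layout, since chown to a different user needs root.

```shell
#!/bin/bash
# Added example, not code from the bug report or from OpenShift.
set -eu

# Corrected ownership from the thread: group "named" on the whole tree,
# owner "named" only under dynamic/ and on the key file the installer wrote.
# OWNER/GROUP are parameters so this can be exercised on a scratch copy.
fix_named_ownership() {
    local dir=$1 owner=${2:-named} group=${3:-named} key=${4:-example.com.key}
    chgrp -R "$group" "$dir"            # instead of: chown -R named:named "$dir"
    chown -R "$owner" "$dir/dynamic"
    if [ -e "$dir/$key" ]; then
        chown "$owner:$group" "$dir/$key"
    fi
}

# Print "path owner:group" for every entry outside dynamic/ (and other than
# the key file) whose uid is not the packaged owner (uid 0 for bind's files).
# dynamic/ is pruned because named is expected to own it.
audit_named_ownership() {
    local dir=$1 pkg_uid=${2:-0} key=${3:-example.com.key}
    find "$dir" -path "$dir/dynamic" -prune -o \
         ! -name "$key" ! -uid "$pkg_uid" -printf '%p %u:%g\n'
}

# Number of stray entries; 0 means the tree matches the packaged ownership.
count_strays() {
    audit_named_ownership "$@" | wc -l | tr -d ' '
}

# Constructed copy of the /var/named layout seen in the thread (assumption:
# the subdirectory names; the key body is a dummy, not the reporter's secret).
make_sample_zone_dir() {
    local dir f
    dir=$(mktemp -d)
    mkdir -p "$dir/dynamic" "$dir/data" "$dir/slaves"
    for f in named.ca named.empty named.localhost named.loopback; do
        : > "$dir/$f"
    done
    : > "$dir/dynamic/example.com.db"
    printf 'key example.com {\n algorithm HMAC-MD5;\n secret "ZHVtbXk=";\n};\n' \
        > "$dir/example.com.key"
    printf '%s\n' "$dir"
}

# Run with --demo to exercise the functions against the scratch tree as the
# current user (on a real host you would call fix_named_ownership /var/named).
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_zone_dir)
    fix_named_ownership "$d" "$(id -un)" "$(id -gn)"
    echo "stray entries vs uid $(id -u): $(count_strays "$d" "$(id -u)")"
    audit_named_ownership "$d" "$(id -u)"
    rm -rf "$d"
fi
```

On a real host the audit is run as `audit_named_ownership /var/named` (uid 0 by default) and should print nothing after the corrected commands; if it lists named.ca, named.empty, named.localhost or named.loopback, the recursive chown from the original script has been applied and `rpm -V bind` will show the same paths.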
Alex, can you track this for the 1.2 documentation release?
(In reply to Brenton Leanhardt from comment #10)
> Alex, can you track this for the 1.2 documentation release?

Will do.