View Issue Details

IDProjectCategoryView StatusLast Update
0003449CentOS-5selinux-policy-targetedpublic2009-09-02 08:43
Reportercodebeard Assigned To 
Status resolvedResolutionfixed 
Product Version5.2 
Summary0003449: restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too)
DescriptionThe /proc mount is set up to not be touched by restorecon. However, /var/named/chroot/proc inherits system_u:object_r:named_conf_t:s0, which then makes the main /proc filesystem a complete mess and causes thousands of SELinux denials from processes accessing their own file descriptors and sockets.

There needs to be a '<<None>>' rule for /var/named/chroot/proc(/.*)?

[root@gateway selinux]# semanage fcontext -l | grep ^/proc
/proc/.* all files <<None>>
/proc directory <<None>>
[root@gateway selinux]# semanage fcontext -l | grep ^/var/named/chroot
/var/named/chroot(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/etc(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/var/tmp(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named(/.*)? all files system_u:object_r:named_zone_t:s0
/var/named/chroot/var/run/dbus(/.*)? all files system_u:object_r:system_dbusd_var_run_t:s0
/var/named/chroot/var/run/named.* all files system_u:object_r:named_var_run_t:s0
/var/named/chroot/var/named/data(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named/slaves(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/log directory system_u:object_r:var_log_t:s0
/var/named/chroot/dev/zero character device system_u:object_r:zero_device_t:s0
/var/named/chroot/dev/null character device system_u:object_r:null_device_t:s0
/var/named/chroot/dev/random character device system_u:object_r:random_device_t:s0
/var/named/chroot/etc/rndc\.key regular file system_u:object_r:dnssec_t:s0
/var/named/chroot/var/named/named\.ca regular file system_u:object_r:named_conf_t:s0
Tags5.4, fixed in 5.4



2009-03-27 11:33


That looks like a policy bug/enhancement which should be handled upstream. Would you mind opening a bug report at for this issue and give us the link to that bug report here?

Thank you.


2009-03-27 11:36

reporter   ~0008961

Thanks for your quick response. I wasn't really sure how bug reporting worked for CentOS... I haven't paid for RHEL so I wasn't sure if they'd accept bug reports upstream. Are they happy for CentOS users to submit bugs there?


2009-03-27 11:58


Yes. They even have a box where you can check external bugreports which has the CentOS bug tracker in it.


2009-03-27 14:03

reporter   ~0008963


2009-04-01 20:04


Will be fixed in 5.4


2009-09-02 08:43


Fixed by upstream, expect new packages soon.

Issue History

Date Modified Username Field Change
2009-03-27 08:15 codebeard New Issue
2009-03-27 11:33 user430 Note Added: 0008959
2009-03-27 11:33 user430 Status new => feedback
2009-03-27 11:36 codebeard Note Added: 0008961
2009-03-27 11:58 user430 Note Added: 0008962
2009-03-27 14:03 codebeard Note Added: 0008963
2009-04-01 20:04 user430 Note Added: 0008989
2009-04-01 20:05 user430 Status feedback => confirmed
2009-04-01 20:05 user430 Tag Attached: 5.4
2009-04-06 10:11 user430 Tag Attached: fixed in 5.4
2009-09-02 08:43 user430 Note Added: 0009858
2009-09-02 08:43 user430 Status confirmed => resolved
2009-09-02 08:43 user430 Resolution open => fixed