View Issue Details

ID: 0003449
Project: CentOS-5
Category: selinux-policy-targeted
View Status: public
Last Update: 2009-09-02 08:43
Reporter: codebeard
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.2
Target Version:
Fixed in Version:
Summary: 0003449: restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too)
Description:
The /proc mount is set up to not be touched by restorecon. However, /var/named/chroot/proc inherits system_u:object_r:named_conf_t:s0, which then makes the main /proc filesystem a complete mess and causes thousands of SELinux denials from processes accessing their own file descriptors and sockets.

There needs to be a '<<None>>' rule for /var/named/chroot/proc(/.*)?

[root@gateway selinux]# semanage fcontext -l | grep ^/proc
/proc/.* all files <<None>>
/proc directory <<None>>
[root@gateway selinux]# semanage fcontext -l | grep ^/var/named/chroot
/var/named/chroot(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/etc(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/var/tmp(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named(/.*)? all files system_u:object_r:named_zone_t:s0
/var/named/chroot/var/run/dbus(/.*)? all files system_u:object_r:system_dbusd_var_run_t:s0
/var/named/chroot/var/run/named.* all files system_u:object_r:named_var_run_t:s0
/var/named/chroot/var/named/data(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named/slaves(/.*)? all files system_u:object_r:named_cache_t:s0
/var/named/chroot/var/log directory system_u:object_r:var_log_t:s0
/var/named/chroot/dev/zero character device system_u:object_r:zero_device_t:s0
/var/named/chroot/dev/null character device system_u:object_r:null_device_t:s0
/var/named/chroot/dev/random character device system_u:object_r:random_device_t:s0
/var/named/chroot/etc/rndc\.key regular file system_u:object_r:dnssec_t:s0
/var/named/chroot/var/named/named\.ca regular file system_u:object_r:named_conf_t:s0
Tags: 5.4, fixed in 5.4
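The labelling problem the report describes, as an added example that is not part of the bug report: a small Python model of fcontext matching over the rules quoted above, showing that a relabel walk skips /proc/... but labels /var/named/chroot/proc/... (the same inodes, via the bind mount) named_conf_t, and that the proposed <<None>> rule closes the gap. The rule subset, the sample paths, the semanage invocation and the last-match-wins model are constructed/assumed, simplified from how libselinux resolves file_contexts.

```python
import re

# Constructed from the `semanage fcontext -l` output quoted in the report, in the
# order shown there; "<<None>>" stands for the literal <<None>> context.
POLICY_RULES = [
    (r"/proc/.*", "all files", "<<None>>"),
    (r"/proc", "directory", "<<None>>"),
    (r"/var/named/chroot(/.*)?", "all files", "system_u:object_r:named_conf_t:s0"),
    (r"/var/named/chroot/etc(/.*)?", "all files", "system_u:object_r:named_conf_t:s0"),
    (r"/var/named/chroot/var/named(/.*)?", "all files", "system_u:object_r:named_zone_t:s0"),
    (r"/var/named/chroot/var/named/data(/.*)?", "all files", "system_u:object_r:named_cache_t:s0"),
    (r"/var/named/chroot/var/log", "directory", "system_u:object_r:var_log_t:s0"),
    (r"/var/named/chroot/etc/rndc\.key", "regular file", "system_u:object_r:dnssec_t:s0"),
]
# The local customisation the report asks for, as an assumed
# `semanage fcontext -a -t '<<None>>' '/var/named/chroot/proc(/.*)?'` would record it;
# local rules are consulted after the policy's own rules, so they take precedence.
LOCAL_RULES = [(r"/var/named/chroot/proc(/.*)?", "all files", "<<None>>")]

def label_for(path, ftype, rules):
    """Context restorecon would set on `path`, "<<None>>" if a rule says to leave it
    alone, or None if nothing matches. Model (a simplifying assumption): each regex is
    anchored to the whole path and the last matching rule with a fitting file type wins."""
    for regex, rtype, ctx in reversed(rules):
        if rtype in ("all files", ftype) and re.fullmatch(regex, path):
            return ctx
    return None

def relabel_plan(entries, rules):
    """Map each (path, ftype) that restorecon would actually relabel to its new context."""
    plan = {}
    for path, ftype in entries:
        ctx = label_for(path, ftype, rules)
        if ctx not in (None, "<<None>>"):
            plan[path] = ctx
    return plan

# Constructed sample of what a relabel walk sees; because of the bind mount the
# chroot/proc entry is the very same inode as its /proc counterpart.
SAMPLE = [
    ("/proc/1/fd/3", "symbolic link"),
    ("/var/named/chroot/proc/1/fd/3", "symbolic link"),
    ("/var/named/chroot/etc/rndc.key", "regular file"),
    ("/var/named/chroot/var/named/data/named.run", "regular file"),
]

if __name__ == "__main__":
    for name, rules in (("policy only", POLICY_RULES), ("with <<None>>", POLICY_RULES + LOCAL_RULES)):
        print(name, relabel_plan(SAMPLE, rules))
```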

Activities

range (administrator), 2009-03-27 11:33, ~0008959

That looks like a policy bug/enhancement which should be handled upstream. Would you mind opening a bug report at https://bugzilla.redhat.com/ for this issue and give us the link to that bug report here?

Thank you.
codebeard (reporter), 2009-03-27 11:36, ~0008961

Thanks for your quick response. I wasn't really sure how bug reporting worked for CentOS... I haven't paid for RHEL so I wasn't sure if they'd accept bug reports upstream. Are they happy for CentOS users to submit bugs there?
range (administrator), 2009-03-27 11:58, ~0008962

Yes. They even have a box where you can check external bug reports which has the CentOS bug tracker in it.
codebeard (reporter), 2009-03-27 14:03, ~0008963

https://bugzilla.redhat.com/show_bug.cgi?id=492567
range (administrator), 2009-04-01 20:04, ~0008989

Will be fixed in 5.4
range (administrator), 2009-09-02 08:43, ~0009858

Fixed by upstream, expect new packages soon.

Issue History

Date Modified Username Field Change
2009-03-27 08:15 codebeard New Issue
2009-03-27 11:33 range Note Added: 0008959
2009-03-27 11:33 range Status new => feedback
2009-03-27 11:36 codebeard Note Added: 0008961
2009-03-27 11:58 range Note Added: 0008962
2009-03-27 14:03 codebeard Note Added: 0008963
2009-04-01 20:04 range Note Added: 0008989
2009-04-01 20:05 range Status feedback => confirmed
2009-04-01 20:05 range Tag Attached: 5.4
2009-04-06 10:11 range Tag Attached: fixed in 5.4
2009-09-02 08:43 range Note Added: 0009858
2009-09-02 08:43 range Status confirmed => resolved
2009-09-02 08:43 range Resolution open => fixed