0003449: restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too) - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0003449	CentOS-5	selinux-policy-targeted	public	2009-03-27 08:15	2009-09-02 08:43

Reporter	codebeard
Priority	normal	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	5.2
Target Version		Fixed in Version

Summary	0003449: restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too)
Description	The /proc mount is set up to not be touched by restorecon. However, /var/named/chroot/proc inherits system_u:object_r:named_conf_t:s0, which then makes the main /proc filesystem a complete mess and causes thousands of SELinux denials from processes accessing their own file descriptors and sockets. There needs to be a '<<None>>' rule for /var/named/chroot/proc(/.)? [root@gateway selinux]# semanage fcontext -l \| grep ^/proc /proc/. all files <<None>> /proc directory <<None>> [root@gateway selinux]# semanage fcontext -l \| grep ^/var/named/chroot /var/named/chroot(/.)? all files system_u:object_r:named_conf_t:s0 /var/named/chroot/etc(/.)? all files system_u:object_r:named_conf_t:s0 /var/named/chroot/var/tmp(/.)? all files system_u:object_r:named_cache_t:s0 /var/named/chroot/var/named(/.)? all files system_u:object_r:named_zone_t:s0 /var/named/chroot/var/run/dbus(/.)? all files system_u:object_r:system_dbusd_var_run_t:s0 /var/named/chroot/var/run/named. all files system_u:object_r:named_var_run_t:s0 /var/named/chroot/var/named/data(/.)? all files system_u:object_r:named_cache_t:s0 /var/named/chroot/var/named/slaves(/.)? all files system_u:object_r:named_cache_t:s0 /var/named/chroot/var/log directory system_u:object_r:var_log_t:s0 /var/named/chroot/dev/zero character device system_u:object_r:zero_device_t:s0 /var/named/chroot/dev/null character device system_u:object_r:null_device_t:s0 /var/named/chroot/dev/random character device system_u:object_r:random_device_t:s0 /var/named/chroot/etc/rndc\.key regular file system_u:object_r:dnssec_t:s0 /var/named/chroot/var/named/named\.ca regular file system_u:object_r:named_conf_t:s0
Tags	5.4, fixed in 5.4

range 2009-03-27 11:33 administrator ~0008959	That looks like a policy bug/enhancement which should be handled upstream. Would you mind opening a bug report at https://bugzilla.redhat.com/ for this issue and give us the link to that bug report here? Thank you.

codebeard 2009-03-27 11:36 reporter ~0008961	Thanks for your quick response. I wasn't really sure how bug reporting worked for CentOS... I haven't paid for RHEL so I wasn't sure if they'd accept bug reports upstream. Are they happy for CentOS users to submit bugs there?

range 2009-03-27 11:58 administrator ~0008962	Yes. They even have a box where you can check external bugreports which has the CentOS bug tracker in it.

codebeard 2009-03-27 14:03 reporter ~0008963	https://bugzilla.redhat.com/show_bug.cgi?id=492567

range 2009-04-01 20:04 administrator ~0008989	Will be fixed in 5.4

range 2009-09-02 08:43 administrator ~0009858	Fixed by upstream, expect new packages soon.

Date Modified	Username	Field	Change
2009-03-27 08:15	codebeard	New Issue
2009-03-27 11:33	range	Note Added: 0008959
2009-03-27 11:33	range	Status	new => feedback
2009-03-27 11:36	codebeard	Note Added: 0008961
2009-03-27 11:58	range	Note Added: 0008962
2009-03-27 14:03	codebeard	Note Added: 0008963
2009-04-01 20:04	range	Note Added: 0008989
2009-04-01 20:05	range	Status	feedback => confirmed
2009-04-01 20:05	range	Tag Attached: 5.4
2009-04-06 10:11	range	Tag Attached: fixed in 5.4
2009-09-02 08:43	range	Note Added: 0009858
2009-09-02 08:43	range	Status	confirmed => resolved
2009-09-02 08:43	range	Resolution	open => fixed