View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003449 | CentOS-5 | selinux-policy-targeted | public | 2009-03-27 08:15 | 2009-09-02 08:43 |
Reporter | Assigned To | Priority | Severity | Reproducibility | Status | Resolution | Product Version
---|---|---|---|---|---|---|---
codebeard | | normal | major | always | resolved | fixed | 5.2

Summary: 0003449: restorecon breaks selinux contexts in /var/named/chroot/proc (which is bind mounted to /proc so breaks that too)

Description:

The /proc mount is set up to not be touched by restorecon. However, /var/named/chroot/proc inherits system_u:object_r:named_conf_t:s0, which then makes the main /proc filesystem a complete mess and causes thousands of SELinux denials from processes accessing their own file descriptors and sockets. There needs to be a '<<None>>' rule for /var/named/chroot/proc(/.*)?

```
[root@gateway selinux]# semanage fcontext -l | grep ^/proc
/proc/.*                                     all files         <<None>>
/proc                                        directory         <<None>>
[root@gateway selinux]# semanage fcontext -l | grep ^/var/named/chroot
/var/named/chroot(/.*)?                      all files         system_u:object_r:named_conf_t:s0
/var/named/chroot/etc(/.*)?                  all files         system_u:object_r:named_conf_t:s0
/var/named/chroot/var/tmp(/.*)?              all files         system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named(/.*)?            all files         system_u:object_r:named_zone_t:s0
/var/named/chroot/var/run/dbus(/.*)?         all files         system_u:object_r:system_dbusd_var_run_t:s0
/var/named/chroot/var/run/named.*            all files         system_u:object_r:named_var_run_t:s0
/var/named/chroot/var/named/data(/.*)?       all files         system_u:object_r:named_cache_t:s0
/var/named/chroot/var/named/slaves(/.*)?     all files         system_u:object_r:named_cache_t:s0
/var/named/chroot/var/log                    directory         system_u:object_r:var_log_t:s0
/var/named/chroot/dev/zero                   character device  system_u:object_r:zero_device_t:s0
/var/named/chroot/dev/null                   character device  system_u:object_r:null_device_t:s0
/var/named/chroot/dev/random                 character device  system_u:object_r:random_device_t:s0
/var/named/chroot/etc/rndc\.key              regular file      system_u:object_r:dnssec_t:s0
/var/named/chroot/var/named/named\.ca        regular file      system_u:object_r:named_conf_t:s0
```

Tags: 5.4, fixed in 5.4
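As an added illustration (not code from the report, nor from the CentOS or Red Hat policy), the following Python check parses constructed `semanage fcontext -l` output and picks the most specific matching rule for a path, which shows why entries under the chroot's proc inherit named_conf_t and how a `<<None>>` rule for /var/named/chroot/proc(/.*)? stops restorecon from relabeling the bind-mounted /proc. It assumes that "longest literal stem wins" approximates file_contexts specificity ordering and it ignores the file-type column; `audit_pseudo_fs` is a hypothetical helper name.

```python
import re

# Constructed sample of `semanage fcontext -l` output, mirroring the rules
# quoted in the report (no rule for /var/named/chroot/proc, as reported).
FCONTEXT_BEFORE = """\
/proc/.* all files <<None>>
/proc directory <<None>>
/var/named/chroot(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/etc(/.*)? all files system_u:object_r:named_conf_t:s0
/var/named/chroot/var/named(/.*)? all files system_u:object_r:named_zone_t:s0
"""

# Same rules plus the <<None>> rule the report asks for.
FCONTEXT_AFTER = FCONTEXT_BEFORE + "/var/named/chroot/proc(/.*)? all files <<None>>\n"

_META = set(".^$?*+|[(){\\")


def stem(regex):
    """Literal prefix of a file-context regex, up to the first metacharacter."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return regex[:i]
    return regex


def parse_fcontext(text):
    """Return (regex, context) pairs; the file-type column is ignored (assumption)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            rules.append((parts[0], parts[-1]))
    return rules


def best_rule(rules, path):
    """Matching rule with the longest literal stem, later rule winning ties.
    Assumption: this approximates how file_contexts specificity is ordered."""
    best = None
    for regex, context in rules:
        if re.fullmatch(regex, path):
            if best is None or len(stem(regex)) >= len(stem(best[0])):
                best = (regex, context)
    return best


def label_for(text, path):
    rule = best_rule(parse_fcontext(text), path)
    return rule[1] if rule else None


def audit_pseudo_fs(text, mountpoint):
    """Contexts restorecon would apply to sample entries under a bind-mounted
    pseudo-filesystem; anything other than <<None>> means the bind-mount
    source (here /proc) gets relabeled too."""
    samples = [mountpoint, mountpoint + "/1/fd/3", mountpoint + "/net/tcp"]
    return {p: label_for(text, p) for p in samples}
```

Run `audit_pseudo_fs(FCONTEXT_BEFORE, "/var/named/chroot/proc")` to see every sample entry labeled named_conf_t, and the same call with `FCONTEXT_AFTER` to see them all resolve to `<<None>>`.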
Notes

Note | Date | Username | Text
---|---|---|---
0008959 | 2009-03-27 11:33 | | That looks like a policy bug/enhancement which should be handled upstream. Would you mind opening a bug report at https://bugzilla.redhat.com/ for this issue and give us the link to that bug report here? Thank you.
0008961 | 2009-03-27 11:36 | codebeard | Thanks for your quick response. I wasn't really sure how bug reporting worked for CentOS... I haven't paid for RHEL so I wasn't sure if they'd accept bug reports upstream. Are they happy for CentOS users to submit bugs there?
0008962 | 2009-03-27 11:58 | | Yes. They even have a box where you can check external bugreports which has the CentOS bug tracker in it.
0008963 | 2009-03-27 14:03 | codebeard | https://bugzilla.redhat.com/show_bug.cgi?id=492567
0008989 | 2009-04-01 20:04 | | Will be fixed in 5.4
0009858 | 2009-09-02 08:43 | | Fixed by upstream, expect new packages soon.
Issue History

Date Modified | Username | Field | Change
---|---|---|---
2009-03-27 08:15 | codebeard | New Issue |
2009-03-27 11:33 | | Note Added: 0008959 |
2009-03-27 11:33 | | Status | new => feedback
2009-03-27 11:36 | codebeard | Note Added: 0008961 |
2009-03-27 11:58 | | Note Added: 0008962 |
2009-03-27 14:03 | codebeard | Note Added: 0008963 |
2009-04-01 20:04 | | Note Added: 0008989 |
2009-04-01 20:05 | | Status | feedback => confirmed
2009-04-01 20:05 | | Tag Attached: 5.4 |
2009-04-06 10:11 | | Tag Attached: fixed in 5.4 |
2009-09-02 08:43 | | Note Added: 0009858 |
2009-09-02 08:43 | | Status | confirmed => resolved
2009-09-02 08:43 | | Resolution | open => fixed