It appears that rndc and chroot named don't mix nicely.
I got these denials:
May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: denied { read } for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 ino=381773 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file
May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: denied { read } for pid=19767 comm="rndc" name="rndc.key" dev=dm-0 ino=381783 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file
because rndc isn't allowed to follow symlinks into the chroot named
environment:
$ ls -lZ /etc/rndc.*
lrwxrwxrwx  root named system_u:object_r:named_conf_t /etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
lrwxrwxrwx  root named system_u:object_r:dnssec_t     /etc/rndc.key -> /var/named/chroot/etc/rndc.key
$ ls -lZL /etc/rndc.*
-rw-r-----  root named system_u:object_r:named_conf_t /etc/rndc.conf
-rw-r-----  root named system_u:object_r:dnssec_t     /etc/rndc.key
I think ndc_t should be able to follow these links.
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
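The two AVC records above can be turned into the type-enforcement rules that would satisfy them. The Python below is an added example and is not part of the post, nor is it audit2allow itself: it is a small hand-rolled parser that does the same collapsing of denials into allow rules. The sample log is constructed from the two denials quoted in the post, joined onto one line each as the kernel logs them; the names Avc, parse_log, allow_rules and symlink_denials are this example's own. Note what tclass=lnk_file means: the denial is on following the symlink, which is governed by the link's own type. Once ndc_t may read the lnk_file, it also needs the corresponding permissions on the target's file type, which here happens to be the same type (named_conf_t, dnssec_t) as the ls -lZL output shows.

```python
"""Parse SELinux AVC denials and emit the allow rules they imply.

Added example; a minimal imitation of what audit2allow does, not the
tool itself.  The sample input is constructed from the two denials in
the post above.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the post's two denials, one kernel log record per line.
SAMPLE_LOG = """\
May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: denied { read } for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 ino=381773 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file
May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: denied { read } for pid=19767 comm="rndc" name="rndc.key" dev=dm-0 ino=381783 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file
"""

# verdict, the { perm perm ... } set, then the three fields every AVC carries
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# generic key=value pairs (quoted or bare) for comm=, name=, pid=, ...
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    verdict: str
    perms: tuple          # sorted permission names from the { ... } set
    comm: str             # process name
    name: str             # object name (last path component)
    stype: str            # type component of scontext, e.g. ndc_t
    ttype: str            # type component of tcontext, e.g. named_conf_t
    tclass: str           # object class, e.g. lnk_file or file


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one log line; return an Avc or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Avc(
        verdict=m.group("verdict"),
        perms=tuple(sorted(m.group("perms").split())),
        comm=kv.get("comm", ""),
        name=kv.get("name", ""),
        stype=context_type(m.group("scontext")),
        ttype=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def parse_log(text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a]


def symlink_denials(avcs):
    """Denials on class lnk_file: the domain may not even follow the link."""
    return [a for a in avcs if a.verdict == "denied" and a.tclass == "lnk_file"]


def allow_rules(avcs):
    """Collapse denials into one allow rule per (source type, target type, class).

    Review every rule before loading it: generating policy straight from
    denials is how over-broad local modules are born.
    """
    needed = defaultdict(set)
    for a in avcs:
        if a.verdict == "denied":
            needed[(a.stype, a.ttype, a.tclass)].update(a.perms)
    rules = []
    for (s, t, c), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {perm_str};")
    return rules


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(f"{r.comm} ({r.stype}) denied {r.perms} on {r.name} [{r.ttype}:{r.tclass}]")
    print("\n".join(allow_rules(records)))
```

Feed it real output from `ausearch -m avc` or the kernel log instead of SAMPLE_LOG; lines that are not AVC records are ignored. For the post's case the output is two lnk_file rules; whether those belong in a local module or in the distribution's ndc policy is the question Paul raises, not something the parser decides.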