On Wed, 2006-05-10 at 15:38 -0400, Daniel J Walsh wrote:
> Paul Howarth wrote:
> > It appears that rndc and chroot named don't mix nicely.
> >
> > I got these denials:
> >
> > May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc:
> > denied { read } for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0
> > ino=381773 scontext=root:system_r:ndc_t:s0
> > tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file
> >
> > May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc:
> > denied { read } for pid=19767 comm="rndc" name="rndc.key" dev=dm-0
> > ino=381783 scontext=root:system_r:ndc_t:s0
> > tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file
> >
> > because rndc isn't allowed to follow symlinks into the chroot named
> > environment:
> >
> > $ ls -lZ /etc/rndc.*
> > lrwxrwxrwx root named system_u:object_r:named_conf_t
> > /etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
> > lrwxrwxrwx root named system_u:object_r:dnssec_t /etc/rndc.key
> > -> /var/named/chroot/etc/rndc.key
> >
> > $ ls -lZL /etc/rndc.*
> > -rw-r----- root named system_u:object_r:named_conf_t
> > /etc/rndc.conf
> > -rw-r----- root named system_u:object_r:dnssec_t
> > /etc/rndc.key
> >
> > I think ndc_t should be able to follow these links.
> >
> Those links should be etc_t?

Hmm, you're right:

# restorecon -v /etc/rndc.*
restorecon reset /etc/rndc.conf context system_u:object_r:named_conf_t->system_u:object_r:etc_t
restorecon reset /etc/rndc.key context system_u:object_r:dnssec_t->system_u:object_r:etc_t

I wonder how they got those contexts?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
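The following is an added example, not code from the thread or from the SELinux reference policy. It parses the two AVC records quoted above (reassembled onto one line each), summarizes denials by source type, target type and object class the way a quick audit2allow-style triage would, and then applies the thread's diagnosis as a check: for lnk_file denials it reports symlinks whose label is not the type the rest of the thread expects them to carry (etc_t, passed in as an assumption rather than looked up from the file contexts database).

```python
import re
from collections import defaultdict

# The two AVC records quoted in the thread, each joined back onto a single line.
SAMPLE_LOG = [
    'May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: denied { read } '
    'for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 ino=381773 '
    'scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file',
    'May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: denied { read } '
    'for pid=19767 comm="rndc" name="rndc.key" dev=dm-0 ino=381783 '
    'scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'decision': m.group('decision'), 'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def mislabeled_symlinks(lines, expected_type='etc_t'):
    """For lnk_file denials, list (name, actual type) where the symlink's label differs
    from expected_type. expected_type is an assumption taken from the thread: symlinks
    living in /etc are expected to be etc_t, so a symlink labeled named_conf_t or
    dnssec_t points at a labeling problem to fix with restorecon, not at a policy gap."""
    suspects = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') != 'lnk_file':
            continue
        actual = selinux_type(rec['tcontext'])
        if actual != expected_type:
            suspects.append((rec.get('name', '?'), actual))
    return suspects


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE_LOG).items():
        print(f'{src} -> {tgt} ({cls}): {" ".join(perms)}')
    for name, actual in mislabeled_symlinks(SAMPLE_LOG):
        print(f'symlink {name} is {actual}, expected etc_t; run restorecon on it')
```

The point of splitting the two functions is the distinction the thread arrives at: a denial summary alone suggests writing policy to let ndc_t read named_conf_t and dnssec_t symlinks, whereas checking the target label against what the file should carry shows the links themselves were mislabeled and restorecon is the right fix.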