
rndc and chroot
It appears that rndc and chroot named don't mix nicely.

I got these denials:

May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: denied { read } for pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 ino=381773 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file

May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: denied { read } for pid=19767 comm="rndc" name="rndc.key" dev=dm-0 ino=381783 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file

because rndc isn't allowed to follow symlinks into the chroot named environment:

$ ls -lZ /etc/rndc.*
lrwxrwxrwx root named system_u:object_r:named_conf_t /etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
lrwxrwxrwx root named system_u:object_r:dnssec_t /etc/rndc.key -> /var/named/chroot/etc/rndc.key

$ ls -lZL /etc/rndc.*
-rw-r----- root named system_u:object_r:named_conf_t /etc/rndc.conf
-rw-r----- root named system_u:object_r:dnssec_t /etc/rndc.key

I think ndc_t should be able to follow these links.

Paul.

