rndc and chroot

Daniel J Walsh dwalsh at redhat.com
Wed May 10 19:38:36 UTC 2006


Paul Howarth wrote:
> It appears that rndc and chroot named don't mix nicely.
>
> I got these denials:
>
> May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: 
> denied  { read } for  pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 
> ino=381773 scontext=root:system_r:ndc_t:s0 
> tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file
>
> May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: 
> denied  { read } for  pid=19767 comm="rndc" name="rndc.key" dev=dm-0 
> ino=381783 scontext=root:system_r:ndc_t:s0 
> tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file
>
> because rndc isn't allowed to follow symlinks into the chroot named 
> environment:
>
> $ ls -lZ /etc/rndc.*
> lrwxrwxrwx  root     named    system_u:object_r:named_conf_t 
> /etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
> lrwxrwxrwx  root     named    system_u:object_r:dnssec_t /etc/rndc.key 
> -> /var/named/chroot/etc/rndc.key
>
> $ ls -lZL /etc/rndc.*
> -rw-r-----  root     named    system_u:object_r:named_conf_t 
> /etc/rndc.conf
> -rw-r-----  root     named    system_u:object_r:dnssec_t       
> /etc/rndc.key
>
> I think ndc_t should be able to follow these links.
>
Those links should be etc_t?
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
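An added example, not from Paul's or Dan's posts: a small POSIX sh helper that pulls the fields that matter (comm, the denied permission, source type, target type, object class) out of an AVC denial line and, for a denied lnk_file whose label is not etc_t, prints the relabel command one would try to test Dan's remark. The denial line is constructed from the first one Paul posted, joined back onto a single line as the kernel writes it; the assumption that the denied symlink lives directly under /etc is mine.

```shell
#!/bin/sh
# Constructed from the first denial in the thread (one line, as the kernel logs it).
AVC1='May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: denied  { read } for  pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 ino=381773 scontext=root:system_r:ndc_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file'

# avc_field LINE KEY  -> value of "KEY=..." in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE  -> the permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT  -> the type component of user:role:type[:level]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE  -> "comm perm source_type target_type tclass"
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(avc_field "$1" comm | tr -d '"')" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# suggest_fix LINE  -> command to relabel the symlink itself as etc_t
# (chcon -h changes the link, not its target), or a note that no relabel
# is suggested. Assumes the object is a symlink under /etc, as in the thread.
suggest_fix() {
    sf_class=$(avc_field "$1" tclass)
    sf_name=$(avc_field "$1" name | tr -d '"')
    sf_ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$sf_class" = lnk_file ] && [ "$sf_ttype" != etc_t ]; then
        printf 'chcon -h -t etc_t /etc/%s\n' "$sf_name"
    else
        printf 'no relabel suggested\n'
    fi
}

avc_summary "$AVC1"
suggest_fix "$AVC1"
```

chcon only survives until the next relabel; the persistent form of the same change is a `semanage fcontext -a -t etc_t` rule for the link paths followed by `restorecon` on them. Whether etc_t is in fact the right label for these links is Dan's open question above, not something this thread settles, so verify with `ls -lZ` that rndc's denials disappear before making the rule permanent.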