92312 – Bind does not run chrooted on selinux (+fix)

Bug 92312 - Bind does not run chrooted on selinux (+fix)

Summary: Bind does not run chrooted on selinux (+fix)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	petre rodan (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-05-11 15:57 UTC by Daniel Thaler
Modified:	2005-05-26 03:13 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
modified named.fc (named.fc,2.79 KB, text/plain) 2005-05-11 15:58 UTC, Daniel Thaler	Details
modified named.te (named.te,4.59 KB, text/plain) 2005-05-11 15:59 UTC, Daniel Thaler	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Thaler 2005-05-11 15:57:53 UTC

The selinux policy for bind does not define any labels for the chroot dir and bind also wants cap_dac_read_search when chrooting.

I'm attaching my modified named.fc and named.te files
Note that I've hardcoded my chroot dir (/var/chroot/dns) in named.fc

Comment 1 Daniel Thaler 2005-05-11 15:58:37 UTC

Created attachment 58703 [details]
modified named.fc

Comment 2 Daniel Thaler 2005-05-11 15:59:04 UTC

Created attachment 58704 [details]
modified named.te

Comment 3 petre rodan (RETIRED) gentoo-dev

2005-05-26 03:13:24 UTC

ok, I haven't found any pointers in fhs for proper chroot tree placement, so
/var/chroot/dns is as good as any other location ;)

fix will be available shortly in selinux-bind-20050526

thanks for the bug report