Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 611946

Summary: net-dns/bind chroot issue with SELinux : / gets relabeled to default_t
Product: Gentoo Linux Reporter: jack_mort <jackmort37>
Component: SELinuxAssignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED ---    
Severity: normal CC: alexander, chutzpah, jstein, zlogene
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description jack_mort 2017-03-07 10:40:57 UTC 
Hi,

When I start named in CHROOT environment, / gets automatically relabeled to default_t instead of root_t. Then a flow of AVC denials comes because of wrong type on root filesystem.

Latest policies are installed: 2.20170204-r2

The issue is there since quite some time, and default context seems fine :

gateway files # semanage fcontext -l | grep root_t
/                                                  directory          system_u:object_r:root_t

Maybe the culpit could be this default rule:
gateway files # semanage fcontext -l | grep default_t
/.*                                                all files          system_u:object_r:default_t

Portage 2.3.4 (python 3.5.3-final-0, hardened/linux/amd64/selinux, gcc-5.4.0, glibc-2.23-r3, 4.9.13-hardened x86_64)
=================================================================
System uname: Linux-4.9.13-hardened-x86_64-Intel-R-_Atom-TM-_CPU_C2550_@_2.40GHz-with-gentoo-2.3
KiB Mem:     4015324 total,    566384 free
KiB Swap:   19607548 total,  19607548 free
Timestamp of repository gentoo: Tue, 07 Mar 2017 09:00:01 +0000
sh bash 4.4_p12
ld GNU ld (Gentoo 2.27 p1.0) 2.27
ccache version 3.3.4 [enabled]
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1-r1::gentoo
dev-lang/python:          2.7.13::gentoo, 3.5.3::gentoo
dev-util/ccache:          3.3.4::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.69-r2::gentoo
sys-devel/automake:       1.13.4-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.27::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 Oracle-BCLA-JavaSE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.1/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg ccache clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="fr_FR.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl acpi amd64 audit berkdb bzip2 caps ccache cli cracklib crypt cxx device-mapper fpm geoip gnutls hardened headless headless-awt iconv imap ipv6 jpeg justify ldap libav logrotate maildir multilib mysql mysqli ncurses nls nptl open_perms openmp pam pax_kernel pcre peer_perms php pie png python readline samba seccomp selinux session smp snmp spamassassin spell ssl ssp syslog tcpd threads truetype ubac unconfined unicode urandom usb xattr xml xtpax zlib" ABI_X86="32 64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="fr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="fr" NGINX_MODULES_HTTP="access auth_basic autoindex browser cache_purge charset dav dav_ext empty_gif fastcgi geo gzip headers_more limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_hash upstream_ip_hash upstream_keepalive upstream_least_conn upstream_zone userid uwsgi" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-1" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.5"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Alexander Wetzel 2017-04-29 08:34:47 UTC 
That sounds very familiar! 
(I all but forgot the issue till now.)

Can you check out the patch provided in Bug 601510 and test, if that solves the issue? I'm sure your problem is a subset of the issues I reported in 601510 and we can merge the tickets. 

You also should be able to observe the other issues reported in the other ticket: Not be able to stop the bind service via the init script.
Comment 2 jack_mort 2017-05-03 15:39:28 UTC 
Thanks for pointing me to the other bug.
I saw the bug before opening mine, but I thought it was not retated to my issue.
After editing the init script, root context is not switched to default_t anymore !
I'll also add a comment on bug 601510 because your hack for stopping named daemon is not working for me.