rndc and chroot

Paul Howarth paul at city-fan.org
Wed May 10 14:34:15 UTC 2006


It appears that rndc and chroot named don't mix nicely.

I got these denials:

May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: 
denied  { read } for  pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 
ino=381773 scontext=root:system_r:ndc_t:s0 
tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file

May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: 
denied  { read } for  pid=19767 comm="rndc" name="rndc.key" dev=dm-0 
ino=381783 scontext=root:system_r:ndc_t:s0 
tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file

because rndc isn't allowed to follow symlinks into the chroot named 
environment:

$ ls -lZ /etc/rndc.*
lrwxrwxrwx  root     named    system_u:object_r:named_conf_t 
/etc/rndc.conf -> /var/named/chroot//etc/rndc.conf
lrwxrwxrwx  root     named    system_u:object_r:dnssec_t 
/etc/rndc.key -> /var/named/chroot/etc/rndc.key

$ ls -lZL /etc/rndc.*
-rw-r-----  root     named    system_u:object_r:named_conf_t 
/etc/rndc.conf
-rw-r-----  root     named    system_u:object_r:dnssec_t       /etc/rndc.key

I think ndc_t should be able to follow these links.

Paul.
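The two denials above are the kind of thing a practitioner feeds to audit2allow to see what policy change a report like this is actually asking for. The following is an added example, not code from the post or from the SELinux tools: a small parser for AVC denial lines that collapses them into the minimal `allow` rules that would cover them, and that separates `lnk_file` denials (refused on the symlink itself) from denials on the file the link points at. The two sample lines are copied from the post; the `parse_avc`, `allow_rules` and `symlink_denials` function names are this example's own.

```python
import re
from collections import OrderedDict

# The two AVC lines from the post, each joined back into a single string
# (the mail archive wrapped them).
SAMPLE_AVC_LINES = [
    'May 10 15:07:08 goalkeeper kernel: audit(1147270028.236:15088): avc: '
    'denied  { read } for  pid=19767 comm="rndc" name="rndc.conf" dev=dm-0 '
    'ino=381773 scontext=root:system_r:ndc_t:s0 '
    'tcontext=system_u:object_r:named_conf_t:s0 tclass=lnk_file',
    'May 10 15:07:08 goalkeeper kernel: audit(1147270028.272:15089): avc: '
    'denied  { read } for  pid=19767 comm="rndc" name="rndc.key" dev=dm-0 '
    'ino=381783 scontext=root:system_r:ndc_t:s0 '
    'tcontext=system_u:object_r:dnssec_t:s0 tclass=lnk_file',
]

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*?)\s*$'
)
# key=value pairs; values may be double-quoted (comm="rndc", name="rndc.conf").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    rec = {'perms': set(m.group('perms').split())}
    # Contexts are user:role:type:level; the type (third field) is what
    # allow rules are written in terms of.
    rec['source_type'] = fields['scontext'].split(':')[2]
    rec['target_type'] = fields['tcontext'].split(':')[2]
    rec['tclass'] = fields['tclass']
    rec['comm'] = fields.get('comm')
    rec['name'] = fields.get('name')
    return rec


def allow_rules(lines):
    """Collapse denials into the allow rules that would cover them, merged on
    (source type, target type, object class), in first-seen order. This is
    the same shape audit2allow prints; it is not audit2allow itself."""
    merged = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in merged.items()
    ]


def symlink_denials(lines):
    """Denials whose object class is lnk_file: the process was refused read
    on the symlink, so it never reached the file behind it. Such denials say
    nothing about whether access to the target file itself would be allowed."""
    return [r for r in map(parse_avc, lines) if r and r['tclass'] == 'lnk_file']


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC_LINES):
        print(rule)
    for rec in symlink_denials(SAMPLE_AVC_LINES):
        print('symlink denial: %s on %s' % (rec['comm'], rec['name']))
```

Run on the post's two lines this yields `allow ndc_t named_conf_t:lnk_file { read };` and `allow ndc_t dnssec_t:lnk_file { read };`, which is exactly the permission the post argues `ndc_t` should have. Both are `lnk_file` denials, so once the links can be followed the file contexts (`named_conf_t`, `dnssec_t` on the real files under the chroot) still decide whether the read of the target succeeds; that is a separate check, not covered by these two rules.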