I recently configured a chrooted BIND9 slave on RHEL6.4 64-bit with SELinux enabled. With SELinux enforcing, the named daemon failed to start; this was easy to confirm by disabling SELinux and starting it again, which succeeded. So I needed to create a SELinux policy for my chrooted named daemon.
The first problem was finding audit2allow. On RHEL it comes bundled with the SELinux policy core Python utilities, which I discovered by running:
[root@foo mrfoo]# yum provides /usr/sbin/semanage
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms
rhel-6-server-rhev-agent-rpms
rhel-6-server-rpms
rhel-6-server-rpms/primary_db
policycoreutils-python-2.0.83-19.8.el6_0.x86_64 : SELinux policy core python utilities
Repo        : rhel-6-server-rpms
Matched from:
Filename    : /usr/sbin/semanage
------------ SNIP -----------------
If you need to get it:
[root@foo mrfoo]# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64
Temporarily set SELinux to permissive mode (this will not survive a reboot):
[root@foo ~]# echo 0 > /selinux/enforce
Check the SELinux status:
[root@foo mrfoo]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
OK, we are good here. What we are going to do is keep the host running in permissive mode for a period of time: SELinux will log the denials it would have enforced to /var/log/audit/audit.log instead of blocking them, and we then use the information in audit.log to build a new SELinux policy module, a sort of learning mode if you like.
Now, for my chrooted named issue I had a crap load of errors logged in audit.log:
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" dev=dm-1 ino=104060 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0
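Before feeding denials like these to audit2allow it is worth seeing, per source domain, target type, object class and permission, exactly what the generated rules would grant. The script below is an added example and not part of the original post; the audit lines in it are constructed, modelled on the output above, and the httpd_t line is a deliberate unrelated denial whose file name happens to contain "named".

```shell
#!/bin/sh
# Added example (not from the original post): summarise AVC denials from an
# audit.log so the rules audit2allow would emit can be reviewed first.
# Constructed sample lines modelled on the post's output. The last line is an
# unrelated httpd_t denial that a plain "grep named" would also match.
AVC_SAMPLE='type=AVC msg=audit(1378217553.839:23401): avc: denied { write } for pid=1999 comm="named" name="named" dev=dm-1 ino=104021 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { add_name } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1378217553.839:23401): avc: denied { create } for pid=1999 comm="named" name="tmp-wUrDUuYDBq" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1378217554.001:23402): avc: denied { read } for pid=2345 comm="httpd" name="named.conf" dev=dm-1 ino=104099 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file'

# summarise_avc: read AVC lines on stdin and print one line per distinct
# "count comm source_type target_type class permission" tuple.
summarise_avc() {
    awk '
    /^type=AVC/ && /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; comm = ""
        # the permission list sits between "{" and "}" and may hold several
        if (match($0, /\{[^}]*\}/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        }
        gsub(/^ +| +$/, "", perm)
        n = split(perm, p, " ")
        for (j = 1; j <= n; j++) count[comm " " src " " tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# unexpected_sources: given summarise_avc output on stdin, print source domains
# other than named_t. Anything printed here would end up in the module too.
unexpected_sources() {
    awk '$3 != "named_t" { print $3 }' | sort -u
}

printf '%s\n' "$AVC_SAMPLE" | summarise_avc
```

Run it against the real file with `summarise_avc < /var/log/audit/audit.log`; if `unexpected_sources` prints anything, narrow the selection (for example with `ausearch -m avc -c named`) before generating the module.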
You can also use this command to search the audit logs for named denials:
[root@foo audit]# ausearch -m avc -c named
So, let's grep some of that log to create the basis for our new SELinux policy:
[root@foo audit]# grep named audit.log |audit2allow -m named > named.te
Now build the policy module from the same log:
[root@foo audit]# grep named audit.log |audit2allow -M namedchroot
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i namedchroot.pp
Now load the module and make it active, just as it suggests:
semodule -i namedchroot.pp
Check it is loaded:
[root@foo audit]# semodule -l namedchroot
namedchroot     1.0
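audit2allow turns every denial it is given into an allow rule, and `grep named audit.log` matches any line containing the string "named", so the .te it writes deserves a look before `semodule -i`. The script below is an added example, not the post's own commands or a tool from the policycoreutils package: it reviews a generated .te against an expected source domain and target-type list, and wraps the post's build-and-load steps so the load only happens when the review passes. The two .te files are constructed for the example; the expected target list (`named_zone_t` only) is an assumption to extend with whatever types your real denials show.

```shell
#!/bin/sh
# Added example (not from the original post): review the .te that audit2allow
# generated before loading it with semodule.

# review_te FILE SRC "T1 T2 ...": print every allow rule whose source domain is
# not SRC or whose target type is not in the list; exit 1 if any was printed.
review_te() {
    awk -v src="$2" -v ok="$3" '
    BEGIN { bad = 0; n = split(ok, t, " "); for (i = 1; i <= n; i++) allowed[t[i]] = 1 }
    /^allow / {
        split($3, tc, ":")                  # $3 is "target_type:class"
        if ($2 != src || !(tc[1] in allowed)) { print; bad = 1 }
    }
    END { exit bad }' "$1"
}

# Constructed sample .te files in the shape audit2allow -M writes them.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN_TE="$WORK/clean.te"
DIRTY_TE="$WORK/dirty.te"
cat > "$CLEAN_TE" <<'EOF'
module namedchroot 1.0;

require {
    type named_t;
    type named_zone_t;
    class dir { write add_name };
    class file { create write };
}

#============= named_t ==============
allow named_t named_zone_t:dir { write add_name };
allow named_t named_zone_t:file { create write };
EOF
# Same module plus one rule that an over-broad grep pulled in from another
# domain (require block not extended; this file is only read by review_te).
{ cat "$CLEAN_TE"; echo 'allow httpd_t named_conf_t:file read;'; } > "$DIRTY_TE"

# build_and_load: the post's procedure with the review step in between.
# Only runs when invoked as:  sh review_te.sh run
build_and_load() {
    ausearch -m avc -c named | audit2allow -M namedchroot || return 1
    if ! review_te namedchroot.te named_t "named_zone_t"; then
        echo "namedchroot.te grants more than expected; edit it and rebuild before loading" >&2
        return 1
    fi
    semodule -i namedchroot.pp && semodule -l | grep namedchroot
}

if [ "${1:-}" = "run" ]; then
    build_and_load
else
    review_te "$DIRTY_TE" named_t "named_zone_t" || echo "dirty.te flagged (expected)"
fi
```

Before writing a custom module at all, `audit2allow -w` (the audit2why mode) over the same denials reports whether an existing boolean would already cover them, which is a smaller change to carry than a site-specific policy module.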
Reboot and then do a few checks:
- The named daemon started without errors
- The audit.log is clear of new denials for named
- BIND is working: zone transfers complete, records are served, and the like
