[Bug 1228372] selinux denied named access to /var/lib/named/log/dnsquery.log

https://bugzilla.suse.com/show_bug.cgi?id=1228372
https://bugzilla.suse.com/show_bug.cgi?id=1228372#c6

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
What you did already looks quite good. I could get a chroot config to run with

chcon --reference=/etc/named.conf /var/lib/named/etc/named.conf
chown named:named /var/lib/named/var/lib/named
chcon -t named_zone_t /var/lib/named/var/lib/named
semanage boolean -m --on named_write_master_zones
mkdir -p etc/crypto-policies/back-ends
cp /etc/crypto-policies/back-ends/bind.config etc/crypto-policies/back-ends
chcon -t named_conf_t etc/crypto-policies/back-ends/bind.config
chown root:named var/run/named
chcon -t named_var_run_t var/run/named
chmod --reference=/var/run/named var/run/named/
chmod --reference=dyn var/lib/named/dyn
chcon --reference=dyn var/lib/named/dyn
chown --reference dyn var/lib/named/dyn/
chcon -t named_cache_t var/lib/named/dyn

After that my basic config starts without AVCs. We'll need to adjust the
labeling rules for the non-chroot case. And I'll talk to the maintainer if the
chroot setting is still supported.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
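
Added example, not part of the original mail or of any SUSE tooling: a small label audit that checks the chroot paths against the types set with chcon -t in comment #6. It assumes the chroot root is /var/lib/named and that the relative paths in the comment are relative to it; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types in the named chroot against comment #6.
# Assumption: the chroot root is /var/lib/named (relative paths hang off it).

# Expected type per chroot-relative path, from the "chcon -t" commands.
expected_type() {
    case "$1" in
        var/lib/named)                             echo named_zone_t ;;
        etc/crypto-policies/back-ends/bind.config) echo named_conf_t ;;
        var/run/named)                             echo named_var_run_t ;;
        var/lib/named/dyn)                         echo named_cache_t ;;
    esac
}

# A context is user:role:type:range. The range may contain colons itself
# (e.g. s0:c0.c1023), so take the third field, never the last one.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reads "<context> <path>" lines on stdin, prints one line per mismatch and
# returns non-zero if any audited path carries a different type.
audit_labels() {
    root=$1
    rc=0
    while read -r ctx path; do
        rel=${path#"$root"/}      # make the path chroot-relative
        rel=${rel%/}              # tolerate a trailing slash
        want=$(expected_type "$rel")
        [ -n "$want" ] || continue   # path not covered by the comment
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: have $have, want $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, not real output: the last entry kept a generic label.
sample_listing() {
    cat <<'EOF'
system_u:object_r:named_zone_t:s0 /var/lib/named/var/lib/named
system_u:object_r:named_conf_t:s0 /var/lib/named/etc/crypto-policies/back-ends/bind.config
system_u:object_r:named_var_run_t:s0 /var/lib/named/var/run/named
unconfined_u:object_r:var_lib_t:s0:c0.c1023 /var/lib/named/var/lib/named/dyn
EOF
}

sample_listing | audit_labels /var/lib/named || echo "relabel needed"
```

On a real system the same lines can come from ls -dZ on the four paths instead of sample_listing.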