Bug 1221677

Summary: named open_socket permission denied
Product: [Fedora] Fedora Reporter: Morten Stevens <mstevens>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: dominick.grift, dwalsh, lvrabec, mgrepl, mstevens, vmojzis
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 09:11:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Morten Stevens 2015-05-14 14:20:45 UTC 
Description of problem:

The bug is similar to: https://bugzilla.redhat.com/show_bug.cgi?id=1103439

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-126.fc22.noarch
bind-9.10.2-1.fc22.x86_64
kernel-4.0.2-300.fc22.x86_64

Actual results:

May 14 01:47:17 proxy named[1253]: dispatch 0x7f1bec382f60: open_socket(0.0.0.0#8554) -> permission denied: continuing
May 14 02:21:33 proxy named[1252]: dispatch 0x7fdf38091150: open_socket(0.0.0.0#8554) -> permission denied: continuing
May 14 03:01:26 proxy named[1252]: dispatch 0x7fdf3837d360: open_socket(::#5546) -> permission denied: continuing
May 14 03:23:33 proxy named[1252]: dispatch 0x7fdf38092ff0: open_socket(0.0.0.0#4444) -> permission denied: continuing
May 14 03:48:51 proxy named[1252]: dispatch 0x7fdf38091150: open_socket(0.0.0.0#4444) -> permission denied: continuing
May 14 04:11:08 proxy named[1252]: dispatch 0x7fdf38091150: open_socket(0.0.0.0#8554) -> permission denied: continuing
May 14 05:22:34 proxy named[1252]: dispatch 0x7fdf38093610: open_socket(0.0.0.0#4444) -> permission denied: continuing
May 14 05:31:47 proxy named[1252]: dispatch 0x7fdf38046b70: open_socket(0.0.0.0#5546) -> permission denied: continuing
May 14 06:12:00 proxy named[1252]: dispatch 0x7fdf38045f30: open_socket(0.0.0.0#5546) -> permission denied: continuing
May 14 09:41:31 proxy named[1252]: dispatch 0x7fdf38046b70: open_socket(0.0.0.0#4444) -> permission denied: continuing
May 14 09:44:17 proxy named[1252]: dispatch 0x7fdf38091770: open_socket(0.0.0.0#5546) -> permission denied: continuing
May 14 10:18:31 proxy named[1252]: dispatch 0x7fdf3837aea0: open_socket(::#4444) -> permission denied: continuing
May 14 10:25:13 proxy named[1252]: dispatch 0x7fdf38046b70: open_socket(0.0.0.0#5546) -> permission denied: continuing
May 14 11:22:07 proxy named[1252]: dispatch 0x7fdf38385a20: open_socket(0.0.0.0#5546) -> permission denied: continuing
May 14 11:52:40 proxy named[1252]: dispatch 0x7fdf38092ff0: open_socket(0.0.0.0#4444) -> permission denied: continuing
May 14 12:12:39 proxy named[1252]: dispatch 0x7fdf383847c0: open_socket(0.0.0.0#8554) -> permission denied: continuing
May 14 12:58:47 proxy named[1252]: dispatch 0x7fdf383847c0: open_socket(0.0.0.0#8554) -> permission denied: continuing
May 14 13:50:03 proxy named[1252]: dispatch 0x7fdf38380460: open_socket(::#5546) -> permission denied: continuing
May 14 14:57:24 proxy named[1252]: dispatch 0x7fdf38092ff0: open_socket(0.0.0.0#4444) -> permission denied: continuing

Expected results:

no permission denied warning
Comment 1 Miroslav Grepl 2015-05-18 07:52:05 UTC 
Morten,
what AVC are you getting?
Comment 2 Morten Stevens 2015-05-18 11:44:45 UTC 
(In reply to Miroslav Grepl from comment #1)
> Morten,
> what AVC are you getting?

Hi Miroslav,

After enabling silent denials (semodule -DB):

May 18 13:15:41 proxy audit: <audit-1400> avc:  denied  { name_bind } for  pid=1256 comm="named" src=5546 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=0
May 18 13:15:41 proxy named[1252]: dispatch 0x7f1b9000f4a0: open_socket(0.0.0.0#5546) -> permission denied: continuing
Comment 3 Vit Mojzis 2015-11-19 09:11:43 UTC 

*** This bug has been marked as a duplicate of bug 1272835 ***