Bug 1293140

Summary: SELinux policy changes to make NSD4 work
Product: Red Hat Enterprise Linux 7
Reporter: Fabio Alessandro Locati <fale>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.2
CC: d.e.smorgrav, fkooman, kupo, lvrabec, mgrepl, mmalik, plautrba, pvrabec, pwouters, rpiddapa, ssekidde, tis
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-69.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-11-04 02:26:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1311294
Attachments:
Patch to add necessary changes for nsd-4.x (flags: none)

Description Fabio Alessandro Locati 2015-12-20 16:02:08 UTC
Description of problem:
NSD4 (http://koji.fedoraproject.org/koji/buildinfo?buildID=706713) requires some changes to selinux-policy.

To make NSD4 work properly, I've executed the following commands:


chcon -t nsd_exec_t /sbin/nsd-checkconf
chcon -t nsd_exec_t /sbin/nsd-checkzone
chcon -t nsd_exec_t /sbin/nsd-control  
chcon -t nsd_exec_t /sbin/nsd-control-setup


and created (thanks to audit2policy) the following policy:


module mypol 1.0;

require {
	type tmp_t;
	type nsd_t;
	class capability net_admin;
	class dir { write create add_name };
	class file { write create open };
}

#============= nsd_t ==============
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };


With those changes, it works.

Comment 2 Tuomo Soini 2015-12-27 09:33:51 UTC
These AVCs you list are not all because of nsd4 package problems (nsd-control not enabled).

For nsd-control I added the following:

b/policy/modules/kernel/corenetwork.te.in

 network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
+network_port(nsd_control, tcp,8952,s0)
 network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
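Review bot: the added network_port(nsd_control, tcp,8952,s0) line only declares the port type; nothing in this hunk lets nsd_t bind that port or lets the nsd-control client connect to it, so the nsd.te side (calls to the corenet_tcp_bind_nsd_control_port() and corenet_tcp_connect_nsd_control_port() interfaces that network_port() generates) has to ship with it, presumably in the attached patch. As pasted, the fragment also lacks the "--- a/" half of the file header and the "@@" hunk header, so it will not apply with patch(1) and is readable only as a description of the change.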

Comment 3 Tuomo Soini 2015-12-27 09:36:56 UTC
Created attachment 1109788 [details]
Patch to add necessary changes for nsd-4.x

Comment 4 Fabio Alessandro Locati 2015-12-27 10:21:30 UTC
I can confirm it. I patched it just two days ago to enable the nsd_control port.

Comment 5 Fabio Alessandro Locati 2015-12-27 10:23:35 UTC
PS: Probably all .zone files in /etc/nsd should be considered zone files.

Comment 6 Tuomo Soini 2016-01-04 17:04:24 UTC
Did my patch and the copy-pasted corenetwork.te.in change include everything necessary for adding nsd-4.x support?

Comment 7 Milos Malik 2016-01-29 07:12:13 UTC
The following lines are present in the /etc/nsd/nsd.conf file:

	# log messages to file. Default to stderr and syslog (with
	# logfile: "/var/log/nsd.log"
	# statistics are produced every number of seconds. Prints to log.
	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

After uncommenting the "logfile:" line, the automated TC triggers yet another SELinux denial in enforcing mode:
----
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=1 name=/var/log/nsd.log objtype=CREATE 
type=PATH msg=audit(01/29/2016 08:04:25.419:215) : item=0 name=/var/log/ inode=16777373 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT 
type=CWD msg=audit(01/29/2016 08:04:25.419:215) :  cwd=/etc/nsd 
type=SYSCALL msg=audit(01/29/2016 08:04:25.419:215) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f8a132985c8 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=2 ppid=1 pid=13538 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=nsd exe=/usr/sbin/nsd subj=system_u:system_r:nsd_t:s0 key=(null) 
type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc:  denied  { write } for  pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir 
----

It happens because selinux-policy does not define a type for nsd log files:

# seinfo -t | grep ' nsd'
   nsd_var_run_t
   nsd_exec_t
   nsd_zone_t
   nsd_crond_t
   nsd_conf_t
   nsd_t
# semanage fcontext -l | grep log/nsd
#

Comment 8 Milos Malik 2016-01-29 07:15:38 UTC
SELinux denials caught in permissive mode when repeating what's described in comment#7:
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:275): item=1 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=CREATE
type=PATH msg=audit(1454051559.334:275): item=0 name="/var/log/" inode=16777373 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(1454051559.334:275):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:275): arch=c000003e syscall=2 success=yes exit=3 a0=7f94005105c8 a1=441 a2=1b6 a3=24 items=2 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:275): avc:  denied  { open } for  pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { create } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1454051559.334:275): avc:  denied  { add_name } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1454051559.334:275): avc:  denied  { write } for  pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Fri Jan 29 08:12:39 2016
type=PATH msg=audit(1454051559.334:276): item=0 name="/var/log/nsd.log" inode=18361660 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=CWD msg=audit(1454051559.334:276):  cwd="/etc/nsd"
type=SYSCALL msg=audit(1454051559.334:276): arch=c000003e syscall=92 success=yes exit=0 a0=7f94005105c8 a1=383 a2=376 a3=1 items=1 ppid=1 pid=27604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nsd" exe="/usr/sbin/nsd" subj=system_u:system_r:nsd_t:s0 key=(null)
type=AVC msg=audit(1454051559.334:276): avc:  denied  { setattr } for  pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
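The denials in comments 7 and 8 are the input a policy writer (or audit2allow) turns into allow rules, and the description's audit2allow output shows what comes out when that is done mechanically: rules against the shared tmp_t type. As an added example that is not part of this bug report or of selinux-policy, the following Python reproduces that summarisation step over the AVC lines quoted above and adds the check a reviewer wants before such rules are merged: which target types are generic ones (tmp_t, var_log_t, ...) that a proper fix would replace with a private type plus a type transition, which is exactly the gap Milos points at (no type for nsd log files). The GENERIC_TYPES set and the broad_targets() heuristic are mine, and the final tmp_t line in the sample is constructed for the example, as marked in the code.

```python
"""Summarise SELinux AVC denials into allow rules and flag generic targets.

Added example for this bug's discussion; not code from the bug report or
from selinux-policy.  The AVC record format is the one shown in comments
7 (ausearch -i, interpreted) and 8 (raw audit.log); both carry the same
scontext/tcontext/tclass fields.
"""
import re
from collections import defaultdict

# Records as quoted in the bug, plus one CONSTRUCTED tmp_t denial (last entry,
# not from the bug) mirroring the tmp_t allow rule in the original description.
# A non-AVC record is kept on purpose so the parser has to skip it.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(01/29/2016 08:04:25.419:215) : avc:  denied  { write } for  pid=13538 comm=nsd name=log dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=CWD msg=audit(1454051559.334:275):  cwd="/etc/nsd"',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { open } for  pid=27604 comm="nsd" path="/var/log/nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { create } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { add_name } for  pid=27604 comm="nsd" name="nsd.log" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1454051559.334:275): avc:  denied  { write } for  pid=27604 comm="nsd" name="log" dev="vda2" ino=16777373 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1454051559.334:276): avc:  denied  { setattr } for  pid=27604 comm="nsd" name="nsd.log" dev="vda2" ino=18361660 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    # CONSTRUCTED for this example, not taken from the bug:
    'type=AVC msg=audit(1450000000.000:10): avc:  denied  { write add_name } for  pid=100 comm="nsd" name="tmp" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
]

# Permission set between the braces, then the three context fields; the
# non-greedy ".*?" skips pid/comm/name/path, which vary per record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Shared, non-private types (heuristic list chosen for this example).  An
# allow rule against one of these reaches every object of that type, not
# just the daemon's own files.
GENERIC_TYPES = {"tmp_t", "var_log_t", "var_run_t", "etc_t", "var_t"}


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC record."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH/CWD/SYSCALL records carry no denial
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
               frozenset(m["perms"].split()))


def summarize(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def to_allow_rules(merged):
    """Render the merged table as .te allow rules, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def broad_targets(merged):
    """Generic target types among the rules: candidates for a private type instead."""
    return sorted({ttype for (_, ttype, _) in merged if ttype in GENERIC_TYPES})


if __name__ == "__main__":
    table = summarize(SAMPLE_AUDIT_LINES)
    for rule in to_allow_rules(table):
        print(rule)
    print("generic target types, review before merging:", broad_targets(table))
```

Run as a script it prints the three merged rules and lists tmp_t and var_log_t as generic targets. That list is the point: an allow on var_log_t would let nsd_t write any file labelled var_log_t, not just /var/log/nsd.log, whereas the policy-side fix is a private type for the daemon's log (and tmp) files created through a type transition (refpolicy's logging_log_filetrans()/files_tmp_filetrans() interfaces), which is why the audit2allow output in the description is a diagnosis rather than the patch to merge.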

Comment 9 Tuomo Soini 2016-01-29 07:42:48 UTC
As usual, not all combinations were tested. I don't use logging to a file, so I haven't hit that one. My fixes were to get nsd-4.x working with the out-of-the-box config.

Comment 10 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment 11 Dag-Erling Smørgrav 2016-04-07 09:18:49 UTC
The new package does not seem to be available on RHN yet.  When will it be published?  Until then, is there any way to download and install it manually?

Comment 15 Miroslav Grepl 2016-04-28 14:13:13 UTC
*** Bug 1302951 has been marked as a duplicate of this bug. ***

Comment 16 Dag-Erling Smørgrav 2016-09-27 14:27:08 UTC
Still waiting for word on when I can expect this fix to be published.  My RHEL7 systems have 3.13.1-60.9, with no mention of this bug in the changelog.

Comment 17 Milos Malik 2016-09-27 17:00:48 UTC
Your systems most likely have selinux-policy-3.13.1-60.el7_2.9 but the fix is present in selinux-policy-3.13.1-69.el7 which will be part of RHEL-7.3.

Comment 19 errata-xmlrpc 2016-11-04 02:26:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html