Bug 239248

Summary: selinux denial on /dev/random
Product: Fedora
Component: bind
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: medium
Reporter: Andrew Bartlett <abartlet>
Assignee: Adam Tkac <atkac>
QA Contact: Ben Levenson <benl>
CC: ovasik
Fixed In Version: 9.3.4-5.fc6
Doc Type: Bug Fix
Last Closed: 2007-05-22 16:07:47 UTC

Description Andrew Bartlett 2007-05-06 23:51:42 UTC
Description of problem:
sudo /sbin/service named restart causes an selinux denial on /dev/random

Version-Release number of selected component (if applicable):
bind-9.4.0-6.fc7

How reproducible: every time (fail to start on restart only)

with NetworkManager running, and the system connected with dhcp, with also local
zone files (for my vmware network)

There may be 2 unrelated bugs here, I'll separate the NetworkManager issues if
that is your advice.

Steps to Reproduce:
1. sudo /sbin/service named start
2. sudo /sbin/service named restart
Actual results:
SELinux warnings (note that SELinux is not enforcing on this box, so this should
not have prevented the start) and
Starting named:                                            [FAILED]


Expected results:
Starting named:                                            [  OK  ]


Additional info:

selinux denial:

type=AVC msg=audit(1178494085.489:49): avc:  denied  { getattr } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1178494085.489:49): arch=40000003 syscall=195 success=yes exit=0 a0=b7f54068 a1=b7f4d0c8 a2=ce1ff4 a3=3 items=0 ppid=4892 pid=4894 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named" subj=user_u:system_r:named_t:s0 key=(null)
type=AVC_PATH msg=audit(1178494085.489:49):  path="/dev/random"
type=AVC msg=audit(1178494085.489:50): avc:  denied  { read } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1178494085.489:50): arch=40000003 syscall=5 success=yes exit=9 a0=b7f54068 a1=800 a2=0 a3=b7f4e258 items=0 ppid=4892 pid=4894 auid=500 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) comm="named" exe="/usr/sbin/named" subj=user_u:system_r:named_t:s0 key=(null)

log messages:

May  7 09:49:08 localhost named[6389]: binding TCP socket: address in use
May  7 09:49:08 localhost named[6389]: command channel listening on 127.0.0.1#953
May  7 09:49:08 localhost named[6389]: zone 0.in-addr.arpa/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
May  7 09:49:08 localhost named[6389]: zone 255.in-addr.arpa/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
May  7 09:49:08 localhost named[6389]: zone localdomain/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone localhost/IN: loaded serial 42
May  7 09:49:08 localhost named[6389]: zone fedora-ds.abartlet.net/IN: loaded serial 2007042413
May  7 09:49:08 localhost named[6389]: zone ruth.abartlet.net/IN: loaded serial 2007042200
May  7 09:49:08 localhost named[6389]: zone samba4.abartlet.net/IN: loaded serial 2007020100
May  7 09:49:08 localhost named[6389]: zone ruth.abartlet.net/IN: sending notifies (serial 2007042200)
May  7 09:49:08 localhost named[6389]: zone samba4.abartlet.net/IN: sending notifies (serial 2007020100)
May  7 09:49:08 localhost named[6389]: zone fedora-ds.abartlet.net/IN: sending notifies (serial 2007042413)
May  7 09:49:08 localhost NetworkManager: <WARN>  add_ip4_config_to_named(): Could not set forwarders for zone '.'.  Error: 'Message did not receive a reply (timeout by message bus)'.
May  7 09:28:07 localhost setroubleshoot:      SELinux is preventing /usr/sbin/named (named_t) "getattr" to /dev/random (named_conf_t).      For complete SELinux messages. run sealert -l fdc4b1e1-ecec-4a45-a2dc-04382a81b540
May  7 09:28:07 localhost setroubleshoot:      SELinux is preventing /usr/sbin/named (named_t) "read" to random (named_conf_t).      For complete SELinux messages. run sealert -l 946dc144-a5b9-416e-b7cf-a4305746d234

Comment 1 Adam Tkac 2007-05-07 17:02:01 UTC
Looks like your /usr/sbin/named or /dev/random is mislabeled. Try "restorecon
/usr/sbin/named && restorecon /dev/random". On my up2date rawhide box named has
the object_r:named_exec_t context instead of your user_u:system_r:named_t. Also
attach the output from "ls -Z /usr/sbin/named && ls -Z /dev/random".

Regards, Adam

Comment 2 Andrew Bartlett 2007-05-16 00:54:54 UTC
Firstly, the NetworkManager issues seem unrelated and resolved, so that was a
red herring.

On the SELinux issue, the issue remains identical.  I have restored the context
on both /dev/random and /usr/sbin/named.

Comment 3 Daniel Walsh 2007-05-21 17:19:00 UTC
Is this /dev/random or /var/named/chroot/dev/random?

Looks like the labeling got screwed up somehow.

grep random /etc/selinux/targeted/contexts/files/file_contexts
/dev/hwrng      -c      system_u:object_r:random_device_t:s0
/dev/random     -c      system_u:object_r:random_device_t:s0
/dev/urandom    -c      system_u:object_r:urandom_device_t:s0
/dev/hw_random  -c      system_u:object_r:random_device_t:s0
/var/run/random-seed    --      system_u:object_r:initrc_var_run_t:s0
/var/named/chroot/dev/random    -c      system_u:object_r:random_device_t:s0

Should be random_device_t.


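The check Dan is doing by hand above (read the AVC, find the object's path, compare its actual type with what file_contexts says it should carry) can be scripted for triage. The following is an added example written for this page, not code from the bug report, from bind or from selinux-policy. It embeds, as constructed sample input, the two AVC records from the description re-joined onto single lines (the SYSCALL records are omitted because the check does not need them), and takes its expected labels from the file_contexts grep in comment 3. The function names (`parse_audit`, `triage`, `fix_commands`, `expected_types`) are my own. It also covers the case the thread stumbles over: the second AVC has no AVC_PATH record, so "random" could be /dev/random or /var/named/chroot/dev/random, and the script reports that ambiguity instead of guessing.

```python
"""Triage SELinux AVC denials: mislabeled object, or genuine policy gap?

Added example for this bug page (not from bind or selinux-policy). For each
denial it pairs the AVC record with its AVC_PATH record (same audit serial),
then compares the object's actual type (tcontext) with the type file_contexts
assigns to that path. A mismatch means `restorecon`, not a policy change.
"""
import re

# Expected labels, copied from the file_contexts grep in comment 3. Real
# file_contexts entries are regexes matched against the whole path; these
# particular entries are literal paths, so fullmatch works unchanged.
FILE_CONTEXTS = [
    (r"/dev/hwrng", "random_device_t"),
    (r"/dev/random", "random_device_t"),
    (r"/dev/urandom", "urandom_device_t"),
    (r"/dev/hw_random", "random_device_t"),
    (r"/var/run/random-seed", "initrc_var_run_t"),
    (r"/var/named/chroot/dev/random", "random_device_t"),
]

# Constructed sample: the bug's two AVC records, each re-joined onto one line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1178494085.489:49): avc:  denied  { getattr } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1178494085.489:49):  path="/dev/random"
type=AVC msg=audit(1178494085.489:50): avc:  denied  { read } for  pid=4894 comm="named" name="random" dev=dm-0 ino=2293802 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+.*?name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+path="(?P<path>[^"]+)"'
)


def ctx_type(context):
    """Pull the type out of a user:role:type[:range] security context."""
    return context.split(":")[2]


def expected_types(path=None, name=None):
    """Map candidate path -> expected type. With a full path this is at most one
    entry; with only the object name (no AVC_PATH record) every entry whose
    basename matches is a candidate, which is exactly the /dev vs chroot question."""
    hits = {}
    for pattern, typ in FILE_CONTEXTS:
        if path is not None:
            if re.fullmatch(pattern, path):
                hits[path] = typ
        elif name is not None and pattern.rsplit("/", 1)[-1] == name:
            hits[pattern] = typ
    return hits


def parse_audit(text):
    """Group AVC and AVC_PATH records by audit serial number."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        m = AVC_RE.match(line)
        if m:
            events.setdefault(m["serial"], {"avcs": [], "path": None})["avcs"].append(m.groupdict())
            continue
        m = PATH_RE.match(line)
        if m:
            events.setdefault(m["serial"], {"avcs": [], "path": None})["path"] = m["path"]
    return events


def triage(text):
    """One finding per AVC: 'mislabeled', 'policy', 'ambiguous' or 'unknown path'."""
    findings = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        for avc in ev["avcs"]:
            actual = ctx_type(avc["tcontext"])
            cands = expected_types(path=ev["path"], name=avc["name"])
            if not cands:
                verdict = "unknown path"
            elif len(cands) > 1:
                verdict = "ambiguous"          # need the AVC_PATH record or ls -Z to decide
            elif next(iter(cands.values())) == actual:
                verdict = "policy"             # label is correct; policy lacks the rule
            else:
                verdict = "mislabeled"         # restorecon will fix it
            findings.append({"serial": serial, "perm": avc["perms"].strip(),
                             "source": ctx_type(avc["scontext"]), "actual": actual,
                             "path": ev["path"], "candidates": cands, "verdict": verdict})
    return findings


def fix_commands(findings):
    """Relabel commands for confirmed mislabels only; 'policy' findings need audit2allow work instead."""
    return sorted({f"restorecon -v {f['path']}" for f in findings if f["verdict"] == "mislabeled"})


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"serial {f['serial']}: {f['source']} {f['perm']} on {f['path'] or f['candidates']}"
              f" (actual {f['actual']}) -> {f['verdict']}")
    print("\n".join(fix_commands(triage(SAMPLE_AUDIT))))
```

On the sample, serial 49 comes out as mislabeled (actual named_conf_t, expected random_device_t, so `restorecon -v /dev/random`), and serial 50 as ambiguous because nothing on the page ties it to a path; feed it the AVC_PATH record, or run `ls -Z /dev/random /var/named/chroot/dev/random`, before relabeling. If the verdict were "policy", relabeling would do nothing and the next step would be a local policy module.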
Comment 4 Adam Tkac 2007-05-21 17:42:26 UTC
If you're running bind in a chroot, the bind-chroot-admin script has a bug which
could cause the chroot to be mislabeled. You could upcoming
http://people.redhat.com/atkac/bind/bind-9.3.4-4.5.fc6.src.rpm

Regards, A

Comment 5 Adam Tkac 2007-05-21 17:44:38 UTC
(In reply to comment #4)
> could cause the chroot to be mislabeled. You could upcoming

You could try the upcoming .. :)




Comment 6 Adam Tkac 2007-05-22 16:07:47 UTC
Could be fixed in bind-9.3.4-5.fc6