Bug 249663

Summary: Update of bind causes SElinux avc denied on named, pipe issue
Product: Red Hat Enterprise Linux 4 Reporter: Peter Bieringer <pb>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 4.0CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-26 11:11:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Peter Bieringer 2007-07-26 09:27:23 UTC 
Description of problem:
After upgrading to newest bind version yesterday triggers avc denied messages

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.145
(upgraded to) bind-9.2.4-27.0.1.el4

How reproducible:
After upgrade, detected on 2 systems by logwatch.

Steps to Reproduce:
Probably down and re-upgrade bind version

Actual results:

Jul 25 16:23:41 server kernel: audit(1185373421.023:11): avc:  denied  { read }
for  pid=10357 comm="named" name="[2930654]" dev=pipefs ino=2930654
scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 25 16:23:41 server named[10358]: starting BIND 9.2.4 -u named -t
/var/named/chroot

Expected results:
No such messages

Additional info:
System is running in enforcement mode

# lsof | grep named | grep pipe
named     21248   named    5r     FIFO        0,7             3032409 pipe
named     21248   named    7w     FIFO        0,7             3032409 pipe

Impact: unknown, named looks like working.
Comment 1 Daniel Walsh 2007-07-26 11:11:05 UTC 
These can be ignored.  Usually this is a leaked file descriptor that SELinux is
just closing.  As long as the daemon functions properly.  We will not fix.