Bug 430874

Summary: AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, mcepl, ovasik
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-02-12 14:22:54 UTC

Description Matěj Cepl 2008-01-30 10:47:45 UTC
Description of problem:

SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown>

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that
this access is required by rndc(/usr/sbin/rndc) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  {
node_bind } for  pid=3956 comm="rndc"
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37):
arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0
items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc"
subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:
Happened once, just after relabelling the whole drive.
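
An added triage example (not part of the bug report or of setroubleshoot): it reads the raw audit records quoted above, correlates the AVC record with its SYSCALL record by audit event id, and prints the audit2allow-style rule the denial implies, flagging that the syscall still succeeded because the host was permissive. The AVC record as pasted carries no scontext, so the source type is recovered from the SYSCALL subj field; the sample log is constructed from the report's two records, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit records from this report, one record per line.
AUDIT_LOG = """\
host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  { node_bind } for  pid=3956 comm="rndc" tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0 items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\):(?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{([^}]*)\}")          # the { perm perm ... } set of an AVC line

def parse_events(log):
    """Group audit records by event id so an AVC can be read next to its SYSCALL record."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        if m.group("type") == "AVC":
            fields["denied"] = "denied" in m.group("body")
            fields["perms"] = PERMS_RE.search(m.group("body")).group(1).split()
        events[m.group("id")][m.group("type")] = fields
    return events

def selinux_type(context):
    """user:role:type[:range] -> type (the part a TE allow rule names)."""
    return context.split(":")[2]

def triage(events):
    """Return (event id, allow rule, logged_only) for each denial. The source type comes
    from the AVC scontext, or from the SYSCALL subj when the AVC lacks it (as here).
    success=yes beside a denial means the host was permissive: enforcing would have
    failed the bind() (syscall 49 on x86_64) instead of only logging it."""
    out = []
    for eid, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or not avc["denied"]:
            continue
        syscall = recs.get("SYSCALL", {})
        scontext = avc.get("scontext") or syscall.get("subj")
        if not scontext:
            continue
        rule = "allow %s %s:%s { %s };" % (selinux_type(scontext), selinux_type(avc["tcontext"]),
                                           avc["tclass"], " ".join(avc["perms"]))
        out.append((eid, rule, syscall.get("success") == "yes"))
    return out

if __name__ == "__main__":
    for eid, rule, logged_only in triage(parse_events(AUDIT_LOG)):
        print(eid, rule, "(permissive: logged only)" if logged_only else "(enforced)")
```

The emitted rule is what a local policy module for this denial would contain; whether the gap belongs in a local module or in the distribution policy (as it did here) is the judgement the report asks the package maintainer to make.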

Comment 1 Matěj Cepl 2008-01-30 10:49:30 UTC
(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to
me. It was really permitted due to enforcing mode?

Comment 2 Daniel Walsh 2008-01-31 15:31:51 UTC
Fixed in selinux-policy-3.2.5-23.fc9

Comment 3 Adam Tkac 2008-02-12 14:22:54 UTC
Yes, the problem is fixed now (tested with selinux-policy-targeted-3.2.7-1.fc9).