Bug 507102
| Summary: | SELinux is preventing rndc (ndc_t) "read" security_t. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dave Jones <davej> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 11 | CC: | goeran, joe, pfrields |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-08-25 16:16:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Summary: SELinux is preventing rndc (ndc_t) "read" security_t. Detailed Description: SELinux denied access requested by rndc. It is not expected that this access is required by rndc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:ndc_t:s0 Target Context system_u:object_r:security_t:s0 Target Objects mls [ file ] Source rndc Source Path /usr/sbin/rndc Port <Unknown> Host localhost.localdomain Source RPM Packages bind-9.6.1-0.4.rc1.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-50.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 Alert Count 1 First Seen Sun 21 Jun 2009 02:19:02 PM PDT Last Seen Sun 21 Jun 2009 02:19:02 PM PDT Local ID 9f96050b-072f-4169-a7f8-a4c52d785015 Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1245619142.558:29): avc: denied { read } for pid=2982 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1245619142.558:29): arch=c000003e syscall=2 success=no exit=319668184 a0=7fffc8a24c10 a1=0 a2=7fffc8a24c1c a3=fffffff8 items=0 ppid=2978 pid=2982 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null) You can add these rules now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.6.12-57.fc11 Works fine for me with selinux-policy-3.6.12-78.fc11.noarch (without any local policy). |
node=gelk type=AVC msg=audit(1245532167.562:22): avc: denied { read } for pid=3011 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file node=gelk type=AVC msg=audit(1245532167.562:22): avc: denied { open } for pid=3011 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file node=gelk type=SYSCALL msg=audit(1245532167.562:22): arch=c000003e syscall=2 success=yes exit=3 a0=7fff15b169f0 a1=0 a2=7fff15b169fc a3=fffffff8 items=0 ppid=3008 pid=3011 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:system_r:ndc_t:s0 key=(null)