Bug 896599

Summary: SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.
Product: Fedora
Component: unbound
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 19
Hardware: x86_64
OS: Unspecified
Reporter: Martin <mholec>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: alan.christopher.jenkins, atkac, D8F55524, dominick.grift, dwalsh, mgrepl, pwouters, thozza, tpelka
Whiteboard: abrt_hash:2eb2163127bfdd45f2d83b7ca209ef09f3a026c1d7613c02325e8943709c9428
Fixed In Version: unbound-1.4.21-1.el6
Doc Type: Bug Fix
Last Closed: 2013-04-11 11:55:19 EDT

Description Martin 2013-01-17 10:28:53 EST
Description of problem:
Upgrade from F18 to F19 (Rawhide).
SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound-anchor should be allowed remove_name access on the root.anchor.9143-0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                root.anchor.9143-0 [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64 unbound-libs-1.4.19-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch selinux-policy-3.12.1-4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.11-3.fc18.x86_64 #1 SMP Mon Dec 17 21:35:39 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-17 16:18:33 CET
Last Seen                     2013-01-17 16:18:33 CET
Local ID                      9fa04071-fde5-42cb-ba81-ac3757a36fef

Raw Audit Messages
type=AVC msg=audit(1358435913.592:440): avc:  denied  { remove_name } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=AVC msg=audit(1358435913.592:440): avc:  denied  { rename } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

type=AVC msg=audit(1358435913.592:440): avc:  denied  { unlink } for  pid=9143 comm="unbound-anchor" name="root.anchor" dev="dm-3" ino=541679 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1358435913.592:440): arch=x86_64 syscall=rename success=yes exit=0 a0=7fff679f6d10 a1=e10ea0 a2=e10ea0 a3=7fff679f6a70 items=0 ppid=1 pid=9143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,remove_name

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };

audit2allow -R

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.11-3.fc18.x86_64
type:           libreport
Comment 1 Martin 2013-01-17 10:30:12 EST
Upgrade from F18 to F19 (Rawhide).

Package: (null)
OS Release: Fedora release 19 (Rawhide)
Comment 2 Miroslav Grepl 2013-01-17 17:13:12 EST
*** Bug 896601 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2013-01-17 17:16:28 EST
Could it be moved to /var/lib/unbound?

Basically we label the /etc/unbound dir as named_conf_t, which is a read-only type.
Comment 4 Adam Tkac 2013-01-18 06:57:04 EST
Reassigning to unbound; IIRC this was discussed two weeks ago.
Comment 5 Alan Jenkins 2013-01-28 12:12:25 EST
*** Bug 905147 has been marked as a duplicate of this bug. ***
Comment 6 Alan Jenkins 2013-01-28 12:18:03 EST
This happened to me after an upgrade _to_ F18 (see duplicate above).
Comment 7 Paul Wouters 2013-01-28 14:10:59 EST
We're about to release an update for this.
Comment 8 Seb L. 2013-02-01 10:03:24 EST
Stock unbound won't start with SELinux enabled

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Fedora End Of Life 2013-04-03 15:41:30 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 10 Paul Wouters 2013-04-11 11:55:19 EDT
*** This bug has been marked as a duplicate of bug 891008 ***
Comment 11 Fedora Update System 2013-04-16 12:58:37 EDT
unbound-1.4.20-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.el6
Comment 12 Fedora Update System 2013-04-16 23:04:41 EDT
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
Comment 13 Fedora Update System 2013-04-17 00:24:04 EDT
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
Comment 14 Fedora Update System 2013-04-19 11:01:10 EDT
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
Comment 15 Fedora Update System 2013-06-01 00:07:35 EDT
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
Comment 16 Fedora Update System 2013-06-11 05:07:00 EDT
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2013-09-19 13:17:40 EDT
unbound-1.4.21-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6
Comment 18 Fedora Update System 2013-10-10 14:33:13 EDT
unbound-1.4.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.