Bug 1130510 - SELinux is preventing /usr/sbin/unbound-control from 'read' accesses on the file .
Summary: SELinux is preventing /usr/sbin/unbound-control from 'read' accesses on the f...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:82b2d22f42f8ae0005662ace0d9...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-08-15 12:55 UTC by Moez Roy
Modified: 2014-09-09 22:24 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.12.1-183.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-09-09 22:24:15 UTC

Attachments (Terms of Use)

Description Moez Roy 2014-08-15 12:55:43 UTC
Description of problem:
SELinux is preventing /usr/sbin/unbound-control from 'read' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that unbound-control should be allowed read access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep unbound-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:object_r:dnssec_t:s0
Target Objects                 [ file ]
Source                        unbound-control
Source Path                   /usr/sbin/unbound-control
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-1.4.21-3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.15.9-200.fc20.x86_64 #1 SMP Sat
                              Aug 9 09:02:55 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-08-15 05:29:11 PDT
Last Seen                     2014-08-15 05:29:11 PDT
Local ID                      523afdcd-8009-4cac-8f67-b9689c770e85

Raw Audit Messages
type=AVC msg=audit(1408105751.460:1049): avc:  denied  { read } for  pid=5439 comm="unbound-control" name="unbound_control.key" dev="dm-0" ino=517649 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file

type=AVC msg=audit(1408105751.460:1049): avc:  denied  { open } for  pid=5439 comm="unbound-control" path="/etc/unbound/unbound_control.key" dev="dm-0" ino=517649 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:dnssec_t:s0 tclass=file

type=SYSCALL msg=audit(1408105751.460:1049): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7ff1a9ba68f0 a1=0 a2=1b6 a3=0 items=0 ppid=5436 pid=5439 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unbound-control exe=/usr/sbin/unbound-control subj=system_u:system_r:initrc_t:s0 key=(null)

Hash: unbound-control,initrc_t,dnssec_t,file,read

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.9-200.fc20.x86_64
type:           libreport

Comment 1 Daniel Walsh 2014-08-15 15:45:24 UTC
One option would be to label this executable as named_exec_t, or just allow initrc_t to access this file.

Comment 2 Lukas Vrabec 2014-09-03 14:45:32 UTC
commit 8bf5fdf03491e807e20bc2f641747cb78b75732e
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Sep 3 16:38:42 2014 +0200

    Label /usr/sbin/unbound-control as named_exec_t (#1130510)


Comment 3 Fedora Update System 2014-09-04 11:33:58 UTC
selinux-policy-3.12.1-183.fc20 has been submitted as an update for Fedora 20.

Comment 4 Fedora Update System 2014-09-09 22:24:15 UTC
selinux-policy-3.12.1-183.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.