Created attachment 1101144
Raw audit AVC

Description of problem:
"Standard" named runs confined while named-pkcs11 (required by freeipa) runs unconfined.

Version-Release number of selected component (if applicable):
bind-9.10.2-6.P4.fc22.x86_64
selinux-policy-3.13.1-128.21.fc22.noarch
selinux-policy-targeted-3.13.1-128.21.fc22.noarch
freeipa-client-4.2.3-1.fc22.x86_64
freeipa-server-dns-4.2.3-1.fc22.x86_64
freeipa-admintools-4.2.3-1.fc22.x86_64
freeipa-python-4.2.3-1.fc22.x86_64
freeipa-server-4.2.3-1.fc22.x86_64
(https://copr.fedoraproject.org/coprs/mkosek/freeipa-4.2/)

How reproducible:
Always.

Steps to Reproduce:
1. Install bind-pkcs11 and start named-pkcs11.service
2. ps -efZ | grep named

Actual results:
system_u:system_r:unconfined_service_t:s0 named 901 1 0 12:24 ? 00:00:00 /usr/sbin/named-pkcs11 -u named

Expected results:
system_u:system_r:named_t:s0 named 2607 1 0 23:06 ? 00:00:00 /usr/sbin/named-pkcs11 -u named

Additional info:
Tried the "standard" policy but it will need work.

chcon -t named_exec_t /usr/sbin/named-pkcs11
setenforce 0
systemctl restart named-pkcs11
ps -efZ | grep named
(see expected, above)

grep named-pkcs11 /var/log/audit/audit.log | audit2allow

#============= named_t ==============
#!!!! This avc can be allowed using the boolean 'named_tcp_bind_http_port'
allow named_t http_port_t:tcp_socket name_bind;
allow named_t ipa_var_lib_t:dir read;
allow named_t ipa_var_lib_t:file { read write getattr open lock };

named-pkcs11 listens on 127.0.0.1:488 (gss-http). File access AVCs relate to /var/lib/ipa/dnssec/tokens/...

Attached: grep named-pkcs11 /var/log/audit/audit.log | grep avc
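The report's check (ps -efZ, then reading the context column by eye) generalises to a small script that flags every system daemon running in unconfined_service_t rather than a confined domain. The script below is an added example and not part of the bug report or of the Fedora policy; the ps output it parses is a constructed sample modelled on the "Actual results" above, with two extra lines (a confined named and systemd) invented to show that confined domains are not reported.

```shell
#!/bin/sh
# Added example: list daemons whose SELinux domain is unconfined_service_t.
# On a live host:  ps -efZ | find_unconfined_services
# Output format:   <command> <full SELinux context>

# Constructed sample of `ps -efZ` output (LABEL UID PID PPID C STIME TTY TIME CMD).
# First line mirrors the report's "Actual results"; the others are made up.
SAMPLE_PS='LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 named 901 1 0 12:24 ? 00:00:00 /usr/sbin/named-pkcs11 -u named
system_u:system_r:named_t:s0 named 2607 1 0 23:06 ? 00:00:00 /usr/sbin/named -u named
system_u:system_r:init_t:s0 root 1 0 0 12:23 ? 00:00:02 /usr/lib/systemd/systemd'

# Reads ps -efZ lines on stdin. Field 1 is user:role:type:level; the third
# colon-separated element is the domain (type). Field 9 is the command path.
find_unconfined_services() {
    awk '$1 == "LABEL" { next }
         {
             n = split($1, ctx, ":")
             if (n >= 3 && ctx[3] == "unconfined_service_t") print $9, $1
         }'
}

# Runs the check over the constructed sample; returns the flagged lines.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_unconfined_services
}

# Counts flagged daemons in the sample (0 means every daemon is confined).
count_unconfined_in_sample() {
    check_sample | wc -l | tr -d ' '
}

# Stand-alone run: print the offenders from the sample.
check_sample
```

On the sample this prints only the named-pkcs11 line, which is exactly the condition the report describes; a daemon started from a binary with the right exec type (named_exec_t here) transitions into its confined domain and no longer appears.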
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.