Description of problem:
Running NSD on centos-7 with selinux enabled doesn't work because writes to /tmp for the default xfr-dir setting are not allowed.

Version-Release number of selected component (if applicable):
nsd-4.1.7-3.el7.x86_64

How reproducible:
Enable selinux, install NSD, start nsd

Steps to Reproduce:
1.
2.
3.

Actual results:
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: Starting NSD DNS Server...
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: mkdir /tmp/nsd-xfr-8185 failed: Permission denied
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net nsd[8185]: [2016-01-12 11:47:05.112] nsd[8185]: error: /tmp/nsd-xfr-8185/nsd.8185.task.0: No such file or directory
Jan 12 11:47:05 mccmdns3.mccm.mcinfra.net systemd[1]: nsd.service: main process exited, code=exited, status=1/FAILURE

And in audit.log:
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Expected results:

Additional info:
I was able to get NSD running with the following local policy:

policy_module(nsd-xfr, 1.0)

# nsd_t is defined by the base policy; declare the dependency the refpolicy way
gen_require(`
	type nsd_t;
')

# private temp type for nsd, marked as a file living under /tmp
type nsd_tmp_t;
files_tmp_file(nsd_tmp_t)

# Allow nsd to create and use temp files and dirs of its own type
manage_dirs_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)
manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t)

# files and dirs nsd_t creates in a tmp_t directory are labeled nsd_tmp_t,
# so nsd never needs write access to generic tmp_t itself
files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir })
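Added illustration, not part of the report or of the nsd or selinux-policy packages: the script below parses the three AVC records quoted above the way audit2allow does, shows the single blanket rule that approach would produce, and generates a private-type module of the same shape as the reporter's. The derived type name (nsd_t to nsd_tmp_t) and the helper names are this example's own assumptions; the AVC lines are embedded as sample input so it runs offline.

```python
"""audit2allow-style triage of the nsd AVC denials (added example, not from the report)."""
import re
from collections import defaultdict

# Sample input: the three AVC records from the report, embedded so the script runs offline.
AVC_LOG = """\
type=AVC msg=audit(1452525158.267:905): avc: denied { write } for pid=29920 comm="nsd" name="tmp" dev="dm-0" ino=138278 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { add_name } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1452525158.267:905): avc: denied { create } for pid=29920 comm="nsd" name="nsd-xfr-29920" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # permission set
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC denial line; non-AVC lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def naive_allow_rules(denials):
    """The rules audit2allow would emit: permissions merged per (source, target, class).

    This grants nsd_t write access to every tmp_t directory, i.e. to the
    temporary files of every other daemon that uses the generic /tmp label.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def private_tmp_module(denials, module_name="nsd-xfr", version="1.0"):
    """Least-privilege alternative for tmp_t denials: give each domain its own tmp type.

    Mirrors the structure of the module in the report. The derived type name
    (nsd_t -> nsd_tmp_t) is a naming assumption of this example, not a refpolicy rule.
    """
    domains = sorted({d["stype"] for d in denials if d["ttype"] == "tmp_t"})
    if not domains:
        return None
    out = [f"policy_module({module_name}, {version})", "", "gen_require(`"]
    out += [f"\ttype {dom};" for dom in domains]
    out += ["')", ""]
    for dom in domains:
        priv = (dom[:-2] if dom.endswith("_t") else dom) + "_tmp_t"
        out += [
            f"type {priv};",
            f"files_tmp_file({priv})",
            f"manage_dirs_pattern({dom}, {priv}, {priv})",
            f"manage_files_pattern({dom}, {priv}, {priv})",
            # name transition: objects the domain creates under /tmp get the private label
            f"files_tmp_filetrans({dom}, {priv}, {{ file dir }})",
            "",
        ]
    return "\n".join(out)


def grants_generic_tmp_write(te_text):
    """True if the policy text contains a plain allow rule targeting tmp_t (the over-broad fix)."""
    return re.search(r"^allow\s+\S+\s+tmp_t:", te_text, re.M) is not None


if __name__ == "__main__":
    denials = parse_avcs(AVC_LOG)
    print("# what audit2allow would suggest:")
    print("\n".join(naive_allow_rules(denials)))
    print("\n# private-type module instead:")
    print(private_tmp_module(denials))
```

The point of the contrast: the merged rule "allow nsd_t tmp_t:dir { add_name create write };" is what a quick audit2allow -M run yields, and it makes the denials go away, but it lets nsd create and rename entries in any tmp_t directory. The private-type module only grants nsd_t rights over nsd_tmp_t and relies on the name transition to label what nsd creates, which is why it is the better shape for a local fix.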
It seems to me that this is a selinux policy bug.
We have fixes in the latest RHEL. You can go with the local policy for now. Thank you.