Description of problem:
Red Hat Enterprise Linux ships the selinux-policy-targeted package, which has an "nsd" SELinux policy module. This module works fine for NSD version 3, but not for NSD version 4.

I use the NSD DNS software (http://www.nlnetlabs.nl/projects/nsd/). When trying to start the daemon, it fails.

Please update the nsd SELinux policy module to support nsd-4, which ships from EPEL (nsd-4.1.7).

# systemctl start nsd
# systemctl status nsd
● nsd.service - NSD DNS Server
   Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-01-27 16:05:23 MSK; 3s ago
  Process: 14770 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state (code=exited, status=0/SUCCESS)
  Process: 14768 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS (code=exited, status=1/FAILURE)
 Main PID: 14768 (code=exited, status=1/FAILURE)

# semodule -vl|grep nsd
nsd	1.8.0

# grep denied /var/log/audit/audit.log|grep nsd|audit2allow

#============= nsd_t ==============
allow nsd_t self:capability net_admin;
allow nsd_t tmp_t:dir { write create add_name };
allow nsd_t tmp_t:file { write create open };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow nsd_t unreserved_port_t:tcp_socket name_bind;

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install nsd from EPEL
2. # systemctl start nsd
   # systemctl status nsd
   ● nsd.service - NSD DNS Server
      Loaded: loaded (/usr/lib/systemd/system/nsd.service; disabled; vendor preset: disabled)
      Active: failed (Result: exit-code) since Wed 2016-01-27 16:05:23 MSK; 3s ago
     Process: 14770 ExecStopPost=/bin/rm -f /var/lib/nsd/xfrd.state (code=exited, status=0/SUCCESS)
     Process: 14768 ExecStart=/usr/sbin/nsd -d -c /etc/nsd/nsd.conf $NSD_EXTRA_OPTS (code=exited, status=1/FAILURE)
    Main PID: 14768 (code=exited, status=1/FAILURE)

Actual results:
Unable to start

Expected results:
Should start

Additional info:
$ more audit.log | grep 1453899923
type=AVC msg=audit(1453899923.514:191346): avc: denied { net_admin } for pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191347): avc: denied { net_admin } for pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191348): avc: denied { net_admin } for pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191349): avc: denied { net_admin } for pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.516:191350): avc: denied { name_bind } for pid=14768 comm="nsd" src=8952 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
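As an added example (not part of the bug report, the selinux-policy package or NSD), a small Python script that parses AVC records in the audit.log format quoted in the report and groups the denied permissions per source type, target type and object class, the way the audit2allow summary above does, so the denials can be reviewed before choosing between a boolean such as nis_enabled, a local policy module, or the updated policy package. The log text is constructed from the records in the report; the tmp_t dir record is an assumed one matching the audit2allow output.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log format quoted in the report above
# (two duplicate net_admin records, the port denial, and an assumed tmp_t
# dir denial matching the audit2allow output; one non-AVC record to skip).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453899923.514:191346): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.514:191347): avc:  denied  { net_admin } for  pid=14768 comm="nsd" capability=12 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:system_r:nsd_t:s0 tclass=capability
type=AVC msg=audit(1453899923.516:191350): avc:  denied  { name_bind } for  pid=14768 comm="nsd" src=8952 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1453899923.520:191351): avc:  denied  { write create add_name } for  pid=14768 comm="nsd" name="nsd" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1453899923.514:191346): arch=c000003e syscall=49 success=no exit=-13 comm="nsd"
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record, or None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": set(m.group("perms").split()), **fields}

def selinux_type(context):
    """user:role:type:level -> type (e.g. system_u:system_r:nsd_t:s0 -> nsd_t)."""
    return context.split(":")[2]

def summarize(log_text, comm=None):
    """Group denials by (source type, target type, class) like audit2allow; 'self' = same type."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm and rec.get("comm") != comm):
            continue
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        rules[(src, "self" if tgt == src else tgt, rec["tclass"])] |= rec["perms"]
    return dict(rules)

def as_te(rules):
    """Render the grouped denials as allow rules for review (not for blind loading)."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out
```

Calling as_te(summarize(SAMPLE_AUDIT_LOG, comm="nsd")) yields the three allow lines for nsd_t; compare them against the audit2allow output above before deciding how to handle each denial.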
I believe that this bug is a duplicate of BZ#1293140.
*** This bug has been marked as a duplicate of bug 1293140 ***