Bug 1317293 - SELinux is preventing unbound from using the 'net_raw' capabilities.
SELinux is preventing unbound from using the 'net_raw' capabilities.
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
27
x86_64 Unspecified
medium Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Ben Levenson
abrt_hash:6913d7e4cad3d09a98d6ed05f28...
:
: 1350020 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-13 16:12 EDT by Christian Stadelmann
Modified: 2017-08-15 04:55 EDT (History)
17 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christian Stadelmann 2016-03-13 16:12:34 EDT
Description of problem:
SELinux is preventing unbound from using the 'net_raw' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that unbound should have the net_raw capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:system_r:named_t:s0
Target Objects                Unknown [ capability ]
Source                        unbound
Source Path                   unbound
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-178.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc7.git0.2.fc24.x86_64 #1
                              SMP Tue Mar 8 02:20:08 UTC 2016 x86_64 x86_64
Alert Count                   18
First Seen                    2016-03-12 22:47:06 CET
Last Seen                     2016-03-13 21:01:24 CET
Local ID                      5e942a7e-1162-4606-8491-e337ab739c20

Raw Audit Messages
type=AVC msg=audit(1457899284.573:178): avc:  denied  { net_raw } for  pid=1083 comm="unbound" capability=13  scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=capability permissive=0


Hash: unbound,named_t,named_t,capability,net_raw

Version-Release number of selected component:
selinux-policy-3.13.1-178.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport

Potential duplicate: bug 1312718
Comment 1 Luke Macken 2016-06-08 13:17:02 EDT
Description of problem:
I logged into my `bitlbee` account, and this was triggered.

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.6-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
Comment 2 linuxqwert 2016-06-24 16:42:38 EDT
*** Bug 1350020 has been marked as a duplicate of this bug. ***
Comment 3 Michał 2016-07-28 11:36:05 EDT
Description of problem:
Restarting and starting unbound makes sealert... It shouldn't, because i'm using it with dnssec-trigger, and i changed absolutely nothing in configs...

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport
Comment 4 Sakari A. Maaranen 2016-08-10 10:15:19 EDT
Description of problem:
dnssec-trigger (and unbound as its dependency) were uninstalled and then re-installed on Fedora 24.
SELinux alerted that unbound needs net_raw access.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport
Comment 5 Dominik 'Rathann' Mierzejewski 2016-08-17 02:13:06 EDT
Description of problem:
This SELinux alert happens every time I wake up my laptop from suspend.

$ rpm -q dnssec-trigger unbound selinux-policy
dnssec-trigger-0.13-0.4.20150714svn.fc24.x86_64
unbound-1.5.8-2.fc24.x86_64
selinux-policy-3.13.1-191.10.fc24.noarch

Version-Release number of selected component:
selinux-policy-3.13.1-191.10.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.6-300.fc24.x86_64
type:           libreport
Comment 6 Dominik 'Rathann' Mierzejewski 2016-08-20 16:46:04 EDT
Description of problem:
Reconnect to wifi after resuming from suspend.

Version-Release number of selected component:
selinux-policy-3.13.1-191.10.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.6-300.fc24.x86_64
type:           libreport
Comment 7 Wolfgang Rupprecht 2016-09-04 14:50:39 EDT
Description of problem:
This happened under normal operation.  Config file available upon request.

Version-Release number of selected component:
selinux-policy-3.13.1-191.14.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.2-201.fc24.x86_64
type:           libreport
Comment 8 Mike Bursell 2016-09-05 11:43:06 EDT
Duplicate of 1312718?
Comment 9 Laurent Rineau 2016-09-16 08:02:12 EDT
Description of problem:
The AVC was emitted during the boot sequence.

Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport
Comment 10 Laurent Rineau 2016-09-16 08:04:44 EDT
#1312718 is similar but reported against F23. The current one is against F24.
Comment 11 Laurent Rineau 2016-09-20 10:03:08 EDT
Description of problem:
The error occured at boot.

Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport
Comment 12 Laurent Rineau 2016-09-22 08:30:15 EDT
Description of problem:
The AVC occured at boot.

Version-Release number of selected component:
selinux-policy-3.13.1-191.16.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport
Comment 13 Krist van Besien 2016-09-26 07:42:44 EDT
Description of problem:
I reestarted unbound. This alert popped up. I suppose this might also be the reason why DNS resolution has been slow and erratic since I enabled unbound.


Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.3-200.fc24.x86_64
type:           libreport
Comment 14 Fedora Admin XMLRPC Client 2016-09-27 11:05:39 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Fedora End Of Life 2017-07-25 16:19:04 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 16 Dominik 'Rathann' Mierzejewski 2017-07-30 08:38:41 EDT
Bumping to rawhide.
Comment 17 Jan Kurik 2017-08-15 04:55:10 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Note You need to log in before you can comment on or make changes to this bug.