Description of problem:
nsd up to 4.1.23 uses a TLS mechanism to talk to its daemon. As of 4.1.24 it also supports a unix domain socket in /run/nsd/nsd.ctl. The daemon /usr/sbin/nsd needs to be able to create/delete it. It now shows:

type=AVC msg=audit(1534181431.633:296959): avc: denied { create } for pid=14918 comm="nsd" name="nsd.ctl" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1534181431.633:296959): arch=x86_64 syscall=bind success=yes exit=0 a0=8 a1=7ffe897a0a00 a2=6e a3=8 items=0 ppid=1 pid=14918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=nsd exe=/usr/sbin/nsd subj=system_u:system_r:nsd_t:s0 key=(null)
Hash: nsd,nsd_t,var_run_t,sock_file,create

type=AVC msg=audit(1534181431.634:296960): avc: denied { setattr } for pid=14918 comm="nsd" name="nsd.ctl" dev="tmpfs" ino=332978837 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Hash: nsd,nsd_t,var_run_t,sock_file,setattr
Same would apply to EPEL.
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
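For triage of denials like the two in the report, the following added example (not part of the bug report or of selinux-policy) parses AVC records and groups the denied permissions by source type, target type and object class, similar in spirit to what audit2allow prints. The function names are hypothetical, the sample input is constructed from the records quoted above, and the resulting line is a summary of what was denied, not a proposed policy change.

```python
import re
from collections import defaultdict

# Constructed sample: AVC and Hash lines copied from the report above.
SAMPLE = '''type=AVC msg=audit(1534181431.633:296959): avc: denied { create } for pid=14918 comm="nsd" name="nsd.ctl" scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Hash: nsd,nsd_t,var_run_t,sock_file,create
type=AVC msg=audit(1534181431.634:296960): avc: denied { setattr } for pid=14918 comm="nsd" name="nsd.ctl" dev="tmpfs" ino=332978837 scontext=system_u:system_r:nsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Hash: nsd,nsd_t,var_run_t,sock_file,setattr
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'source': source, 'target': target, 'tclass': tclass,
            'perms': match.group(1).split(), 'comm': fields.get('comm')}


def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source'], rec['target'], rec['tclass'])
            grouped[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_rules(summary):
    """Render each group in allow-rule syntax for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    print('\n'.join(as_rules(summarize(SAMPLE))))
```

A target type of var_run_t in the output means the socket was created with the generic /run label rather than a type specific to nsd, which is worth checking before any rule is written.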