Description of problem:
* the pdns service starts successfully but 1 SELinux denial is triggered

Version-Release number of selected component (if applicable):
pdns-4.2.1-4.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. start the pdns service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(03/02/2020 06:40:35.405:361) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
type=MMAP msg=audit(03/02/2020 06:40:35.405:361) : fd=4 flags=MAP_PRIVATE
type=SYSCALL msg=audit(03/02/2020 06:40:35.405:361) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x230 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1 pid=1492 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null)
type=AVC msg=audit(03/02/2020 06:40:35.405:361) : avc: denied { map } for pid=1492 comm=pdns_server path=/usr/share/p11-kit/modules/gnome-keyring.module dev="vda1" ino=175964 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials

The only SELinux denial that appears in permissive mode:
----
type=PROCTITLE msg=audit(03/02/2020 06:50:01.317:370) : proctitle=/usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
type=MMAP msg=audit(03/02/2020 06:50:01.317:370) : fd=4 flags=MAP_PRIVATE
type=SYSCALL msg=audit(03/02/2020 06:50:01.317:370) : arch=x86_64 syscall=mmap success=yes exit=140078803750912 a0=0x0 a1=0x230 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1 pid=1560 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pdns_server exe=/usr/sbin/pdns_server subj=system_u:system_r:pdns_t:s0 key=(null)
type=AVC msg=audit(03/02/2020 06:50:01.317:370) : avc: denied { map } for pid=1560 comm=pdns_server path=/usr/share/p11-kit/modules/gnome-keyring.module dev="vda1" ino=175964 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
----
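
Added example, not part of the bug report or of the policy fix: a small Python parser for the two AVC records quoted above, showing which source type, target type, class and permission were denied, whether the access was actually blocked (permissive=0) or only logged (permissive=1), and the raw allow rule the denial corresponds to. The function names are hypothetical, and the printed rule is only the literal form of the denial, not necessarily the statement used in the policy commit.

```python
import re

# AVC records copied from the two audit excerpts in this report
# (enforcing first, permissive second).
AVC_RECORDS = [
    'type=AVC msg=audit(03/02/2020 06:40:35.405:361) : avc: denied { map } for pid=1492 comm=pdns_server path=/usr/share/p11-kit/modules/gnome-keyring.module dev="vda1" ino=175964 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(03/02/2020 06:50:01.317:370) : avc: denied { map } for pid=1560 comm=pdns_server path=/usr/share/p11-kit/modules/gnome-keyring.module dev="vda1" ino=175964 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields'))
    fields = {key: value.strip('"') for key, value in pairs}
    return {
        'perms': m.group('perms').split(),
        # A context is user:role:type:level; the type is what policy rules name.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
        # permissive=0 means the kernel refused the access; 1 means it only logged it.
        'blocked': fields.get('permissive') == '0',
    }

def to_allow_rule(avc):
    """Literal allow rule matching the denial (what the record asks for, nothing broader)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"

def summarize(lines):
    """Group denials by rule so repeated records collapse into one finding."""
    rules = {}
    for avc in filter(None, map(parse_avc, lines)):
        entry = rules.setdefault(to_allow_rule(avc), {'paths': set(), 'blocked': False})
        entry['paths'].add(avc['path'])
        entry['blocked'] |= avc['blocked']
    return rules

if __name__ == '__main__':
    for rule, info in summarize(AVC_RECORDS).items():
        print(rule, sorted(info['paths']), 'blocked' if info['blocked'] else 'logged only')
```

Both records collapse to a single rule, which matches the report's statement that the same denial is the only one seen in permissive mode.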

It should be fixed in the SELinux policy package.
PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/212
*** Bug 1812540 has been marked as a duplicate of this bug. ***
commit 4434809ccf27e7b7d7d016fb82d34dad25581faf (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Mon Mar 2 17:25:41 2020 +0100

    Allow pdns_t domain to map files in /usr.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1809078
FEDORA-2020-ca2d9dda2d has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca2d9dda2d
selinux-policy-3.14.5-31.fc32 has been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca2d9dda2d
FEDORA-2020-ca2d9dda2d has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.