Bug 249663 - Update of bind causes SElinux avc denied on named, pipe issue
Summary: Update of bind causes SElinux avc denied on named, pipe issue
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-07-26 09:27 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-26 11:11:05 UTC
Target Upstream Version:
Embargoed:



Description Peter Bieringer 2007-07-26 09:27:23 UTC
Description of problem:
Upgrading to the newest bind version yesterday triggered avc denied messages.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.145
(upgraded to) bind-9.2.4-27.0.1.el4

How reproducible:
After upgrade, detected on 2 systems by logwatch.

Steps to Reproduce:
Probably downgrade and re-upgrade the bind version.

Actual results:

Jul 25 16:23:41 server kernel: audit(1185373421.023:11): avc:  denied  { read } for  pid=10357 comm="named" name="[2930654]" dev=pipefs ino=2930654 scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 25 16:23:41 server named[10358]: starting BIND 9.2.4 -u named -t /var/named/chroot

Expected results:
No such messages

Additional info:
System is running in enforcement mode

# lsof | grep named | grep pipe
named     21248   named    5r     FIFO        0,7             3032409 pipe
named     21248   named    7w     FIFO        0,7             3032409 pipe

Impact: unknown; named looks like it is working.

Comment 1 Daniel Walsh 2007-07-26 11:11:05 UTC
These can be ignored.  Usually this is a leaked file descriptor that SELinux is
just closing.  As long as the daemon functions properly, we will not fix this.
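The maintainer's reply gives a triage rule: a denial on a FIFO that lives on pipefs, where the object is labelled with the launcher's context (here root:system_r:unconfined_t) rather than the daemon's own domain, is a descriptor the daemon inherited and never uses, and the denial is SELinux refusing that inherited fd. The following is an added example, not code from the bug report or from the selinux-policy package: it parses kernel-format AVC records like the one quoted above and flags the ones that match that leaked-fd pattern so a logwatch-style report can separate them from denials that need a policy change. The sample record is the one from this report, reconstructed as a single line; the set of "launcher" domains (unconfined_t, initrc_t) is an assumption for the targeted policy, and the regular expressions are this example's own.

```python
"""Triage of SELinux AVC denials for the 'leaked file descriptor' pattern.

Added example, not part of the bug report.  The heuristic follows the
maintainer's comment: a denied read/write on a fifo_file that lives on
pipefs, whose target context belongs to the (unconfined) process that
started the daemon, is an inherited pipe descriptor that SELinux closes
for the daemon, not a policy hole.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the denial quoted in this bug, joined into one record.
SAMPLE_AVC = (
    'Jul 25 16:23:41 server kernel: audit(1185373421.023:11): avc:  denied  '
    '{ read } for  pid=10357 comm="named" name="[2930654]" dev=pipefs '
    'ino=2930654 scontext=root:system_r:named_t '
    'tcontext=root:system_r:unconfined_t tclass=fifo_file'
)

# Domains that typically launch daemons in the targeted policy (assumption).
LAUNCHER_DOMAINS = {"unconfined_t", "initrc_t"}

# Permissions a daemon is denied on an fd it merely inherited and never uses.
INHERITED_FD_PERMS = {"read", "write", "getattr", "ioctl"}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one kernel-format AVC record into a dict; None if not an AVC line.

    Keys: result ("denied"/"granted"), perms (list), and every key=value
    field after "for" (pid, comm, name, dev, ino, scontext, tcontext, tclass).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def is_leaked_fd_denial(rec: Optional[Dict[str, object]]) -> bool:
    """True if the record matches the inherited-pipe pattern from this bug."""
    if rec is None or rec.get("result") != "denied":
        return False
    if rec.get("tclass") != "fifo_file" or rec.get("dev") != "pipefs":
        return False
    if not set(rec["perms"]) <= INHERITED_FD_PERMS:
        return False
    src = context_type(str(rec.get("scontext", "")))
    tgt = context_type(str(rec.get("tcontext", "")))
    # The pipe carries the launcher's label, not the daemon's own domain.
    return src != tgt and tgt in LAUNCHER_DOMAINS


def triage(lines: List[str]) -> Tuple[List[Dict[str, object]], List[Dict[str, object]]]:
    """Split log lines into (ignorable leaked-fd denials, denials needing review)."""
    leaks: List[Dict[str, object]] = []
    attention: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        (leaks if is_leaked_fd_denial(rec) else attention).append(rec)
    return leaks, attention


if __name__ == "__main__":
    leaks, attention = triage([SAMPLE_AVC])
    for r in leaks:
        print("ignorable leaked fd: pid=%s comm=%s ino=%s" % (r["pid"], r["comm"], r["ino"]))
    for r in attention:
        print("needs review: %s" % r)
```

Run it over the kernel log (or the audit log, whose records have the same `avc: denied { ... } for ...` shape); a denial that does not match the pattern, for example named_t denied read on a file labelled named_conf_t, lands in the "needs review" list. Confirming that the daemon still works, as the report does with lsof and the "starting BIND" line, remains a manual step the script does not replace.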

