Bug 249663 - Update of bind causes SElinux avc denied on named, pipe issue
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
All Linux
Severity: low
Assigned To: Daniel Walsh
Reported: 2007-07-26 05:27 EDT by Peter Bieringer
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-07-26 07:11:05 EDT

Description Peter Bieringer 2007-07-26 05:27:23 EDT
Description of problem:
After upgrading to the newest bind version yesterday, avc denied messages are triggered.

Version-Release number of selected component (if applicable):
(upgraded to) bind-9.2.4-27.0.1.el4

How reproducible:
After upgrade, detected on 2 systems by logwatch.

Steps to Reproduce:
Probably downgrade and re-upgrade the bind version

Actual results:

Jul 25 16:23:41 server kernel: audit(1185373421.023:11): avc:  denied  { read }
for  pid=10357 comm="named" name="[2930654]" dev=pipefs ino=2930654
scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file
Jul 25 16:23:41 server named[10358]: starting BIND 9.2.4 -u named -t

Expected results:
No such messages

Additional info:
System is running in enforcement mode

# lsof | grep named | grep pipe
named     21248   named    5r     FIFO        0,7             3032409 pipe
named     21248   named    7w     FIFO        0,7             3032409 pipe

Impact: unknown, named looks like it is working.
Comment 1 Daniel Walsh 2007-07-26 07:11:05 EDT
These can be ignored.  Usually this is a leaked file descriptor that SELinux is
just closing.  As long as the daemon functions properly.  We will not fix.
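
The denial in this report, triaged the way comment 1 reads it. This is an added example, not part of the bug report or of any Red Hat tool: it parses AVC records and flags those whose target is an anonymous pipe or socket carrying another domain's label, i.e. an inherited descriptor. The heuristic, the function names and the third sample record are assumptions of this example.

```python
import re

# Record 1 is the denial from the report, rejoined onto one line; record 2 is the
# syslog line that followed it; record 3 is constructed for contrast.
SAMPLE_LOG = [
    'Jul 25 16:23:41 server kernel: audit(1185373421.023:11): avc:  denied  { read } '
    'for  pid=10357 comm="named" name="[2930654]" dev=pipefs ino=2930654 '
    'scontext=root:system_r:named_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'Jul 25 16:23:41 server named[10358]: starting BIND 9.2.4 -u named -t',
    'Jul 25 16:30:02 server kernel: audit(1185373802.100:12): avc:  denied  { read } '
    'for  pid=10400 comm="named" name="example.conf" dev=dm-0 ino=4242 '
    'scontext=root:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AVC denial as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(':')[2]


def looks_like_leaked_fd(rec):
    """Heuristic (assumption): an anonymous pipe or socket that carries another
    domain's label was created by that domain and inherited across exec."""
    anonymous = rec.get('dev') in ('pipefs', 'sockfs')
    foreign = selinux_type(rec['tcontext']) != selinux_type(rec['scontext'])
    return anonymous and foreign


def triage(lines):
    """Classify each AVC denial; non-AVC lines are skipped."""
    results = []
    for rec in filter(None, map(parse_avc, lines)):
        verdict = 'likely leaked descriptor' if looks_like_leaked_fd(rec) else 'review policy'
        results.append((rec['comm'], rec['tclass'], verdict))
    return results
```

A denial flagged this way points at the parent process that left the descriptor open across exec, not at the daemon's policy.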
