Description of problem:

Summary:

SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that this access is required by rndc(/usr/sbin/rndc) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers

Raw Audit Messages

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc: denied { node_bind } for pid=3956 comm="rndc" scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0 items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
bind-9.5.0-24.b1.fc9.x86_64
selinux-policy-targeted-3.2.5-19.fc9.noarch

How reproducible:
happened once just after relabelling whole drive

(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to me. It was really permitted due to enforcing mode?

Fixed in selinux-policy-3.2.5-23.fc9
yes, problem is fixed now. (tested with selinux-policy-targeted-3.2.7-1.fc9)