Bug 430874 - AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).
Summary: AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" ...
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: bind (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
low
low
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: SELinux
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-30 10:47 UTC by Matěj Cepl
Modified: 2018-04-11 08:09 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-12 14:22:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matěj Cepl 2008-01-30 10:47:45 UTC 
Description of problem:

Summary:

SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown>
(inaddr_any_node_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that
this access is required by rndc(/usr/sbin/rndc) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri
                              Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  {
node_bind } for  pid=3956 comm="rndc"
scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37):
arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0
items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc"
subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
bind-9.5.0-24.b1.fc9.x86_64
selinux-policy-targeted-3.2.5-19.fc9.noarch

How reproducible:
happened once just after relabelling whole drive
Comment 1 Matěj Cepl 2008-01-30 10:49:30 UTC 
(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to
me. It was really permitted due to enforcing mode?
Comment 2 Daniel Walsh 2008-01-31 15:31:51 UTC 
Fixed in selinux-policy-3.2.5-23.fc9
Comment 3 Adam Tkac 2008-02-12 14:22:54 UTC 
yes, problem is fixed now. (tested with selinux-policy-targeted-3.2.7-1.fc9)
Note You need to log in before you can comment on or make changes to this bug.