Bug 430874 - AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).
Product: Fedora
Classification: Fedora
Component: bind
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2008-01-30 05:47 EST by Matěj Cepl
Modified: 2018-04-11 04:09 EDT
Doc Type: Bug Fix
Last Closed: 2008-02-12 09:22:54 EST

Description Matěj Cepl 2008-01-30 05:47:45 EST
Description of problem:


SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown>

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that
this access is required by rndc(/usr/sbin/rndc) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri
                              Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  {
node_bind } for  pid=3956 comm="rndc"
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37):
arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0
items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc"
subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:
happened once just after relabelling whole drive
Comment 1 Matěj Cepl 2008-01-30 05:49:30 EST
(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to
me. Was it really permitted due to enforcing mode?
Comment 2 Daniel Walsh 2008-01-31 10:31:51 EST
Fixed in selinux-policy-3.2.5-23.fc9
Comment 3 Adam Tkac 2008-02-12 09:22:54 EST
Yes, the problem is fixed now (tested with selinux-policy-targeted-3.2.7-1.fc9).
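
Added example (not part of the original bug report, and not Fedora or setroubleshoot code): the raw audit messages in the description pair an "avc: denied" record with a SYSCALL record showing success=yes, which is what a permissive-mode denial looks like in the log. The sketch below groups records by audit event id and reports whether a denial was only logged or actually blocked; the function names and outcome labels are assumptions, and inferring the outcome from the syscall result is a heuristic.

```python
import re

# Raw audit records from the report above, re-joined onto single lines.
SAMPLE = """\
host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  { node_bind } for  pid=3956 comm="rndc" tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0 items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc" subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        d = DENIED.search(line)
        if d:
            rec["perms"] = d.group(1).split()
        events.setdefault(m.group(2), {})[m.group(1)] = rec
    return events

def classify(event):
    """Summarise one AVC denial, using the SYSCALL record of the same event."""
    avc, sc = event.get("AVC"), event.get("SYSCALL", {})
    if avc is None:
        return None
    if "permissive" in avc:      # newer kernels log permissive=0/1 in the AVC record
        outcome = "logged_only" if avc["permissive"] == "1" else "blocked"
    elif "success" in sc:        # older records: infer from the syscall result
        outcome = "logged_only" if sc["success"] == "yes" else "blocked"
    else:
        outcome = "unknown"
    return {
        "comm": avc.get("comm"),
        "perms": avc.get("perms", []),
        "tclass": avc.get("tclass"),
        "tcontext": avc.get("tcontext"),
        "scontext": avc.get("scontext", sc.get("subj")),
        "outcome": outcome,
    }

if __name__ == "__main__":
    for eid, ev in parse_events(SAMPLE).items():
        print(eid, classify(ev))
```

For the event in this report the result is "logged_only": the bind() call (syscall 49 on x86_64) went through because the system was in permissive mode, and the denial was recorded only for policy debugging.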
