Bug 430874 - AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bind
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2008-01-30 05:47 EST by Matěj Cepl
Modified: 2013-04-30 19:38 EDT
Doc Type: Bug Fix
Last Closed: 2008-02-12 09:22:54 EST
Description Matěj Cepl 2008-01-30 05:47:45 EST
Description of problem:

Summary:

SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown>
(inaddr_any_node_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that
this access is required by rndc(/usr/sbin/rndc) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri
                              Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  {
node_bind } for  pid=3956 comm="rndc"
scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37):
arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0
items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc"
subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
bind-9.5.0-24.b1.fc9.x86_64
selinux-policy-targeted-3.2.5-19.fc9.noarch

How reproducible:
happened once just after relabelling whole drive
Comment 1 Matěj Cepl 2008-01-30 05:49:30 EST
(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to
me. It was really permitted due to enforcing mode?
Comment 2 Daniel Walsh 2008-01-31 10:31:51 EST
Fixed in selinux-policy-3.2.5-23.fc9
Comment 3 Adam Tkac 2008-02-12 09:22:54 EST
yes, problem is fixed now. (tested with selinux-policy-targeted-3.2.7-1.fc9)
