Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 430874 - AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown> (inaddr_any_node_t).
AVC denial -- SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" ...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bind (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Adam Tkac
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-30 05:47 EST by Matěj Cepl
Modified: 2018-04-11 04:09 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-12 09:22:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Matěj Cepl 2008-01-30 05:47:45 EST 
Description of problem:

Summary:

SELinux is preventing rndc(/usr/sbin/rndc) (ndc_t) "node_bind" to <Unknown>
(inaddr_any_node_t).

Detailed Description:

[SELinux in permissive mode, the operation would have been denied but was
permitted due to enforcing mode.]

SELinux denied access requested by rndc(/usr/sbin/rndc). It is not expected that
this access is required by rndc(/usr/sbin/rndc) and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:ndc_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ tcp_socket ]
Source                        rndc(/usr/sbin/rndc)
Port                          <Unknown>
Host                          hubmaier.ceplovi.cz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.24-2.fc9 #1 SMP Fri
                              Jan 25 12:52:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    St 30. leden 2008, 11:45:08 CET
Last Seen                     St 30. leden 2008, 11:45:08 CET
Local ID                      a45f5428-6908-4536-8c49-d89d1eba0bf3
Line Numbers                  

Raw Audit Messages            

host=hubmaier.ceplovi.cz type=AVC msg=audit(1201689908.625:37): avc:  denied  {
node_bind } for  pid=3956 comm="rndc"
scontext=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1201689908.625:37):
arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=2aaaaacb2a00 a2=10 a3=0
items=0 ppid=3732 pid=3956 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts0 comm="rndc" exe="/usr/sbin/rndc"
subj=unconfined_u:unconfined_r:ndc_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
bind-9.5.0-24.b1.fc9.x86_64
selinux-policy-targeted-3.2.5-19.fc9.noarch

How reproducible:
happened once just after relabelling whole drive
Comment 1 Matěj Cepl 2008-01-30 05:49:30 EST 
(In reply to comment #0)
> [SELinux in permissive mode, the operation would have been denied but was
> permitted due to enforcing mode.]

BTW, Dan, I am not a native English speaker, but this sentence seems weird to
me. It was really permitted due to enforcing mode?
Comment 2 Daniel Walsh 2008-01-31 10:31:51 EST 
Fixed in selinux-policy-3.2.5-23.fc9
Comment 3 Adam Tkac 2008-02-12 09:22:54 EST 
yes, problem is fixed now. (tested with selinux-policy-targeted-3.2.7-1.fc9)
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.