Bug 492484 - bind selinux issues (bind-9.5.1-2.P2.fc10.x86_64)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bind
10
All Linux
low Severity medium
Assigned To: Adam Tkac
Fedora Extras Quality Assurance
Reported: 2009-03-26 18:21 EDT by Mark Watts
Modified: 2013-04-30 19:42 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-29 10:55:29 EDT
Description Mark Watts 2009-03-26 18:21:02 EDT
Today's update of bind has caused the following selinux context issues:

When logrotate runs, this happens:

Mar 26 21:36:00 cyan setroubleshoot: SELinux is preventing logrotate (logrotate_t) "getattr" to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l 7fd5bfb8-7a81-45ca-8ab1-87b7fa54956b


When you start named, this happens:

Mar 26 22:14:24 cyan setroubleshoot: SELinux is preventing rndc (ndc_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l f46dc906-6b41-433b-8376-ad6ab29826ba
Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named-checkconf (named_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 780dd9ff-a4d6-4cb1-987e-11c194bf9e09
Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named (named_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 780dd9ff-a4d6-4cb1-987e-11c194bf9e09
Comment 1 Adam Tkac 2009-03-30 05:09:59 EDT
(In reply to comment #0)
> Today's update of bind has caused the following selinux context issues:
> 
> When logrotate runs, this happens:
> 
> Mar 26 21:36:00 cyan setroubleshoot: SELinux is preventing logrotate
> (logrotate_t) "getattr" to /var/named/data/named.run (named_cache_t). For
> complete SELinux messages. run sealert -l 7fd5bfb8-7a81-45ca-8ab1-87b7fa54956b

Would it be possible to attach complete SELinux messages, please? This will be fixed in selinux-policy*.

> When you start named, this happens:
> 
> Mar 26 22:14:24 cyan setroubleshoot: SELinux is preventing rndc (ndc_t) "read
> write" unconfined_t. For complete SELinux messages. run sealert -l
> f46dc906-6b41-433b-8376-ad6ab29826ba
> Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named-checkconf
> (named_t) "read write" unconfined_t. For complete SELinux messages. run sealert
> -l 780dd9ff-a4d6-4cb1-987e-11c194bf9e09
> Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named (named_t)
> "read write" unconfined_t. For complete SELinux messages. run sealert -l
> 780dd9ff-a4d6-4cb1-987e-11c194bf9e09  

This looks like wrongly labelled files on your machine. Could you attach complete SELinux messages as well, please?
Comment 2 Mark Watts 2009-04-29 10:55:29 EDT
Well, bind-9.5.1-2.P2.fc10.i386 and selinux-policy-targeted-3.5.13-57.fc10.noarch do not give these errors so I can only assume the issue is now fixed.

I've installed and started bind, and run /etc/cron.daily/logrotate and I get no errors.
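
An added example, not part of the original report or of any Fedora tool: a Python parser for the setroubleshoot summary lines quoted in this bug, grouping denials by alert ID so that each `sealert -l` command needed for the complete messages requested in comment 1 is listed once. The regular expression assumes only the two summary-line shapes seen in this report; the function names are hypothetical.

```python
import re

# Summary lines copied from the description of this bug.
SAMPLE = '''\
Mar 26 21:36:00 cyan setroubleshoot: SELinux is preventing logrotate (logrotate_t) "getattr" to /var/named/data/named.run (named_cache_t). For complete SELinux messages. run sealert -l 7fd5bfb8-7a81-45ca-8ab1-87b7fa54956b
Mar 26 22:14:24 cyan setroubleshoot: SELinux is preventing rndc (ndc_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l f46dc906-6b41-433b-8376-ad6ab29826ba
Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named-checkconf (named_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 780dd9ff-a4d6-4cb1-987e-11c194bf9e09
Mar 26 22:14:25 cyan setroubleshoot: SELinux is preventing named (named_t) "read write" unconfined_t. For complete SELinux messages. run sealert -l 780dd9ff-a4d6-4cb1-987e-11c194bf9e09
'''

# Shape 1: ... "perm" to /path (target_type). ...
# Shape 2: ... "perm perm" target_type. ...
LINE_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<comm>\S+) \((?P<source>\w+)\) '
    r'"(?P<perms>[^"]+)" '
    r'(?:to (?P<path>\S+) \((?P<ttype>\w+)\)|(?P<ttype2>\w+))\. '
    r'.*?sealert -l (?P<alert>[0-9a-f-]{36})'
)

def parse_line(line):
    """Return the fields of one summary line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "source_type": m.group("source"),
        "perms": m.group("perms").split(),
        "path": m.group("path"),  # None when the line names no file
        "target_type": m.group("ttype") or m.group("ttype2"),
        "alert": m.group("alert"),
    }

def group_by_alert(text):
    """Map alert ID -> list of parsed denials, in first-seen order."""
    alerts = {}
    for line in text.splitlines():
        denial = parse_line(line)
        if denial is not None:
            alerts.setdefault(denial["alert"], []).append(denial)
    return alerts

def sealert_commands(text):
    """One 'sealert -l <id>' per distinct alert; output is what a maintainer asks for."""
    return ["sealert -l " + alert for alert in group_by_alert(text)]

if __name__ == "__main__":
    for alert, denials in group_by_alert(SAMPLE).items():
        who = ", ".join(sorted({d["comm"] for d in denials}))
        print(f"sealert -l {alert}   # {who} -> {denials[0]['target_type']}")
```

On the lines from this report, the four messages collapse to three alerts, because named-checkconf and named share one alert ID.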
