Description of problem:

Summary:
SELinux is preventing rndc (ndc_t) "read" to inotify (inotifyfs_t).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by rndc. It is not expected that this access is required by rndc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for inotify,

restorecon -v 'inotify'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context        system_u:system_r:ndc_t:s0
Target Context        system_u:object_r:inotifyfs_t:s0
Target Objects        inotify [ dir ]
Source                rndc
Source Path           /usr/sbin/rndc
Port                  <Unknown>
Host                  ls2ka.elton-intra.net
Source RPM Packages   bind-9.5.1-2.P2.fc10
Target RPM Packages
Policy RPM            selinux-policy-3.5.13-53.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           catchall_file
Host Name             ls2ka.elton-intra.net
Platform              Linux ls2ka.elton-intra.net 2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23 13:21:22 EST 2009 i686 i686
Alert Count           1
First Seen            Sun Mar 29 04:49:51 2009
Last Seen             Sun Mar 29 04:49:51 2009
Local ID              33c8b6ce-9ae0-4359-a360-de33274a5748
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1238294991.417:3231): avc: denied { read } for pid=27847 comm="rndc" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238294991.417:3231): arch=40000003 syscall=11 success=yes exit=0 a0=83117b8 a1=8311720 a2=82f27a8 a3=0 items=0 ppid=27839 pid=27847 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=69 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
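The raw audit messages above are the useful part of a setroubleshoot alert when triaging it: the AVC record carries the source type, target type, object class and permission, and the matching SYSCALL record (same event id) shows whether the call actually succeeded, which is how you can tell a permissive-mode denial from an enforced one. The following parser is an added example written for this page; it is not code from the bug report, setroubleshoot or audit2allow. It reads the two records quoted in the report (embedded as constructed sample input), pairs them by event id, flags the denial as permissive because the SYSCALL record reports success=yes, and prints the allow rule that audit2allow would derive, so an admin can compare it against what a policy update already grants before deciding a local module is needed.

```python
import re

# Constructed sample input: the two raw audit records quoted in the report above,
# one log line each (values copied from the page, nothing captured live).
SAMPLE_RECORDS = [
    'node=ls2ka.elton-intra.net type=AVC msg=audit(1238294991.417:3231): avc: denied '
    '{ read } for pid=27847 comm="rndc" path="inotify" dev=inotifyfs ino=1 '
    'scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir',
    'node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238294991.417:3231): arch=40000003 '
    'syscall=11 success=yes exit=0 a0=83117b8 a1=8311720 a2=82f27a8 a3=0 items=0 ppid=27839 '
    'pid=27847 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=69 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def kv_fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Return the type component of a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    ev = EVENT_RE.search(line)
    if not m or not ev:
        return None
    f = kv_fields(line[m.end():])          # only the fields after 'for '
    return {
        'event': ev.group(2),              # serial part of audit(ts:serial)
        'decision': m.group(1),
        'perms': m.group(2).split(),       # '{ read write }' -> ['read', 'write']
        'comm': f.get('comm'),
        'path': f.get('path'),
        'source_type': context_type(f['scontext']),
        'target_type': context_type(f['tcontext']),
        'tclass': f['tclass'],
    }


def parse_syscall(line):
    """Parse a SYSCALL record; only the fields needed for the permissive check."""
    ev = EVENT_RE.search(line)
    f = kv_fields(line)
    if not ev or f.get('type') != 'SYSCALL':
        return None
    return {'event': ev.group(2), 'success': f.get('success') == 'yes', 'exe': f.get('exe')}


def analyze(records):
    """Pair AVC and SYSCALL records by event id. A denial whose syscall still
    succeeded was logged in permissive mode (it would have failed when enforcing)."""
    avcs, calls = [], {}
    for line in records:
        a = parse_avc(line)
        if a:
            avcs.append(a)
            continue
        s = parse_syscall(line)
        if s:
            calls[s['event']] = s
    for a in avcs:
        s = calls.get(a['event'])
        a['permissive'] = a['decision'] == 'denied' and bool(s and s['success'])
    return avcs


def allow_rule(avc):
    """The allow rule audit2allow would derive from this denial, for review against
    the shipped policy before deciding whether a local module is justified."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'], avc['tclass'], perms)


if __name__ == '__main__':
    for a in analyze(SAMPLE_RECORDS):
        mode = 'permissive' if a['permissive'] else 'enforced'
        print('%s %s by %s on %s (%s): %s' % (a['decision'], a['perms'], a['comm'],
                                              a['path'], mode, allow_rule(a)))
```

Run as a script it reports the single denial as permissive and prints `allow ndc_t inotifyfs_t:dir read;`, which is the rule a local module for this alert would have contained; in this case the fix arrived as a policy package update instead, which is the normal outcome for a denial the distribution policy is expected to cover.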
Fixed in selinux-policy-3.5.13-54.fc10
It looks like this is being solved now. Close bug? I have not seen the SELinux message in the syslog for a while now.
If you verify the bug is fixed, you can close it. Thanks for confirming.