Bug 507502 - SELinux is preventing rndc (ndc_t) "read|open" security_t
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-22 22:24 EDT by Allen Kistler
Modified: 2009-07-11 17:28 EDT (History)

Fixed In Version: selinux-policy-3.6.12-62.fc11.noarch
Doc Type: Bug Fix
Last Closed: 2009-07-11 17:28:29 EDT

Description Allen Kistler 2009-06-22 22:24:34 EDT
Description of problem:
The named init script uses rndc to stop named, if rndc is configured.  However, using rndc is currently prevented by SELinux.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure /etc/named.conf to use rndc
2. start and stop named
3. look in the audit.log

Actual results:
The named init script falls back to sending TERM when rndc fails.
AVC denials are logged in the audit log. (see below)

Expected results:
named exits cleanly using rndc.
No SELinux denials.

Additional info:

Configuring named.conf to enable rndc means entering something like the following (substitute for ::1 on an IPv4 system):

// configure rndc
controls {
        inet ::1 allow { ::1; } keys { rndckey; };
};
include "/etc/rndc.key";

The denials are as follows, captured over two attempts:

type=AVC msg=audit(1245719095.806:54): avc:  denied  { read } for  pid=2830 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

type=AVC msg=audit(1245720280.106:69): avc:  denied  { open } for  pid=2950 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

I'm using the following local policy to make it work as expected:

module local 1.0;

require {
        type ndc_t;
        type security_t;
        class file { read open };
};

#============= ndc_t ==============
allow ndc_t security_t:file { read open };
Comment 1 Daniel Walsh 2009-06-23 16:56:17 EDT
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
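The two AVC records quoted in the report and the audit2allow step in Comment 1 are the same transformation: collect the denied permissions per (source type, target type, class) and emit a `.te` module. The script below is an added example, not part of this bug report or of the audit2allow tool; it parses the report's own denial lines (embedded as constructed sample input) and renders the module the reporter posted, merging `read` and `open` into one rule.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the bug description above.
AVC_LINES = """\
type=AVC msg=audit(1245719095.806:54): avc:  denied  { read } for  pid=2830 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245720280.106:69): avc:  denied  { open } for  pid=2950 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
"""

# Pull the permission set, the type fields of scontext/tcontext (user:role:TYPE:level)
# and the object class out of one "avc: denied" record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(text):
    """Return {(source_type, target_type, class): set_of_perms} for each denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted records and non-AVC lines are skipped
        rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def to_policy_module(rules, name='local', version='1.0'):
    """Render a .te module in the same layout as the one posted in the report."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['};', '']
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f'#============= {s} ==============')
        # Each generated allow rule still deserves a human review before semodule -i:
        # a denial shows what the domain tried, not that it should be permitted.
        out.append(f'allow {s} {t}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(to_policy_module(parse_avc(AVC_LINES)), end='')
```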
Comment 2 Allen Kistler 2009-06-23 20:35:02 EDT
My rndc failure was actually key-related, not related to the AVC denial.

But I can verify that the AVC messages are gone now, too.
