Description of problem:
The named init script uses rndc to stop named, if rndc is configured. However, using rndc is currently prevented by SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-50.fc11.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure /etc/named.conf to use rndc
2. start and stop named
3. look in the audit.log

Actual results:
The named init script falls back to sending TERM when rndc fails. AVC denials are logged in the audit log. (see below)

Expected results:
named exits cleanly using rndc. No SELinux denials.

Additional info:
Configuring named.conf to enable rndc means entering something like the following (substitute 127.0.0.1 for ::1 on an IPv4 system):

// configure rndc
controls {
        inet ::1 allow { ::1; } keys { rndckey; };
};
include "/etc/rndc.key";

=====

The denials are as follows, captured over two attempts:

type=AVC msg=audit(1245719095.806:54): avc: denied { read } for pid=2830 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245720280.106:69): avc: denied { open } for pid=2950 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

=====

I'm using the following local policy to make it work as expected:

module local 1.0;

require {
        type ndc_t;
        type security_t;
        class file { read open };
}

#============= ndc_t ==============
allow ndc_t security_t:file { read open };
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
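As an added illustration (not from the bug report and not code from the selinux-policy package), the following Python does by hand what the audit2allow step above does for the two denials captured in the report: it parses each AVC record, merges the denied permissions per (source type, target type, object class), and emits the same local policy module the reporter wrote. The two AVC lines are copied from the report; the regex and the helper names parse_avc / denials_to_te are my own, and permissions are emitted in sorted order.

```python
import re
from collections import defaultdict

# The two AVC records from the bug report, used as sample input.
AUDIT_LINES = """\
type=AVC msg=audit(1245719095.806:54): avc: denied { read } for pid=2830 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245720280.106:69): avc: denied { open } for pid=2950 comm="rndc" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:ndc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
""".splitlines()

# Matches the denied permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def denials_to_te(lines, module="local", version="1.0"):
    """Merge denials into one allow rule per (source, target, class) and render a .te module."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(denials_to_te(AUDIT_LINES))
```

Running it prints a module equivalent to the reporter's local policy; feeding it a real audit.log yields one rule per distinct (source, target, class) triple, which is worth reviewing before loading rather than installing blindly.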
Hmm... My rndc failure was actually key-related, not related to the AVC denial. But I can verify that the AVC messages are gone now, too.