Summary: SELinux is preventing /usr/sbin/named "write" access on named. Detailed Description: SELinux denied access requested by named. It is not expected that this access is required by named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:named_t:s0 Target Context unconfined_u:object_r:default_t:s0 Target Objects named [ dir ] Source named Source Path /usr/sbin/named Port <Unknown> Host (removed) Source RPM Packages bind-9.6.2-4.P2.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-116.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux Hossein.Laptop.F 2.6.32.12-115.fc12.i686.PAE #1 SMP Fri Apr 30 20:14:08 UTC 2010 i686 athlon Alert Count 2 First Seen Fri 11 Jun 2010 12:18:05 AM IRDT Last Seen Fri 11 Jun 2010 12:18:05 AM IRDT Local ID 4ae38806-76a0-4715-8e5d-e519280b5bf4 Line Numbers Raw Audit Messages node=Hossein.Laptop.F type=AVC msg=audit(1276199285.452:10): avc: denied { write } for pid=1740 comm="named" name="named" dev=sda5 ino=1572874 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir node=Hossein.Laptop.F type=SYSCALL msg=audit(1276199285.452:10): arch=40000003 syscall=5 success=no exit=-13 a0=c9e105 a1=c1 a2=1a4 a3=c9e105 items=0 ppid=1737 pid=1740 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null) Hash String generated from catchall,named,named_t,default_t,dir,write audit2allow suggests: #============= named_t ============== #!!!! The source type 'named_t' can write to a 'dir' of the following types: # named_var_run_t, tmp_t, named_cache_t, var_run_t, named_tmp_t, var_log_t, named_log_t, root_t allow named_t default_t:dir write;
*** Bug 602994 has been marked as a duplicate of this bug. ***
*** Bug 602996 has been marked as a duplicate of this bug. ***
*** Bug 602999 has been marked as a duplicate of this bug. ***
Try to execute # restorecon -R -v /var/named
After executing, is shown new alert, see: https://bugzilla.redhat.com/show_bug.cgi?id=603109
Did you move named directory to a different location?
*** Bug 603109 has been marked as a duplicate of this bug. ***
No, I did not move any thing but i instead of executing: # restorecon -R -v /var/named executed: # restorecon -R -v /chroot/named/var/named/ Because i run BIND DNS in chroot jail and there is not /var/named directroy.
Yes that means you changed the default. You need to do the following commands # semanage fcontext -a -t var_t '/chroot(/.*)?' # semanage fcontext -a -e /var/named /chroot/named/var/named # restorecon -R -v /choot This will tell SELinux to label everything under /chroot as var_t and everything under /chroot/named/var/named as if it was under /var/named.
I executed them but alert 2 new alarms: SELinux is preventing /usr/sbin/named "read" access on /chroot/named/etc/rndc.key. & SELinux is preventing /usr/sbin/named "write" access on /chroot/named/var/run/named. If need, I send Detailed Description and other informations that alerts show.
Actually I think you need # semanage fcontext -d -e /var/named /chroot/named/var/named # semanage fcontext -a -e /var/named/chroot /chroot/named # restorecon -R -v /chroot
OK. After executing your commands, Miroslav Grepl, named service ran successfully but after rebooting shown a SELinux alert. For repairing it, i run: setsebool -P named_write_master_zones=1 And Now all thing is OK. Thanks all.
*** Bug 609470 has been marked as a duplicate of this bug. ***