Description of problem:
This is a follow-up ticket for Bug 748366. named is still not allowed to talk to dirsrv via socket.

AVCs in /var/log/audit.log:

type=AVC msg=audit(1321976214.638:16866): avc: denied { write } for pid=20363 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=392003 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1321976214.638:16866): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7f157350ec70 a2=6e a3=7f157350e9d0 items=0 ppid=20361 pid=20363 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1321976214.640:16867): avc: denied { write } for pid=20363 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=392003 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file

audit2allow says:

#============= named_t ==============
#!!!! This avc is allowed in the current policy
allow named_t dirsrv_var_run_t:sock_file write;

#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow named_t slapd_var_run_t:sock_file write;

I think the policy should allow named_t to access both dirsrv_var_run_t:sock_file and slapd_var_run_t:sock_file as they are both owned by dirsrv.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-56.fc16.noarch

How reproducible:
Install FreeIPA server in F-16 with named support and check DNS functionality or look for AVCs in audit.log

Steps to Reproduce:
1. Install freeipa-server package from updates-testing
2. Install FreeIPA with DNS support: ipa-server-install --setup-dns
3. Check that FreeIPA with DNS is working: dig `hostname`

Actual results:
named cannot contact dirsrv.
/var/log/messages says:
Oct 24 04:44:51 vm-093 named[17903]: bind to LDAP server failed: Can't contact LDAP server

Expected results:
named is allowed to contact dirsrv and DNS functionality in FreeIPA server works.
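The report above relies on audit2allow to turn raw AVC records into the allow rule that would be needed. The following script is an added example (not from the bug reporter, FreeIPA or the selinux-policy package) that shows what that translation consists of: it pulls the source type, target type, object class and permission set out of each "avc: denied" record and emits the corresponding allow rule, ignoring the interleaved SYSCALL records. It assumes only a POSIX shell with sed and sort; the sample records are the three audit lines quoted in the report, embedded here as test input.

```shell
#!/bin/sh
# Constructed sample input: the audit records quoted in the bug report above
# (two AVC denials plus the SYSCALL record that belongs to the first one).
SAMPLE_AVCS='type=AVC msg=audit(1321976214.638:16866): avc: denied { write } for pid=20363 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=392003 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1321976214.638:16866): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7f157350ec70 a2=6e a3=7f157350e9d0 items=0 ppid=20361 pid=20363 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1321976214.640:16867): avc: denied { write } for pid=20363 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=392003 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file'

# avc_to_rule LINE
# Print the allow rule that would permit the denial described by one audit
# record, in the same form audit2allow prints it. Records that are not AVC
# denials (e.g. type=SYSCALL) produce no output. Always returns 0 so the
# function is safe inside loops run under "set -e".
avc_to_rule() {
    line=$1
    case $line in
        *"avc: denied"*) ;;
        *) return 0 ;;
    esac
    # Permission set between the braces, e.g. "write" or "read write".
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p')
    # Third colon-separated field of a context is its type.
    stype=$(printf '%s\n' "$line" | sed -n 's/.* scontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.* tcontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.* tclass=\([^ ]*\).*/\1/p')
    # Refuse to emit a half-parsed rule if any field is missing.
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 0
    # audit2allow wraps multi-permission sets in braces.
    case $perms in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avcs_to_rules < FILE
# Convert every record on stdin and collapse repeated denials (the report
# shows the same write denial twice) into one rule each.
avcs_to_rules() {
    while IFS= read -r line; do
        avc_to_rule "$line"
    done | sort -u
}

# Stand-alone run: prints the single rule derived from the sample records.
printf '%s\n' "$SAMPLE_AVCS" | avcs_to_rules
```

On the sample this prints exactly the rule audit2allow produced, `allow named_t slapd_var_run_t:sock_file write;`. What the script cannot reproduce offline is audit2allow's commentary ("allowed in the current policy", "can be allowed using the boolean ..."), which comes from querying the loaded policy; on a live system the equivalent check is `sesearch -A -s named_t -t slapd_var_run_t -c sock_file -p write` from setools, which lists the matching allow rules together with any boolean they are conditional on.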
OK, the problem is that I added rules only for dirsrv_var_run_t:sock_file.
Fixed in selinux-policy-3.10.0-59.fc16.
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16
Package selinux-policy-3.10.0-60.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-61.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.