Description of problem:
Upgrade from F18 to F19 (Rawhide).

SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound-anchor should be allowed remove_name access on the root.anchor.9143-0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                root.anchor.9143-0 [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64
                              unbound-libs-1.4.19-3.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch
                              selinux-policy-3.12.1-4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.11-3.fc18.x86_64 #1 SMP Mon Dec 17 21:35:39 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-17 16:18:33 CET
Last Seen                     2013-01-17 16:18:33 CET
Local ID                      9fa04071-fde5-42cb-ba81-ac3757a36fef

Raw Audit Messages
type=AVC msg=audit(1358435913.592:440): avc: denied { remove_name } for pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=AVC msg=audit(1358435913.592:440): avc: denied { rename } for pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

type=AVC msg=audit(1358435913.592:440): avc: denied { unlink } for pid=9143 comm="unbound-anchor" name="root.anchor" dev="dm-3" ino=541679 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1358435913.592:440): arch=x86_64 syscall=rename success=yes exit=0 a0=7fff679f6d10 a1=e10ea0 a2=e10ea0 a3=7fff679f6a70 items=0 ppid=1 pid=9143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,remove_name

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };

audit2allow -R

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.11-3.fc18.x86_64
type:           libreport
Upgrade from F18 to F19 (Rawhide).
Package: (null)
OS Release: Fedora release 19 (Rawhide)
*** Bug 896601 has been marked as a duplicate of this bug. ***
Could it be moved to /var/lib/unbound? Basically we label the /etc/unbound dir as named_conf_t, which is a read-only type.
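Added example, not part of the bug report and not setroubleshoot or audit2allow code: a Python triage script that rebuilds the allow rules from the three AVC records in the report and flags those that would grant write-type permissions on named_conf_t, the type the comment above describes as read-only. The READ_ONLY_TYPES and WRITE_PERMS sets and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The three AVC records from the report above (pid/dev/ino fields trimmed).
SAMPLE = '''\
type=AVC msg=audit(1358435913.592:440): avc: denied { remove_name } for comm="unbound-anchor" name="root.anchor.9143-0" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=AVC msg=audit(1358435913.592:440): avc: denied { rename } for comm="unbound-anchor" name="root.anchor.9143-0" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1358435913.592:440): avc: denied { unlink } for comm="unbound-anchor" name="root.anchor" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# Assumption of this example: types meant to be read-only for the daemon
# (named_conf_t per the comment above) and the permissions that modify them.
READ_ONLY_TYPES = {"named_conf_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "link", "add_name", "remove_name", "rmdir"}

def collect(log):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log):
        # An SELinux context is user:role:type:level; the type is field 3.
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        rules[key].update(perms.split())
    return rules

def render(rules):
    """Format grouped denials the way audit2allow prints allow rules."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out

def writes_to_read_only(rules):
    """Rules that would let a domain modify a read-only type: a sign that
    the data should be moved or relabeled rather than allowed locally."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in READ_ONLY_TYPES and perms & WRITE_PERMS)

if __name__ == "__main__":
    rules = collect(SAMPLE)
    print("\n".join(render(rules)))
    for src, tgt, tclass in writes_to_read_only(rules):
        print(f"review: {src} would modify read-only {tgt}:{tclass}")
```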
Reassigning to unbound, IIRC this was discussed two weeks ago
*** Bug 905147 has been marked as a duplicate of this bug. ***
This happened to me after an upgrade _to_ F18 (see duplicate above).
We're about to release an update for this.
Stock unbound won't start with SELinux enabled
Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
*** This bug has been marked as a duplicate of bug 891008 ***
unbound-1.4.20-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/unbound-1.4.20-1.el6
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
unbound-1.4.21-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6
unbound-1.4.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.