Bug 896599 - SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: unbound (Show other bugs)
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:2eb2163127bfdd45f2d83b7ca20...
Duplicates: 896601 905147
Reported: 2013-01-17 10:28 EST by Martin
Modified: 2014-09-14 20:04 EDT (History)
CC: 9 users

Fixed In Version: unbound-1.4.21-1.el6
Doc Type: Bug Fix
Last Closed: 2013-04-11 11:55:19 EDT
Attachments: None
Description Martin 2013-01-17 10:28:53 EST
Description of problem:
Upgrade from F18 to F19 (Rawhide).
SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.9143-0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound-anchor should be allowed remove_name access on the root.anchor.9143-0 directory by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                root.anchor.9143-0 [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64 unbound-libs-1.4.19-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-67.fc18.noarch selinux-policy-3.12.1-4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.11-3.fc18.x86_64 #1 SMP Mon Dec 17 21:35:39 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-17 16:18:33 CET
Last Seen                     2013-01-17 16:18:33 CET
Local ID                      9fa04071-fde5-42cb-ba81-ac3757a36fef

Raw Audit Messages
type=AVC msg=audit(1358435913.592:440): avc:  denied  { remove_name } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir

type=AVC msg=audit(1358435913.592:440): avc:  denied  { rename } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

type=AVC msg=audit(1358435913.592:440): avc:  denied  { unlink } for  pid=9143 comm="unbound-anchor" name="root.anchor" dev="dm-3" ino=541679 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1358435913.592:440): arch=x86_64 syscall=rename success=yes exit=0 a0=7fff679f6d10 a1=e10ea0 a2=e10ea0 a3=7fff679f6a70 items=0 ppid=1 pid=9143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,remove_name

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };

audit2allow -R

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;
allow named_t named_conf_t:file { rename unlink };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.11-3.fc18.x86_64
type:           libreport
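Added worked example (editor's code, not part of the original report and not from the unbound or selinux-policy projects): a small Python script that reduces raw AVC records like the ones quoted above to the same per-type allow rules that audit2allow prints, then flags any rule that would hand write-like permissions to a type that is meant to stay read-only. It encodes two caveats worth keeping in mind when reading this report. First, on a dir-class remove_name denial the name= field is the directory entry being removed (here the temporary file root.anchor.9143-0), not the directory itself, so setroubleshoot's "directory root.anchor.9143-0" wording is loose; the directory is /etc/unbound. Second, the host was in Permissive mode, which is why the SYSCALL record says success=yes: the rename went through and the denials were only logged. The sample log below is a constructed copy of the three AVC lines from this report plus a shortened SYSCALL line; the read-only type set {named_conf_t} is taken from comment 3 and passed in as an assumption, and the WRITE_LIKE permission set is a heuristic of the example, not something read from policy. The point of the warning is that the suggested audit2allow -M mypol; semodule -i mypol.pp path would make the config type writable by named_t, which is the opposite of what a read-only config label is for, and why relocating the file (as the maintainers did) is the right fix.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the bug description
# plus a shortened SYSCALL record, embedded here so the example runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1358435913.592:440): avc:  denied  { remove_name } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=AVC msg=audit(1358435913.592:440): avc:  denied  { rename } for  pid=9143 comm="unbound-anchor" name="root.anchor.9143-0" dev="dm-3" ino=522349 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1358435913.592:440): avc:  denied  { unlink } for  pid=9143 comm="unbound-anchor" name="root.anchor" dev="dm-3" ino=541679 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1358435913.592:440): arch=x86_64 syscall=rename success=yes exit=0 pid=9143 comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (example's own, not from policy): permissions that modify an
# object or the entries of a directory.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "add_name", "remove_name", "rmdir", "link"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        # For tclass=dir with remove_name/add_name this is the entry name,
        # not the directory; for tclass=file it is the file itself.
        "name": fields.get("name", ""),
    }


def type_of(context):
    """user:role:type[:range] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Group denials the way audit2allow does: (stype, ttype, tclass) -> perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the grouped denials as policy allow statements."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out


def risky_rules(rules, read_only_types):
    """Rules that would grant write-like access to a type meant to be read-only."""
    return [(s, t, c, sorted(perms & WRITE_LIKE))
            for (s, t, c), perms in sorted(rules.items())
            if t in read_only_types and perms & WRITE_LIKE]


def removed_entries(log_text):
    """Entry names from dir-class remove_name denials (what was unlinked/renamed away)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "dir" and "remove_name" in rec["perms"]:
            out.append(rec["name"])
    return out


if __name__ == "__main__":
    rules = summarize(SAMPLE_AUDIT_LOG)
    for r in allow_rules(rules):
        print(r)
    for s, t, c, perms in risky_rules(rules, {"named_conf_t"}):
        print(f"WARNING: {s} would gain {perms} on read-only type {t} ({c})")
    print("entries removed from directory:", removed_entries(SAMPLE_AUDIT_LOG))
```

Run it as a script to see the two allow lines match the audit2allow output in the report, followed by a warning for each of them. Feeding it a real /var/log/audit/audit.log works the same way; the warning list is what to read before loading anything audit2allow produced, since the tool will happily grant a daemon write access to its own config type.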
Comment 1 Martin 2013-01-17 10:30:12 EST
Upgrade from F18 to F19 (Rawhide).

Package: (null)
OS Release: Fedora release 19 (Rawhide)
Comment 2 Miroslav Grepl 2013-01-17 17:13:12 EST
*** Bug 896601 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2013-01-17 17:16:28 EST
Could it be moved to /var/lib/unbound?

Basically we label the /etc/unbound dir as named_conf_t, which is a read-only type.
Comment 4 Adam Tkac 2013-01-18 06:57:04 EST
Reassigning to unbound, IIRC this was discussed two weeks ago
Comment 5 Alan Jenkins 2013-01-28 12:12:25 EST
*** Bug 905147 has been marked as a duplicate of this bug. ***
Comment 6 Alan Jenkins 2013-01-28 12:18:03 EST
This happened to me after an upgrade _to_ F18 (see duplicate above).
Comment 7 Paul Wouters 2013-01-28 14:10:59 EST
We're about to release an update for this.
Comment 8 Seb L. 2013-02-01 10:03:24 EST
Stock unbound won't start with SELinux enabled

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Fedora End Of Life 2013-04-03 15:41:30 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 10 Paul Wouters 2013-04-11 11:55:19 EDT

*** This bug has been marked as a duplicate of bug 891008 ***
Comment 11 Fedora Update System 2013-04-16 12:58:37 EDT
unbound-1.4.20-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.el6
Comment 12 Fedora Update System 2013-04-16 23:04:41 EDT
unbound-1.4.20-6.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-6.fc19
Comment 13 Fedora Update System 2013-04-17 00:24:04 EDT
unbound-1.4.20-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-1.fc18
Comment 14 Fedora Update System 2013-04-19 11:01:10 EDT
unbound-1.4.20-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unbound-1.4.20-7.fc19
Comment 15 Fedora Update System 2013-06-01 00:07:35 EDT
unbound-1.4.20-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/unbound-1.4.20-3.fc18
Comment 16 Fedora Update System 2013-06-11 05:07:00 EDT
unbound-1.4.20-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2013-09-19 13:17:40 EDT
unbound-1.4.21-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/unbound-1.4.21-1.el6
Comment 18 Fedora Update System 2013-10-10 14:33:13 EDT
unbound-1.4.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.