First Last Prev Next    This bug is not in your last search results.
Bug 964230 - SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.1109-0.
SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:2eb2163127bfdd45f2d83b7ca20...
:
: 964238 964242 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-17 11:20 EDT by Moez Roy
Modified: 2013-06-14 07:40 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-14 07:40:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Moez Roy 2013-05-17 11:20:00 EDT 
Description of problem:
SELinux is preventing /usr/sbin/unbound-anchor from 'remove_name' accesses on the directory root.anchor.1109-0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that unbound-anchor should be allowed remove_name access on the root.anchor.1109-0 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep unbound-anchor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:named_conf_t:s0
Target Objects                root.anchor.1109-0 [ dir ]
Source                        unbound-anchor
Source Path                   /usr/sbin/unbound-anchor
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           unbound-libs-1.4.19-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-94.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.x86_64 #1 SMP Mon
                              May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-17 08:17:28 PDT
Last Seen                     2013-05-17 08:17:28 PDT
Local ID                      6e61a959-8bdb-45d9-9eda-3c24ba467e36

Raw Audit Messages
type=AVC msg=audit(1368803848.699:243): avc:  denied  { remove_name } for  pid=1109 comm="unbound-anchor" name="root.anchor.1109-0" dev="dm-0" ino=3016205 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir


type=SYSCALL msg=audit(1368803848.699:243): arch=x86_64 syscall=rename success=no exit=EACCES a0=7fff89277fd0 a1=2365c60 a2=2365c60 a3=396c3b1798 items=0 ppid=1 pid=1109 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=unbound-anchor exe=/usr/sbin/unbound-anchor subj=system_u:system_r:named_t:s0 key=(null)

Hash: unbound-anchor,named_t,named_conf_t,dir,remove_name

audit2allow

#============= named_t ==============
allow named_t named_conf_t:dir remove_name;

audit2allow -R
require {
	type named_t;
}

#============= named_t ==============
bind_manage_config_dirs(named_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.x86_64
type:           libreport

Potential duplicate: bug 896599
Comment 1 Daniel Walsh 2013-05-17 17:12:35 EDT 
*** Bug 964238 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2013-05-17 17:13:35 EDT 
*** Bug 964242 has been marked as a duplicate of this bug. ***
Comment 3 Moez Roy 2013-06-14 07:40:02 EDT 
I am closing this right now, as unbound was updated and I think that update fixed many AVCs. I will re-open if it is not fixed. thanks all.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.