| Field | Value |
|---|---|
| Summary | sec-policy/selinux-bind-2.20120725-r6: broken admin interface, no right to execute named init script |
| Product | Gentoo Linux |
| Reporter | Vincent Brillault <gentoo> |
| Component | SELinux |
| Assignee | Matthew Thode (prometheanfire) <prometheanfire> |
| Status | VERIFIED FIXED |
| Severity | blocker |
| CC | selinux |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | sec-policy r7 |
| Package list | |
| Runtime testing required | --- |
Description

Vincent Brillault, 2012-11-03 20:45:12 UTC

well, didn't work for me, here is the full audit log without dontaudit enabled.

```
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute } for pid=22088 comm="bash" name="named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute_no_trans } for pid=22088 comm="bash" path="/etc/init.d/named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.042:693395): avc: denied { getattr } for pid=22088 comm="rc" path="/etc/init.d/php-fpm" dev="vda3" ino=9069 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file
type=AVC msg=audit(1352233096.311:693396): avc: denied { audit_control } for pid=22114 comm="rc" capability=30 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability
type=AVC msg=audit(1352233096.321:693398): avc: denied { execute } for pid=22114 comm="rc" name="named" dev="dm-0" ino=19623 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_exec_t tclass=file
type=AVC msg=audit(1352233096.321:693398): avc: denied { execute_no_trans } for pid=22114 comm="rc" path="/usr/sbin/named" dev="dm-0" ino=19623 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_exec_t tclass=file
type=AVC msg=audit(1352233096.347:693399): avc: denied { setrlimit } for pid=22115 comm="named" ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process
type=AVC msg=audit(1352233096.362:693400): avc: denied { name_bind } for pid=22116 comm="named" src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
type=AVC msg=audit(1352233096.366:693401): avc: denied { name_bind } for pid=22116 comm="named" src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=tcp_socket
type=AVC msg=audit(1352233096.366:693401): avc: denied { node_bind } for pid=22116 comm="named" saddr=127.0.0.1 src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
type=AVC msg=audit(1352233096.403:693402): avc: denied { name_bind } for pid=22116 comm="named" src=953 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:rndc_port_t tclass=tcp_socket
type=AVC msg=audit(1352233096.442:693403): avc: denied { name_bind } for pid=22116 comm="named" src=28813 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
type=AVC msg=audit(1352233096.503:693404): avc: denied { name_bind } for pid=22118 comm="named" src=10200 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:trisoap_port_t tclass=udp_socket
```

well, now it worked..

also, the fix is upstreamed

r7 is now in hardened-dev

In main tree, ~arch'ed

r8 is now stable
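As an added example (not from the bug report or from the Gentoo policy tree), a small Python triage script over AVC records taken from the log above: it parses each denial, unions the denied permissions per (source type, target type, class) the way audit2allow does, and flags the two patterns in this log that should not be turned into allow rules, an unlabeled_t target (a labeling problem) and execute_no_trans on an *_exec_t file (a missing domain transition). The verdict heuristic, the function names and the four-record sample are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: four records copied verbatim from the audit log in this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute } for pid=22088 comm="bash" name="named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.023:693394): avc: denied { execute_no_trans } for pid=22088 comm="bash" path="/etc/init.d/named" dev="vda3" ino=8691 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:named_initrc_exec_t tclass=file
type=AVC msg=audit(1352233096.042:693395): avc: denied { getattr } for pid=22088 comm="rc" path="/etc/init.d/php-fpm" dev="vda3" ino=9069 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file
type=AVC msg=audit(1352233096.362:693400): avc: denied { name_bind } for pid=22116 comm="named" src=53 ipaddr=10.0.3.42 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus a perms set."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial (e.g. a SYSCALL record)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def seltype(ctx):
    return ctx.split(":")[2]  # type component of user:role:type[:range]

def group_denials(log_text):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (seltype(rec["scontext"]), seltype(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return dict(groups)

def triage(groups):
    """Heuristic verdict per group: 'relabel', 'missing_transition' or 'allow'."""
    verdicts = {}
    for key, perms in groups.items():
        if key[1] == "unlabeled_t":
            verdicts[key] = "relabel"  # object has no label: restorecon, not an allow rule
        elif "execute_no_trans" in perms and key[1].endswith("_exec_t"):
            verdicts[key] = "missing_transition"  # caller kept its own domain
        else:
            verdicts[key] = "allow"  # candidate allow rule, still needs human review
    return verdicts

def to_allow_rules(groups):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(groups.items())]  # audit2allow-style rendering
```

In the full log above, every record after the execute_no_trans denial on named_initrc_exec_t (setrlimit, name_bind on dns_port_t and rndc_port_t, and so on) carries comm="named" with scontext sysadm_t, i.e. the daemon is running in the admin's own domain because no transition happened. Those are symptoms of the missing transition, so allow rules on sysadm_t for them would paper over the gap that the policy fix actually closed.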