SELinux questions, upon restarting BIND




Hi all,

On my newly up-and-running nameserver (CentOS 5), I noticed the
following alerts in /var/log/messages after restarting BIND.  (lines
inserted to aid in reading).
As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an
issue which simply *must* be addressed, or if it's something I should
live with, and 2) how to eliminate the warning messages without
sacrificing SELinux protections.  The system does not have X installed,
so 'setroubleshoot' isn't an option (unless there's a text equivalent).

Thanks in advance for any opinions/suggestions/enlightenments :)

~Ray

=============================================
Aug 16 07:12:23 sunspot setroubleshoot:      SELinux is preventing
/usr/sbin/named (named_t) "getattr" access to /dev/random
(tmpfs_t).      For complete SELinux messages. run sealert -l
1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
=============================================
Aug 16 07:12:23 sunspot setroubleshoot:      SELinux is preventing
/usr/sbin/named (named_t) "read" access to random (tmpfs_t).      For
complete SELinux messages. run sealert -l
b7014747-0d8d-443e-8b9a-af868976452d
=============================================

With apologies for the verbosity here, I'm including the output of the
sealert commands here.

=============================================
result of sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a:

[root@sunspot ray]# /usr/bin/sealert -l b7014747-0d8d-443e-8b9a-af868976452d
Summary
    SELinux is preventing /usr/sbin/named (named_t) "read" access to random
    (tmpfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/named. It is not expected that
    this access is required by /usr/sbin/named and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for random, restorecon -v random.
    There is currently no automatic way to allow this access. Instead, you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "named_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P named_disable_trans=1."

    The following command will allow this access:
    setsebool -P named_disable_trans=1

Additional Information

Source Context                user_u:system_r:named_t
Target Context                system_u:object_r:tmpfs_t
Target Objects                random [ chr_file ]
Affected RPM Packages         bind-9.3.3-7.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.disable_trans
Host Name                     sunspot
Platform                      Linux sunspot 2.6.18-8.el5 #1 SMP Thu Mar 15
                              19:57:35 EDT 2007 i686 athlon
Alert Count                   12
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25
exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random"
pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25
subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file
tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25

=============================================

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
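As an added example (not from the post or the CentOS list), the snippet below parses the raw AVC record quoted above and tells a mislabelled target (the sealert text itself points at restorecon for this case) apart from a genuine policy gap, so a defender reaches for relabelling before a custom module or the named_disable_trans boolean; the expected-type table is an assumption about the reference policy, not something the post states.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed copy of the raw AVC message from the post (it is hard-wrapped
# there; joined here into one record so it can be parsed).
AVC_LINE = (
    'avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25 '
    'exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random" '
    'pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 '
    'subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file '
    'tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25'
)

# Assumed expected SELinux types for well-known device nodes, as the reference
# policy labels them. This table is an assumption, not taken from the post.
EXPECTED_TYPES = {"random": "random_device_t", "urandom": "urandom_device_t"}

Record = Dict[str, Union[str, List[str]]]


def parse_avc(line: str) -> Optional[Record]:
    """Split an 'avc: denied { perm } for key=value ...' record into a dict."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec: Record = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; keep the type field separately,
    # since the type is what the allow rules are written against.
    for side in ("scontext", "tcontext"):
        ctx = rec.get(side)
        if isinstance(ctx, str):
            rec[side + "_type"] = ctx.split(":")[2]
    return rec


def classify(rec: Record) -> str:
    """'mislabel' when the target's type differs from the expected one for that
    object name (fix: restorecon), 'policy-gap' when the label is already right
    and policy still denies (needs a policy decision), otherwise 'unknown'."""
    name, ttype = rec.get("name"), rec.get("tcontext_type")
    expected = EXPECTED_TYPES.get(name if isinstance(name, str) else "")
    if expected is None or ttype is None:
        return "unknown"
    return "mislabel" if ttype != expected else "policy-gap"
```

Note that the sealert output above reports Enforcing Mode "Permissive", so the denial was logged but not actually blocking named at the time.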
