Daniel B. Thurman wrote:
>
> I am trying to setup a 2nd private DNS server in my private
> network, behind the firewall (with DNS access enabled) and
> I am able to resolve all of my local systems. However, I have
> some problems. One involves SELinux and the other involves
> forwarding as shown below:
>
> 1) SELinux errors are reported only when starting/stopping/restarting
> named.
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:named_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source named-checkconf
> Source Path /usr/sbin/named-checkconf
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages bind-9.5.0-26.b3.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID 7faef252-f1ea-4e36-8f51-167799fcb429
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.808:4122): arch=40000003 syscall=11 success=yes exit=0 a0=9b05a68 a1=9b05e38 a2=9b04fe0 a3=0 items=0 ppid=7036 pid=7037 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:ndc_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source rndc
> Source Path /usr/sbin/rndc
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages bind-9.5.0-26.b3.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:23 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID cc0e5f4b-aa41-4543-9569-df7d65f83f1c
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.905:4123): arch=40000003 syscall=11 success=yes exit=0 a0=90000d0 a1=9000078 a2=8fe12e0 a3=0 items=0 ppid=7055 pid=7064 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
> Source Context system_u:system_r:mount_t:s0
> Target Context system_u:system_r:unconfined_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source umount
> Source Path /bin/umount
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages util-linux-ng-2.13.1-2.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-101.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.24.7-92.fc8 #1 SMP Wed May 7 16:50:09 EDT 2008 i686 i686
> Alert Count 4
> First Seen Mon 02 Jun 2008 10:00:25 AM PDT
> Last Seen Mon 02 Jun 2008 10:01:43 AM PDT
> Local ID 439fbb1b-17d2-40b4-9242-744d5d69e303
> Line Numbers
> Raw Audit Messages
> host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
>
> host=gold.cdkkt.com type=SYSCALL msg=audit(1212426103.790:4120): arch=40000003 syscall=11 success=yes exit=0 a0=870e610 a1=86e8fa8 a2=86eb2e0 a3=0 items=0 ppid=7014 pid=7034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
> ++++++++++++++++++++++++++++++++++++++++++++++
>
> 2) Forwarders do not work:
> ++++++++++++++++++++++++++++++++++++++++++++++
> ** server can't find msn.com: NXDOMAIN
> ++++++++++++++++++++++++++++++++++++++++++++++
>
>
> Please advise,
> Dan

This looks like either a leaked file descriptor, which can be ignored/dontaudited. Or it could be a redirection of the terminal to a unix_stream_socket.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
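The reply's diagnosis rests on one detail of the AVC records: all three denials are `read write` on an anonymous `socket:[874313]` whose label is `unconfined_t`, a process domain that `named_t`, `ndc_t` and `mount_t` could not have created. Sockets carry their creator's domain, so the only way a confined child can hold such a descriptor is to have inherited it across exec from the unconfined shell or init script that started it. The script below is an added example, not code from the post or from the Fedora SELinux project: it parses the three raw AVC lines quoted above, applies that inherited-descriptor heuristic (anonymous object, descriptor-only permissions, target type different from the source type), and emits an audit2allow-style `dontaudit` module for only the denials that match. The module name `leaked_fd_silence`, the permission set `FD_USE_PERMS` and the classification labels are assumptions of this example, not setroubleshoot or audit2allow output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The three AVC records from the post, each re-joined onto a single line.
SAMPLE_AVC = """\
host=gold.cdkkt.com type=AVC msg=audit(1212426103.808:4122): avc: denied { read write } for pid=7037 comm="named" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=AVC msg=audit(1212426103.905:4123): avc: denied { read write } for pid=7064 comm="rndc" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
host=gold.cdkkt.com type=AVC msg=audit(1212426103.790:4120): avc: denied { read write } for pid=7034 comm="mount" path="socket:[874313]" dev=sockfs ino=874313 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Anonymous kernel objects have no filesystem name; a process can only reach one
# through a descriptor it already holds (created itself or inherited across exec).
ANON_PATH_RE = re.compile(r"^(socket|pipe|anon_inode):\[")
# Permissions that only use an already-open descriptor (no open/connect/create).
# This set is an assumption of the example, not an SELinux policy constant.
FD_USE_PERMS = {"read", "write", "getattr", "ioctl", "append", "lock"}


@dataclass(frozen=True)
class Avc:
    serial: str
    perms: tuple
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # contexts are user:role:type:level

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str):
    """Parse one raw AVC audit record; return None for records that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    serial = re.search(r"msg=audit\(([^)]*)\)", line)
    return Avc(
        serial=serial.group(1) if serial else "",
        perms=tuple(sorted(m.group("perms").split())),
        comm=fields.get("comm", ""),
        path=fields.get("path", ""),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def classify(avc: Avc) -> str:
    """'leaked_fd' when the object is anonymous, is touched only with descriptor
    permissions, and is labelled with a domain other than the denied process's.
    Sockets are labelled with their creator's domain, so named_t cannot have made
    a unix_stream_socket labelled unconfined_t; the descriptor was inherited."""
    if (ANON_PATH_RE.match(avc.path)
            and set(avc.perms) <= FD_USE_PERMS
            and avc.target_type != avc.source_type):
        return "leaked_fd"
    return "investigate"


def triage(audit_text: str):
    """Return one (comm, source_type, target_type, verdict) tuple per denial."""
    rows = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            rows.append((avc.comm, avc.source_type, avc.target_type, classify(avc)))
    return rows


def dontaudit_module(audit_text: str, name: str = "leaked_fd_silence") -> str:
    """Emit a policy module (audit2allow style) that dontaudits only the denials
    classified as leaked descriptors, merging permissions per (source, target, class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and classify(avc) == "leaked_fd":
            rules[(avc.source_type, avc.target_type, avc.tclass)].update(avc.perms)
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for row in triage(SAMPLE_AVC):
        print(row)
    print(dontaudit_module(SAMPLE_AVC))
```

The heuristic flags both of the reply's possibilities the same way, because a terminal redirected to a unix socket is also a descriptor the daemon inherited rather than opened; what it will not do is silence a denial on a named object such as a zone file, which keeps `investigate` and still needs a real policy decision. Run on the post's three records it produces one `dontaudit` line each for `named_t`, `ndc_t` and `mount_t` against `unconfined_t:unix_stream_socket { read write }`.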