Hi all,
On my newly up-and-running nameserver (CentOS 5), I noticed the
following alerts in /var/log/messages after restarting BIND. (lines
inserted to aid in reading).
As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an
issue which simply *must* be addressed, or if it's something I should
live with, and 2) how to eliminate the warning messages without
sacrificing SELinux protections. The system does not have X installed,
so 'setroubleshoot' isn't an option (unless there's a text
equivalent).
Thanks in advance for any opinions/suggestions/enlightenments :)
~Ray
============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "read" access to random (tmpfs_t). For complete SELinux messages. run sealert -l b7014747-0d8d-443e-8b9a-af868976452d
============================================
With apologies for the verbosity, I'm including the output of the sealert commands here.
============================================
result of sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a:
[root@sunspot ray]# /usr/bin/sealert -l b7014747-0d8d-443e-8b9a-af868976452d
Summary

SELinux is preventing /usr/sbin/named (named_t) "read" access to random (tmpfs_t).

Detailed Description

SELinux denied access requested by /usr/sbin/named. It is not expected that this access is required by /usr/sbin/named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for random, restorecon -v random. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "named_disable_trans" boolean to true will disable SELinux protection for this application: "setsebool -P named_disable_trans=1."

The following command will allow this access:
setsebool -P named_disable_trans=1

Additional Information

Source Context            user_u:system_r:named_t
Target Context            system_u:object_r:tmpfs_t
Target Objects            random [ chr_file ]
Affected RPM Packages     bind-9.3.3-7.el5 [application]
Policy RPM                selinux-policy-2.4.6-30.el5
Selinux Enabled           True
Policy Type               targeted
MLS Enabled               True
Enforcing Mode            Permissive
Plugin Name               plugins.disable_trans
Host Name                 sunspot
Platform                  Linux sunspot 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 athlon
Alert Count               12
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25 exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random" pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25
============================================
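The raw audit message is the thing to reason from, and it gives the answer away: the object is named random, its class is chr_file, but its type is tmpfs_t, whereas the targeted policy labels /dev/random random_device_t. That is the "labeling problems" case sealert mentions, and restorecon on the node is the fix to try first; named_disable_trans is the one the tool itself warns against, since it stops named from entering named_t at all. The Python below is an added example, not part of Ray's post and not code from setroubleshoot or audit2allow: it parses raw AVC lines, folds them into the allow rule audit2allow would produce, and flags a device node whose type does not match the label the policy expects. The sample lines are constructed from the post (the getattr line is reconstructed, as only its summary appears on the page); EXPECTED_DEVICE_TYPES and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input. The first line is the raw AVC message quoted in the post
# (rejoined onto one line); the second is a reconstruction of the "getattr" denial,
# for which the post shows only the setroubleshoot summary, not the raw audit line.
SAMPLE_AVC = [
    'avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25 '
    'exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random" '
    'pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 '
    'subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file '
    'tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25',
    'avc: denied { getattr } for comm="named" dev=dm-0 egid=25 euid=25 '
    'exe="/usr/sbin/named" fsgid=25 fsuid=25 gid=25 items=0 name="random" '
    'pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 '
    'subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file '
    'tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25',
]

# Assumption: the types the targeted (refpolicy-derived) policy assigns to these
# device nodes; extend this table for whatever nodes a confined daemon touches.
EXPECTED_DEVICE_TYPES = {
    "random": "random_device_t",
    "urandom": "urandom_device_t",
    "null": "null_device_t",
    "zero": "zero_device_t",
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that matter for a policy decision, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A context is user:role:type[:level]; only the type takes part in allow rules.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return {
        "perms": sorted(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def allow_rules(denials):
    """Aggregate denials the way audit2allow does: one rule per (source, target, class)."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


def triage(denial):
    """Decide whether a denial looks like a mislabelled object or a real policy gap.

    A chr_file called 'random' carrying tmpfs_t instead of random_device_t is a
    labelling problem: the fix is restorecon on the node, not a new allow rule and
    not switching off the domain transition with named_disable_trans.
    """
    expected = EXPECTED_DEVICE_TYPES.get(denial["name"])
    if denial["tclass"] == "chr_file" and expected and expected != denial["ttype"]:
        return ("relabel",
                "%s is labelled %s but the policy expects %s; fix with "
                "restorecon -v <path to %s> (matchpathcon <path> shows the expected label)"
                % (denial["name"], denial["ttype"], expected, denial["name"]))
    return ("policy",
            "label matches expectations; if the access is legitimate, build a local "
            "module: audit2allow -M local < denials.log && semodule -i local.pp")


def triage_log(lines):
    """Parse every AVC line, returning the candidate rules and a verdict per denial."""
    denials = [d for d in (parse_avc(l) for l in lines) if d]
    return {"rules": allow_rules(denials), "verdicts": [triage(d) for d in denials]}


if __name__ == "__main__":
    result = triage_log(SAMPLE_AVC)
    for rule in result["rules"]:
        print("candidate rule:", rule)
    for kind, advice in result["verdicts"]:
        print("%-8s %s" % (kind, advice))
```

On the two denials from the post, the candidate rule collapses to `allow named_t tmpfs_t:chr_file { getattr read };` and the verdict for both is relabel. Only when matchpathcon agrees with the label already on the node is that rule worth loading as a local module; loading it while the node is mislabelled just teaches named_t to read arbitrary tmpfs_t character devices.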