As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.
Thanks in advance, ~Ray
==========Original Posts follow========== (full output is in the original thread)
Ray Leventhal wrote:
Hi all,
On my newly up-and-running nameserver (CentOS 5), I noticed the following alerts in /var/log/messages after restarting BIND (lines inserted to aid in reading). As I'm new to SELinux, I'm hoping for some pointers on 1) if this is an issue which simply *must* be addressed, or if it's something I should live with, and 2) how to eliminate the warning messages without sacrificing SELinux protections. The system does not have X installed, so 'setroubleshoot' isn't an option (unless there's a text equivalent).
Thanks in advance for any opinions/suggestions/enlightenments :)
~Ray
=============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
=============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "read" access to random (tmpfs_t). For complete SELinux messages. run sealert -l b7014747-0d8d-443e-8b9a-af868976452d
=============================================
<big output snip>
Update:
A bit of searching found a thread which pointed here: http://www.webservertalk.com/message1323968.html
This is a talk about Bind 9.x on RHEL4, but I think it applies to C5 as well, as the issue is SELinux and chrooted BIND implementations.
Problem is, I'm still not sure what should be done. I'd rather not disable SELinux protection by doing this:
setsebool -P named_disable_trans=1
...but the instructions for alerting SELinux to the chrooted file locations are a bit short of my (inexperienced) needs.
Any help would be greatly appreciated.
@Moderator: if this is truly off-topic, my apologies. Please let me know and I will post to an SELinux list.
TIA, ~Ray
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I am hesitant to offer suggestions for RHELv5 selinux since I haven't spent any time playing with it but would definitely recommend that you join the selinux list...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
where you will get definitive and correct answers to selinux issues
Craig
On Fri, 2007-08-17 at 09:16 -0400, Ray Leventhal wrote:
On Fri, 2007-08-17 at 09:16 -0400, Ray Leventhal wrote:
As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.
Thanks in advance, ~Ray
==========Original Posts follow========== (full output is in the original thread)
Ray Leventhal wrote:
<snip>
Craig White wrote:
I am hesitant to offer suggestions for RHELv5 selinux since I haven't spent any time playing with it but would definitely recommend that you join the selinux list...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
where you will get definitive and correct answers to selinux issues
Craig
Hi Craig, et al,
Thanks for the pointer. I did sign up with the SELinux list from NSA, but it's not exactly what I'd been hoping to find. I'll have at the Fedora list, as suggested.
Kind regards, ~Ray
On Fri August 17 2007 09:16, Ray Leventhal wrote:
As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.
OK, are you running named in a chroot env?
=============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
=============================================
Have you done the above to get the complete message?
Robert Spangler wrote:
On Fri August 17 2007 09:16, Ray Leventhal wrote:
As this remains an issue for me, I'm reposting. Please forgive the redundancy, but I've been unable to find the answer and am hoping for some guidance.
OK, are you running named in a chroot env?
=============================================
Aug 16 07:12:23 sunspot setroubleshoot: SELinux is preventing /usr/sbin/named (named_t) "getattr" access to /dev/random (tmpfs_t). For complete SELinux messages. run sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a
=============================================
Have you done the above to get the complete message?
Hi Robert,
Yes, to both. My original post contained the output which is also here (below) for ease of review:
Any suggestions would be greatly appreciated.
Kind regards, ~Ray
=============================================
result of sealert -l 1ab129b8-9f9f-48ae-a67e-d52f63a5fb5a:

[root@sunspot ray]# /usr/bin/sealert -l b7014747-0d8d-443e-8b9a-af868976452d

Summary
SELinux is preventing /usr/sbin/named (named_t) "read" access to random (tmpfs_t).

Detailed Description
SELinux denied access requested by /usr/sbin/named. It is not expected that this access is required by /usr/sbin/named and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for random, restorecon -v random. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "named_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P named_disable_trans=1."

The following command will allow this access: setsebool -P named_disable_trans=1

Additional Information
Source Context          user_u:system_r:named_t
Target Context          system_u:object_r:tmpfs_t
Target Objects          random [ chr_file ]
Affected RPM Packages   bind-9.3.3-7.el5 [application]
Policy RPM              selinux-policy-2.4.6-30.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.disable_trans
Host Name               sunspot
Platform                Linux sunspot 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 athlon
Alert Count             12
Line Numbers

Raw Audit Messages
avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25 exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random" pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25
=============================================
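Added example, not from any poster on this thread: a POSIX sh triage of the raw AVC line quoted above, to decide between a relabel (the labeling problem sealert itself mentions) and a scoped local policy module before reaching for named_disable_trans. It assumes only the audit-line field layout shown in the thread; no chroot path is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage the raw AVC line that sealert printed so the
# denial can be answered with a relabel or a scoped policy module rather than with
# "setsebool -P named_disable_trans=1", which removes SELinux confinement from named entirely.
# Constructed sample: the audit message quoted in the thread, embedded verbatim.
AVC_LINE='avc: denied { read } for comm="named" dev=dm-0 egid=25 euid=25 exe="/usr/sbin/named" exit=9 fsgid=25 fsuid=25 gid=25 items=0 name="random" pid=15327 scontext=user_u:system_r:named_t:s0 sgid=25 subj=user_u:system_r:named_t:s0 suid=25 tclass=chr_file tcontext=system_u:object_r:tmpfs_t:s0 tty=(none) uid=25'

# avc_field LINE KEY: value of KEY=... in the audit line, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission list between the braces, e.g. "read".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# type_of CONTEXT: the type part of user:role:type[:level].
type_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "SOURCE_TYPE PERMS TARGET_TYPE TCLASS NAME" on one line.
avc_summary() {
  printf '%s %s %s %s %s\n' \
    "$(type_of "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
    "$(type_of "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)"
}

# avc_triage LINE: "relabel" when a device node (chr_file) carries a filesystem label such as
# tmpfs_t, the labeling problem sealert describes, whose first remedy is restorecon on that
# path inside the chroot; otherwise "policy-module" (audit2allow -M, reviewed before loading).
avc_triage() {
  case "$(avc_field "$1" tclass):$(type_of "$(avc_field "$1" tcontext)")" in
    chr_file:tmpfs_t) echo relabel ;;
    *) echo policy-module ;;
  esac
}

avc_summary "$AVC_LINE"   # named_t read tmpfs_t chr_file random
avc_triage "$AVC_LINE"    # relabel
```

Feed it a line from /var/log/audit/audit.log (or the Raw Audit Messages section of sealert) and act on the triage result; it only reads the line and never changes policy or labels itself.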