On Fri, Jul 11, 2008 at 08:26:53AM +0200, Martin Godisch wrote:
> bind9 security update 9.3.4-2etch3 breaks named running in a selinux
> enabled (enforcing) environment:
>
> audit(1215756426.448:248): avc: denied { name_bind } for pid=16218
> comm="named" src=12949 scontext=user_u:system_r:named_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
>
> I think you need to add corenet_udp_bind_generic_port(named_t) to the
> selinux policy (or revert the security update).
This is a known issue -- we're planning to make a couple of announcements
with a recommended workaround (attached, but pretty much the same as what
you suggest), and try to get it into the next stable point release.

-- 
Devin    \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
policy_module(bind_debian_security_update, 1.0);

gen_require(`
	type named_t;
')

corenet_udp_bind_all_ports(named_t)
# this won't work with the refpolicy in etch, but is correct for later versions:
# corenet_udp_bind_all_unreserved_ports(named_t)
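The following shell script is an added example, not part of the thread or of Debian's bind9 or refpolicy packages. It does two things a defender handling this report would want: it recognises the specific AVC denial quoted above (named_t refused name_bind on a udp_socket labelled port_t, which is what the randomised source ports from the security update trigger) and extracts the denied port, and it writes the attached workaround module to a file and builds and loads it. The module file name, the temporary directory and the path of the refpolicy devel Makefile (/usr/share/selinux/devel/Makefile, provided by the policy development package on later releases) are assumptions; the sample audit line is constructed to match the one in the report.

```shell
#!/bin/sh
# Added example: classify the bind9/SELinux AVC denial and build/load the
# workaround module from the reply above.  Paths and file names are assumed.
set -eu

# Return 0 when an audit line is the denial reported in this thread:
# named (named_t) trying to bind a UDP socket to a generic port (port_t).
is_named_udp_bind_denial() {
    case "$1" in
        *"avc: denied { name_bind }"*"comm=\"named\""*":named_t:"*":port_t:"*"tclass=udp_socket"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print the source port the kernel refused (the src= field of the denial).
denied_src_port() {
    printf '%s\n' "$1" | sed -n 's/.*src=\([0-9][0-9]*\).*/\1/p'
}

# Constructed sample line, matching the report earlier in the thread.
SAMPLE='audit(1215756426.448:248): avc: denied { name_bind } for pid=16218 comm="named" src=12949 scontext=user_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'

# Write the workaround module (the .te attached to the reply) to the path in $1.
write_module_te() {
    cat > "$1" <<'EOF'
policy_module(bind_debian_security_update, 1.0);

gen_require(`
	type named_t;
')

corenet_udp_bind_all_ports(named_t)
# this won't work with the refpolicy in etch, but is correct for later versions:
# corenet_udp_bind_all_unreserved_ports(named_t)
EOF
}

# Build the .te with the refpolicy devel Makefile (assumed path) and load it.
# Needs root and the policy development package; only run with --install.
build_and_load() {
    dir=$(mktemp -d)
    write_module_te "$dir/bind_debian_security_update.te"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile bind_debian_security_update.pp )
    semodule -i "$dir/bind_debian_security_update.pp"
    # Confirm the module is now loaded.
    semodule -l | grep bind_debian_security_update
}

if [ "${1:-}" = "--install" ]; then
    build_and_load
fi
```

Run it with `--install` on the affected host to load the module; without arguments it only defines the helpers, so `is_named_udp_bind_denial "$line"` can be used to scan audit output (for example the lines printed by `ausearch -m avc -c named`) and distinguish this known, benign-to-allow denial from anything else named might be denied.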