Last Modified: May 29, 2024
Affected Product(s):
BIG-IP DNS
Fixed In:
17.1.0, 16.1.4
Opened: Sep 20, 2021
Severity: 3-Major
You can observe the following AVC error logs when the gtmd process tries to interact with the internal FIPS card for DNSSEC key and signature creation:

type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
No impact on the DNSSEC deployment, but gtmd throws SELinux errors.
- Internal FIPS card present with FIPS 140-3 supported devices.
- DNSSEC key and signature creation using internal keys.
None
None
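The AVC records above can be triaged mechanically when reviewing an audit log. The following is an added example, not F5 code: it parses AVC denial lines, counts the gtmd denials that match the two patterns shown on this page, and lists any other gtmd denial separately. The function names and the last sample record are assumptions made for the example.

```python
import re
from collections import Counter

# First four records are from this page; the last (serial 3964) is constructed
# for this example to show a denial outside the documented pattern.
SAMPLE = """\
type=AVC msg=audit(1662044427.707:3960): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044427.709:3961): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044428.113:3962): avc: denied { create } for pid=39483 comm="gtmd" scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:system_r:gtmd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1662044428.114:3963): avc: denied { search } for pid=39483 comm="gtmd" name="gtmd" dev="dm-20" ino=188725 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:svc_svc_t:s0 tclass=dir
type=AVC msg=audit(1662044429.000:3964): avc: denied { read } for pid=39483 comm="gtmd" name="example.conf" dev="dm-20" ino=1 scontext=system_u:system_r:gtmd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC msg=audit\(\d+\.\d+:(?P<serial>\d+)\):\s+avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denials this page documents: (source type, permission, target type, class).
KNOWN = {
    ("gtmd_t", "create", "gtmd_t", "netlink_route_socket"),
    ("gtmd_t", "search", "svc_svc_t", "dir"),
}

def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def triage(text, comm="gtmd"):
    """Count denials matching KNOWN and list (serial, key) for the rest."""
    known, other = Counter(), []
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec.get("comm") != comm:
            continue
        for perm in rec["perms"]:
            key = (selinux_type(rec["scontext"]), perm,
                   selinux_type(rec["tcontext"]), rec["tclass"])
            if key in KNOWN:
                known[key] += 1
            else:
                other.append((rec["serial"], key))
    return known, other

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty second list means gtmd is hitting denials that this entry does not describe, and those should be reviewed separately.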