Bug ID 671337: NetHSM DNSSEC key creation can attempt to change the SELinux label on a file

Last Modified: Oct 01, 2018

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5

Fixed In:
13.1.0, 12.1.3.6

Opened: Jun 27, 2017
Severity: 3-Major

Symptoms

A log message such as the following can appear in the logs:

type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file

Impact

An SELinux error is logged.

Conditions

A NetHSM DNSSEC key is created in a temporary directory, and the creation process tries to change the SELinux label on a file without having permission to do so.

Workaround

None

Fix Information

The NetHSM script invoked via MCPd is now allowed to relabel files.

Behavior Change