Bug ID 671337: NetHSM DNSSEC key creation can attempt to change the SELinux label on a file

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3

Fixed In:

Opened: Jun 27, 2017

Severity: 3-Major


A log message such as the following can appear in the logs:

type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file


An SELinux error is logged.


This occurs when a NetHSM DNSSEC key is created in a temporary directory and the process tries to change the SELinux label on a file without having permission to do so.
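A triage sketch for the denial quoted above, added here as an example and not F5 code: it parses AVC records and separates denials that have the same shape as this bug's message (relabelfrom denied, mcpd_t source, mcpd_tmp_t target, file class, a .key file name) from denials that need a closer look. The function names and matching criteria are assumptions derived from the single log line on this page; the second and third sample lines are constructed.

```python
import re

# Header of an SELinux AVC record: result, permission set, then key=value fields.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
                    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# Values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(result=m.group('result'), perms=m.group('perms').split(),
               serial=int(m.group('serial')))
    return rec

def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''

def matches_bug_671337(rec):
    """True when a parsed record has the shape of the denial quoted in this bug."""
    return bool(rec
                and rec['result'] == 'denied'
                and 'relabelfrom' in rec['perms']
                and rec.get('tclass') == 'file'
                and selinux_type(rec.get('scontext', '')) == 'mcpd_t'
                and selinux_type(rec.get('tcontext', '')) == 'mcpd_tmp_t'
                and rec.get('name', '').endswith('.key'))

def triage(lines):
    """Split AVC denials into (known-bug serials, serials needing review)."""
    known, review = [], []
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied':
            (known if matches_bug_671337(rec) else review).append(rec['serial'])
    return known, review

SAMPLE = [
    # Line 1 is the message quoted on this page; lines 2 and 3 are constructed.
    'type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1498506900.100:3790): avc: denied { write } for pid=7600 comm="example" name="example.conf" dev="dm-15" ino=80100 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1498506900.100:3790): arch=c000003e syscall=2 success=no',
]

if __name__ == '__main__':
    print(triage(SAMPLE))
```

Matching on the full tuple of permission, source type, target type and object class keeps other mcpd_t denials in the review list instead of dismissing them as this bug.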



Fix Information

Allow the NetHSM script, run via MCPd, to relabel files.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips