Tom London wrote:
Yes patches are in the work. You can drop them to can_network() to get the full functionality.Running strict/enforcing off of latest Rawhide
Several problems after latest update, mostly like:
Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied { accept } for pid=3656 exe=/usr/sbin/sshd lport=22
scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
tclass=tcp_socket
or
Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113
scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
denied (errno = 13)
or
Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied { listen } for pid=1959 exe=/sbin/rpc.statd lport=32768
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
tclass=tcp_socket
or
Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
etc.
I added something like 'allow XXX self:tcp_socket {listen accept}' or 'allow XXX self:tcp_socket {connect}' to get the daemons up and running, but shouldn't these guys use the can_network_tcp(), can_network_client(), or can_network_server()?
Are patches needed, or is this in the works?
tom
I will put up a fixed policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Dan
