Re: use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?

Tom London wrote:

Running strict/enforcing off of latest Rawhide

Several problems after latest update,
mostly like:

Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied { accept } for pid=3656 exe=/usr/sbin/sshd lport=22
scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
tclass=tcp_socket


or

Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113
scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
denied (errno = 13)


or

Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied { listen } for pid=1959 exe=/sbin/rpc.statd lport=32768
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
tclass=tcp_socket


or

Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket


etc.

I added something like 'allow XXX self:tcp_socket {listen accept}'
or 'allow XXX self:tcp_socket {connect}'
to get the daemons up and running, but shouldn't
these guys use the can_network_tcp(), can_network_client(),
or can_network_server()?

Are patches needed, or is this in the works?

tom


Yes, patches are in the works. You can drop them to can_network() to get the full functionality.
I will put up a fixed policy on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Dan
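An added triage script, not from the thread or from the Fedora policy, that parses the pre-2005 style "avc: denied" lines quoted above, prints the narrow allow rule each denial would need (the form Tom added by hand) and names the can_network_*() family to consider instead. The mapping of listen/accept to can_network_server and connect to can_network_client is an assumption drawn from the macro names, not from the macro bodies; the sample log is constructed from the thread's lines re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's denials re-joined onto single lines, plus one non-AVC line.
SAMPLE_LOG = """\
Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied { accept } for pid=3656 exe=/usr/sbin/sshd lport=22 scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=tcp_socket
Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied { listen } for pid=2251 exe=/usr/sbin/xinetd lport=113 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission denied (errno = 13)
Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied { connect } for pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# Hypothetical split used only to pick a macro name; the real macro bodies are not reproduced.
SERVER_PERMS = {"listen", "accept"}
CLIENT_PERMS = {"connect"}

def parse_avc(line):
    """Return (perms, fields) for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return perms, fields

def summarize(log_text):
    """Per source type: the narrow allow rule the denials imply and the macro family to consider."""
    by_key = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        stype = f["scontext"].split(":")[2]   # user:role:type -> type
        ttype = f["tcontext"].split(":")[2]
        target = "self" if ttype == stype else ttype
        by_key[(stype, target, f["tclass"])] |= perms
    result = {}
    for (stype, target, tclass), perms in by_key.items():
        rule = "allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms)))
        if tclass != "tcp_socket":
            hint = "review manually"
        elif perms <= SERVER_PERMS:
            hint = "can_network_server"
        elif perms <= CLIENT_PERMS:
            hint = "can_network_client"
        else:
            hint = "can_network"
        result.setdefault(stype, []).append((rule, hint))
    return result
```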


