David P. Quigley wrote:
> I'm pretty sure this doesn't have anything to do with the kernel end but
> is probably some sort of policy issue instead. I've CCed the
> fedora-selinux list for an answer. The CC to linux-kernel should
> probably be dropped from the reply there.
>
> Dave
>
> On Thu, 2008-09-11 at 17:34 +0200, Enrique Perez-Terron wrote:
>> Fedora core 9 stock kernel 2.6.25.108 i586
>>
>> UDP bind() fails with EACCES when SELinux is enforcing, but no audit
>> messages.
>>
>> How to reproduce:
>>
>> In startup scripts, configure rpc.statd to use the fixed port 34.
>> This port does not occur in /etc/services
>> (In /etc/sysconfig/nfs, STATD_PORT=34)
>>
>> Write the following script, run it with bash -x.
>>
>> #!/bin/bash
>>
>> TESTDIR=/var/tmp/se-bind-test-$$
>> mkdir $TESTDIR # to hold about 50 files
>> cd $TESTDIR
>>
>> # Stop NFS:
>> service nfs stop
>> service nfslock stop
>>
>> # Gather some baseline data for easy comparison
>> echo 1 > /selinux/enforce # just in case
>> dmesg > dmesg-enforc-before
>> wc /var/log/audit/audit.log > audit-enforc-before
>>
>> # This fails
>> strace -o enforc -ff service nfslock start
>>
>> # But no new messages in logs
>> dmesg > dmesg-enforc-after
>> wc /var/log/audit/audit.log > audit-enforc-after
>>
>> # Try again in permissive mode
>> echo 0 > /selinux/enforce
>> dmesg > dmesg-nonenf-before
>> wc /var/log/audit/audit.log > audit-nonenf-before
>>
>> # Since this works, the daemon starts, and strace hangs on.
>> # Needs SIGKILL; SIGINT does not work. Why?
>> (sleep 5; killall -9 strace) &
>> strace -o nonenf -ff service nfslock start
>>
>> # Just for symmetry
>> dmesg > dmesg-nonenf-after
>> wc /var/log/audit/audit.log > audit-nonenf-after
>>
>> # Check that there are no audits.
>> diff dmesg-enforc-before dmesg-enforc-after
>> diff audit-enforc-before audit-enforc-after
>>
>> # There are several other calls to bind() that are not prevented
>> grep -E '^bind|^socket' enforc.*
>> grep -E '^bind|^socket' nonenf.*
>>
>> Regards
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

semodule -DB

Will remove all dontaudit rules. Then run your service script.

semodule -B

Will put them back.

You have yum -y upgrade selinux-policy\*
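The reply above suggests dropping the dontaudit rules with semodule -DB, rerunning the service, and restoring them with semodule -B, because a dontaudit rule is exactly what makes a denial fail with EACCES while leaving no AVC record behind. As an added example that is not part of this thread, the script below wraps that procedure so the rules are put back whatever the command under test does, and reports only the AVC records that appeared while it ran, which is what the before/after wc counts in the original script were approximating. The audit lines inside demo() are constructed sample data, and the type names in them (rpcd_t, reserved_port_t) are assumptions about what a real name_bind denial for port 34 would look like, not output from any system.

```shell
#!/bin/sh
# Added example (not from the thread): wrap "semodule -DB / run / semodule -B"
# so that dontaudit rules are always restored, and show only the AVC records
# that were added to the audit log while the command under test ran.

# Print the AVC records present in the "after" snapshot ($2) but absent from
# the "before" snapshot ($1). -F -x -f treats every line of $1 as a fixed,
# whole-line pattern; -v keeps only the lines of $2 that match none of them.
new_avc_records() {
    grep -F -v -x -f "$1" "$2" | grep '^type=AVC ' || true
}

# Number of AVC records added between the two snapshots.
count_new_avc() {
    new_avc_records "$1" "$2" | wc -l | tr -d ' '
}

# Run a command with every dontaudit rule removed from the loaded policy, then
# restore the rules. Needs root, semodule and auditd; returns the command's status.
run_without_dontaudit() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    cp /var/log/audit/audit.log "$before"
    semodule -DB || return 1        # rebuild the policy without dontaudit rules
    "$@"
    status=$?
    semodule -B                     # put the dontaudit rules back, success or not
    cp /var/log/audit/audit.log "$after"
    echo "AVC records observed while '$*' ran:"
    new_avc_records "$before" "$after"
    rm -f "$before" "$after"
    return $status
}

# Offline demonstration on constructed log snapshots (sample data, not real
# audit output). The only record that is new in the "after" snapshot is a
# name_bind denial of the kind semodule -DB would make visible; prints 1.
demo() {
    b=$(mktemp) || return 1
    a=$(mktemp) || return 1
    cat > "$b" <<'EOF'
type=USER_START msg=audit(1221138000.100:450): user pid=4000 uid=0 msg='op=PAM:session_open acct="root" exe="/bin/login" res=success'
type=AVC msg=audit(1221138000.110:451): avc: denied { read } for pid=4100 comm="cupsd" name="printers.conf" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
    cp "$b" "$a"
    cat >> "$a" <<'EOF'
type=SYSCALL msg=audit(1221138000.123:453): arch=40000003 syscall=102 success=no exit=-13 comm="rpc.statd" exe="/sbin/rpc.statd"
type=AVC msg=audit(1221138000.123:453): avc: denied { name_bind } for pid=4242 comm="rpc.statd" src=34 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
EOF
    count_new_avc "$b" "$a"
    rm -f "$b" "$a"
}
```

On a real box the call is `run_without_dontaudit service nfslock start`; the snapshot comparison is line-based, so it also works when the log rotates between snapshots, as long as the pre-rotation lines are not needed.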