On 08/18/2010 01:30 AM, Daniel B. Thurman wrote:
>
> So how do I resolve this?
>
> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

It kind of depends in my view. Here the spamassassin client app tries to bind udp socket to port 32726. Port udp:32726 is currently "unlabeled".

The question we have to ask first is: is this a random port that spamassassin is binding udp sockets to? Or is it always the same port?

If it is a random port, then I think we probably need to give the spamassassin client access to bind udp sockets to generic ports.

Looking in the policy source, I see similar allowed for spamassassin_t:

<snip>
> corenet_udp_bind_generic_node(spamassassin_t)
> corenet_udp_bind_generic_port(spamassassin_t)
> corenet_sendrecv_generic_server_packets(spamassassin_t)
> corenet_dontaudit_udp_bind_all_ports(spamassassin_t)

So you could implement an identical solution for spamc_t like so:

mkdir ~/myspamc; cd ~/myspamc;
echo "policy_module(myspamc, 1.0.0)" > myspamc.te;
echo "gen_require(\`" >> myspamc.te;
echo "type spamc_t;" >> myspamc.te;
echo "')" >> myspamc.te;
echo "corenet_udp_bind_generic_node(spamc_t)" >> myspamc.te;
echo "corenet_udp_bind_generic_port(spamc_t)" >> myspamc.te;
echo "corenet_sendrecv_generic_server_packets(spamc_t)" >> myspamc.te;
echo "corenet_dontaudit_udp_bind_all_ports(spamc_t)" >> myspamc.te;
make -f /usr/share/selinux/devel/Makefile myspamc.pp
sudo semodule -i myspamc.pp

This will allow spamc_t (/usr/bin/spamassassin) to bind udp sockets to ports with the generic port_t type. It will silently deny spamc_t trying to bind udp sockets to all other port types.

> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
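
Added example, not part of the original message or of the SELinux project: one way to answer the reply's first question (random port, or always the same one?) is to collect the src ports from all name_bind denials for the domain. The first sample line is the denial quoted in the thread; the other two are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the thread; lines 2-3 are constructed samples
# (different pid, timestamp and src port), not real audit data.
SAMPLE_LOG = """\
node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=(removed) type=AVC msg=audit(1282086391.112:81344): avc: denied { name_bind } for pid=23611 comm="spamassassin" src=41873 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=(removed) type=AVC msg=audit(1282086460.530:81390): avc: denied { name_bind } for pid=23702 comm="spamassassin" src=18254 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def bind_ports_by_domain(log_text):
    """Map (source type, target type, class) -> sorted distinct denied bind ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "name_bind" in rec["perms"] and "src" in rec:
            stype = rec["scontext"].split(":")[2]   # user:role:type:level
            ttype = rec["tcontext"].split(":")[2]
            ports[(stype, ttype, rec["tclass"])].add(int(rec["src"]))
    return {k: sorted(v) for k, v in ports.items()}

def summarize(log_text):
    """Per domain, report whether the denied bind port is fixed or varies."""
    return {key: ("fixed" if len(p) == 1 else "varying", p)
            for key, p in bind_ports_by_domain(log_text).items()}

if __name__ == "__main__":
    for (stype, ttype, tclass), (kind, p) in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype} [{tclass}]: {kind} port(s) {p}")
```

With only the single denial from the thread the result is "fixed", which is why one log line is not enough to decide; the constructed three-line sample yields "varying".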