On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> I checked bugzilla but did not see anything about this list of avc
> alerts for fedora 16. Should they be reported or is something
> misconfigured?
>

setsebool -P allow_ypbind on

should fix it. If it does, then this should not be reported.

There is a way to check whether a specified AVC denial can be allowed,
for example your first AVC denial:

> #============= accountsd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy

# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]

This tells me that this access can be allowed by toggling the
allow_ypbind boolean to enabled. The DT tells me that this boolean is
currently disabled.

> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow accountsd_t var_yp_t:dir search;
>
> #============= automount_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow automount_t var_yp_t:file read;
>
> #============= policykit_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t kprop_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t var_yp_t:dir search;
>
> #============= sshd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t ftp_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t spamd_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t var_yp_t:dir search;
>
> #============= system_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
>
> #============= xdm_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
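
The check described in the reply above, as an added example that is not part of the original message: it turns an audit2allow rule into the same sesearch query and reads the state flags and bracketed boolean from the output. The function names are hypothetical, and the meaning of the E/D and T/F flags beyond the DT case shown in the reply is an assumption.

```python
import re

# Single-permission audit2allow rule, as quoted in the message above.
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+);$")
# Conditional rule line: two state flags, the rule, then "[ boolean ]".
COND_RE = re.compile(r"^([ED])([TF])\s+(allow\s.+?;)\s*\[\s*(.+?)\s*\]$")

# Output copied from the reply above.
PAGE_OUTPUT = """Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""


def sesearch_command(allow_rule):
    """Build the reply's sesearch query for one (possibly '>'-quoted) rule."""
    m = ALLOW_RE.match(allow_rule.lstrip("> ").strip())
    if not m:
        return None  # comment, blank line or multi-permission rule
    src, tgt, cls, perm = m.groups()
    return ["sesearch", "-SCT", "--allow",
            "-s", src, "-t", tgt, "-c", cls, "-p", perm]


def advise(sesearch_output):
    """Return (boolean expression, setsebool command or None) per rule."""
    advice = []
    for line in sesearch_output.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue
        # Assumption: E/D = rule enabled/disabled, T/F = true/false list.
        enabled, branch, _rule, expr = m.groups()
        if enabled == "E" or not re.fullmatch(r"\w+", expr):
            # Already active, or a compound expression to review by hand.
            advice.append((expr, None))
        else:
            # A disabled true-list rule needs the boolean on; false-list, off.
            value = "on" if branch == "T" else "off"
            advice.append((expr, f"setsebool -P {expr} {value}"))
    return advice


if __name__ == "__main__":
    rule = "> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;"
    print(" ".join(sesearch_command(rule)))
    for expr, cmd in advise(PAGE_OUTPUT):
        print(expr, "->", cmd or "no single-boolean change to suggest")
```

The matched rule is written on nsswitch_domain and rpc_port_type rather than on accountsd_t, so enabling allow_ypbind changes access for every domain and port type that rule covers, not only the pair in the denial.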