On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> "Dominick Grift wrote:"
> > On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> > > I checked bugzilla but did not see anything about this list of avc
> > > alerts for fedora 16. Should they be reported or is something
> > > misconfigured?
> > >
> > >
> >
> > setsebool -P allow_ypbind on
>
> The bool gets turned off in the reboot process.

That's strange, is systemd turning it back off?

> It solves almost all the avc issues but a few remained which were solved
> with this policy file:
>
> module mysystemd 1.0;
>
> require {
>         type systemd_logind_t;
>         type var_yp_t;
>         type node_t;
>         type hi_reserved_port_t;
>         class udp_socket { name_bind bind create setopt node_bind };
>         class file { read open };
> }
>
> #============= systemd_logind_t ==============
> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> allow systemd_logind_t node_t:udp_socket node_bind;
> allow systemd_logind_t self:udp_socket { bind create setopt };
> allow systemd_logind_t var_yp_t:file { read open };

This is likely a bug. Could you file a bugzilla for the above?

> We also need to do a systemctl restart autofs.service after boot up. We
> use NIS and auto mounted home directories.
>
> > should fix it. If it does then this should not be reported.
> >
> > There is a way to check whether a specified AVC denial can be allowed,
> > for example your first avc denial:
> >
> > > #============= accountsd_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> >
> > # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> >
> > Found 1 semantic av rules:
> >    DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
> >
> > This tells me that this access can be allowed by toggling the
> > allow_ypbind boolean to enabled. The DT tells me that this boolean is
> > currently disabled.
> >
> > > allow accountsd_t portmap_port_t:tcp_socket name_connect;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow accountsd_t var_yp_t:dir search;
> > >
> > > #============= automount_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow automount_t var_yp_t:file read;
> > >
> > > #============= policykit_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow policykit_t kerberos_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow policykit_t kprop_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow policykit_t portmap_port_t:tcp_socket name_connect;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow policykit_t var_yp_t:dir search;
> > >
> > > #============= sshd_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow sshd_t ftp_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow sshd_t spamd_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow sshd_t var_yp_t:dir search;
> > >
> > > #============= system_dbusd_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
> > >
> > > #============= xdm_dbusd_t ==============
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> > > #!!!! This avc is allowed in the current policy
> > >
> > > allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
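The check Dominick walks through above (pull the source type, target type, class and permission out of a denial, run `sesearch -SCT --allow` for that tuple, and read the E/D flag on any conditional rule to see whether a boolean would already cover it) is easy to mechanize. The Python below is an added example and is not code from this thread or from the setools or policycoreutils projects. It does not run `sesearch` itself: the audit lines and the `sesearch` output it consumes are constructed samples embedded in the script (the first mirrors the `DT ... [ allow_ypbind ]` line quoted above, the second stands in for a denial no rule covers), and the `SAMPLE_SESEARCH` dictionary is a stand-in for running the real command on the host.

```python
"""AVC triage helper in the spirit of the sesearch check quoted above.

For each AVC denial it extracts (source type, target type, class, permission),
builds the matching `sesearch -SCT --allow ...` command, and reads sesearch's
output to decide whether the access is already allowed, allowed by a boolean
that is currently off, or not allowed by any rule (a candidate for a bug
report or a local module such as the mysystemd one in the thread).
"""
import re
from dataclasses import dataclass

# Constructed sample audit.log lines for this example (not from the thread).
SAMPLE_AVCS = """\
type=AVC msg=audit(1316831400.123:45): avc:  denied  { name_bind } for  pid=812 comm="accounts-daemon" src=1013 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1316831401.456:46): avc:  denied  { read open } for  pid=640 comm="systemd-logind" name="binding" dev=sda2 ino=131 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=file
"""

# Constructed stand-in for running sesearch on the host, keyed by
# (source, target, class, perm). The first entry mirrors the DT line quoted
# in the thread; the others stand for "no rule at all".
SAMPLE_SESEARCH = {
    ("accountsd_t", "hi_reserved_port_t", "tcp_socket", "name_bind"):
        "Found 1 semantic av rules:\n"
        "   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]\n",
    ("systemd_logind_t", "var_yp_t", "file", "read"): "Found 0 semantic av rules:\n",
    ("systemd_logind_t", "var_yp_t", "file", "open"): "Found 0 semantic av rules:\n",
}

# Pulls the permission set, source type, target type and class out of one
# "avc: denied" line; the user/role/level parts of the contexts are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)")

# One sesearch -C rule line: optional E/D (enabled/disabled) + T/F (true/false
# branch) flags, the allow rule, and an optional [ boolean expression ].
RULE_RE = re.compile(
    r"^\s*(?:(?P<flags>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;\s*(?:\[\s*(?P<cond>[^\]]+?)\s*\])?")


@dataclass(frozen=True)
class Denial:
    stype: str
    ttype: str
    tclass: str
    perm: str

    def key(self):
        return (self.stype, self.ttype, self.tclass, self.perm)


def parse_avcs(text):
    """Split audit lines into one Denial per (context pair, class, permission)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            denials.append(Denial(m.group("stype"), m.group("ttype"),
                                  m.group("tclass"), perm))
    return denials


def sesearch_command(d):
    """The command a practitioner would run on the host for this denial."""
    return ("sesearch -SCT --allow -s {0.stype} -t {0.ttype} "
            "-c {0.tclass} -p {0.perm}".format(d))


def classify(sesearch_output):
    """'allowed' (an active rule exists), 'boolean:<expr>' (a rule exists
    but its boolean state currently disables it), or 'no-rule'."""
    verdict = "no-rule"
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        flags, cond = m.group("flags"), m.group("cond")
        if cond is None or (flags and flags.startswith("E")):
            return "allowed"  # unconditional rule, or conditional and enabled
        # D? with a condition: the rule is present but currently disabled.
        verdict = "boolean:" + cond.strip()
    return verdict


def triage(avc_text, lookup):
    """Map each denial key to its verdict; `lookup` stands in for sesearch."""
    return {d.key(): classify(lookup.get(d.key(), "")) for d in parse_avcs(avc_text)}


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_AVCS, SAMPLE_SESEARCH).items():
        print(sesearch_command(Denial(*key)))
        print("  ->", verdict)
```

A `DT` verdict means the rule sits in the true branch of the condition, so the fix is to make the expression true (for the thread's case, `setsebool -P allow_ypbind on`); a `DF` rule is in the false branch and needs the expression false. Denials that come back `no-rule` are the ones worth a bugzilla or a local module, which is exactly the split Dominick draws between "toggle the boolean" and "file a bug" above.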