On 09/25/2011 10:10 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
>> "Dominick Grift wrote:"
>>>
>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
>>>> I checked bugzilla but did not see anything about this list of avc
>>>> alerts for fedora 16. Should they be reported or is something
>>>> misconfigured?
>>>>
>>>>
>>> setsebool -P allow_ypbind on
>> The bool gets turned off in the reboot process.
> That's strange, is systemd turning it back off?
>
>> It solves almost all the
>> avc issues but a few remained which were solved with this policy file:
>> module mysystemd 1.0;
>>
>> require {
>>         type systemd_logind_t;
>>         type var_yp_t;
>>         type node_t;
>>         type hi_reserved_port_t;
>>         class udp_socket { name_bind bind create setopt node_bind };
>>         class file { read open };
>> }
>>
>> #============= systemd_logind_t ==============
>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
>> allow systemd_logind_t node_t:udp_socket node_bind;
>> allow systemd_logind_t self:udp_socket { bind create setopt };
>> allow systemd_logind_t var_yp_t:file { read open };
> This is likely a bug, could you file a bugzilla for the above?

Yes, please, open a new bug. Thank you.

Regards,
Miroslav

>
>> We also need to do a systemctl restart autofs.service after boot up. We
>> use NIS and auto mounted home directories.
>>
>>> should fix it. if it does then this should not be reported
>>>
>>> There is a way to check whether a specified AVC denial can be allowed,
>>> for example your first avc denial:
>>>
>>>> #============= accountsd_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c
>>> tcp_socket -p name_bind
>>>
>>> Found 1 semantic av rules:
>>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ;
>>> [ allow_ypbind ]
>>>
>>> This tells me that this access can be allowed by toggling the
>>> allow_ypbind boolean to enabled. The DT tells me that this boolean is
>>> currently disabled.
>>>
>>>> allow accountsd_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow accountsd_t var_yp_t:dir search;
>>>>
>>>> #============= automount_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow automount_t var_yp_t:file read;
>>>>
>>>> #============= policykit_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow policykit_t kerberos_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow policykit_t kprop_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow policykit_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow policykit_t var_yp_t:dir search;
>>>>
>>>> #============= sshd_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow sshd_t ftp_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow sshd_t spamd_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow sshd_t var_yp_t:dir search;
>>>>
>>>> #============= system_dbusd_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
>>>>
>>>> #============= xdm_dbusd_t ==============
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>>
>>>> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
>>>
>>
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
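The triage Dominick does by hand in the thread (take one audit2allow line, turn it into a sesearch query, read the E/D and T/F prefix of the conditional rule, and decide whether a boolean toggle or a local module is the right fix) can be scripted. The following is an added example, not code from the thread, from Fedora or from the SELinux project. It assumes the setools 3 output format quoted above ("DT allow ... ; [ allow_ypbind ]"), and only POSIX sh, sed and awk; the sample sesearch outputs are constructed to match the thread, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the thread): script the AVC triage done by hand above.
# Assumes setools 3 sesearch output and POSIX sh, sed and awk only.

# avc_query: turn an audit2allow line such as
#   allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
# into the sesearch query used in the thread. Lines with a permission set
# ("{ a b }") are not handled and produce no output.
avc_query() {
    printf '%s\n' "$1" | sed -n \
        's/^allow \([^ ]*\) \([^:]*\):\([^ ]*\) \([^ ;]*\);.*$/sesearch -SCT --allow -s \1 -t \2 -c \3 -p \4/p'
}

# avc_remedy: read that sesearch output on stdin and print one of
#   "setsebool -P <bool> on|off"  a conditional rule exists but is inactive
#   "conditional: <expr>"         the rule depends on a compound expression
#   "active"                      a matching rule is already in effect
#   "none"                        no rule at all: local module or bug report
# setools 3 prefixes conditional rules with two letters: E/D = the boolean is
# currently Enabled/Disabled, T/F = the rule sits in the True/False branch.
# "DT", as in the thread, is therefore an inactive rule that "setsebool on"
# would activate; "EF" is an inactive rule that "setsebool off" would.
avc_remedy() {
    awk '
        /^allow / { print "active"; found = 1; exit }      # unconditional rule
        /^[ED][TF] allow / {
            state  = substr($1, 1, 1)
            branch = substr($1, 2, 1)
            s = index($0, "[ "); e = index($0, " ]")       # "[ expr ]" tail
            expr = (s && e > s) ? substr($0, s + 2, e - s - 2) : "?"
            if ((state == "E" && branch == "T") || (state == "D" && branch == "F")) {
                print "active"; found = 1; exit
            }
            if (expr ~ / /) { print "conditional: " expr; found = 1; exit }
            print "setsebool -P " expr " " (branch == "T" ? "on" : "off")
            found = 1; exit
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample outputs modelled on the thread (not captured from the
# reporter's machine). On a live system run the real query instead:
#   eval "$(avc_query "$line")" | avc_remedy
SAMPLE_DT='Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]'
SAMPLE_ET='Found 1 semantic av rules:
ET allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]'
SAMPLE_NONE='Found 0 semantic av rules:'

avc_query 'allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;'
printf '%s\n' "$SAMPLE_DT" | avc_remedy     # setsebool -P allow_ypbind on
```

Only a "none" result justifies a local module like the mysystemd one above; an "active" result for a denial that still occurs means the rule is not the problem (labels or a different boolean state at the time of the denial are the next thing to check), and a "setsebool" result is the allow_ypbind case from the thread.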