On 09/25/2011 10:10 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
>> "Dominick Grift wrote:"
>>>
>>> --===============4683794954818469668==
>>> Content-Type: multipart/signed; micalg="pgp-sha512";
>>> protocol="application/pgp-signature"; boundary="=-W/U2hq2saAQVGsubU72y"
>>>
>>>
>>> --=-W/U2hq2saAQVGsubU72y
>>> Content-Type: text/plain; charset="UTF-8"
>>> Content-Transfer-Encoding: quoted-printable
>>>
>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
>>>> I checked bugzilla but did not see anything about this list of avc
>>>> alerts for fedora 16. Should they be reported or is something miss
>>>> configured?
>>>> =20
>>>> =20
>>> sesebool-P allow_ypbind on
>> The bool gets turned off in the reboot process.
> Thats strange, is systemd turning it back off?
>
>> It solves almost all the
>> avc issues but a few remained which were solved with this policy file:
>> module mysystemd 1.0;
>>
>> require {
>> type systemd_logind_t;
>> type var_yp_t;
>> type node_t;
>> type hi_reserved_port_t;
>> class udp_socket { name_bind bind create setopt node_bind };
>> class file { read open };
>> }
>>
>> #============= systemd_logind_t ==============
>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
>> allow systemd_logind_t node_t:udp_socket node_bind;
>> allow systemd_logind_t self:udp_socket { bind create setopt };
>> allow systemd_logind_t var_yp_t:file { read open };
> This is likely a bug, Could you file a bugzilla for the above?
Yes, please, open a new bug. Thank you.
Regards,
Miroslav
>
>> We also need to do a systemctl restart autofs.service after boot up. We
>> use NIS and auto mounted home directories.
>>
>>> should fix it. if it does than this should not be reported
>>>
>>> There is a way to check whether a specified AVC denial can be allowed,
>>> for example your first avc denial:
>>>
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D accountsd_t =3D=3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c
>>> tcp_socket -p name_bind
>>>
>>> Found 1 semantic av rules:
>>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ;
>>> [ allow_ypbind ]
>>>
>>> This tells me that this access can be allowed by toggling the
>>> allow_ypbind boolean to enabled. The DT tells me that this boolean is
>>> currently disabled.
>>>
>>>> allow accountsd_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow accountsd_t var_yp_t:dir search;
>>>> =20
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D automount_t =3D=3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow automount_t var_yp_t:file read;
>>>> =20
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D policykit_t =3D=3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow policykit_t kerberos_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow policykit_t kprop_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow policykit_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow policykit_t var_yp_t:dir search;
>>>> =20
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D sshd_t =3D=3D=3D=3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow sshd_t ftp_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow sshd_t spamd_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow sshd_t var_yp_t:dir search;
>>>> =20
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D system_dbusd_t =3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
>>>> =20
>>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D xdm_dbusd_t =3D=3D=3D=3D=3D=3D=
>>> =3D=3D=3D=3D=3D=3D=3D=3D
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
>>>> #!!!! This avc is allowed in the current policy
>>>> =20
>>>> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>> --=-W/U2hq2saAQVGsubU72y
>>> Content-Type: application/pgp-signature; name="signature.asc"
>>> Content-Description: This is a digitally signed message part
>>> Content-Transfer-Encoding: 7bit
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>>
>>> iQIcBAABCgAGBQJOfabTAAoJEBqhFeh0z2SRaEwQAIuB5ZFYNJqlBCsaE7HYaYuP
>>> pugsjSpzeQheJQC/i2Qa6BCLIKNiLmlkc3J5jBf4msvw3JTfLzgyWJCgo5gQBkLv
>>> y5JeRd81fgtEzhIIeS2Bg3J/HfXVcxmaAAvSXHvo4DQk7L+STT7ikCfsekPshOvP
>>> Y+8hOp/24IGm+wsteUMYGZy+JAHsDmSVGyGKMjo881cyCSclInwkoDTUDCv8vm+i
>>> 3qUs04ahfkfiBlpAH9a0SoVA9Tbnw5N1kbbvY3Up1qqvwtSXIMz2yfAB2uLQ9uBw
>>> NB0xzpYoBl6b3WLLBx/1DiZG0tmZbJ9q7bLGf22/5V1FArH2FpQ0MAPYxLtby/9x
>>> iOQiBdDKyAinz4EBMcGmB6B9M+YQROTtrMoTHm5J19J6e46vgt/vvfRcPJYna8DL
>>> gtHMQroB9Ky/yCHiG2nxsvoNDi7OUw5TX344px4hFDR2wESdrJ8wV9mIhjgwIsjB
>>> uQWJ4IIbYxJzJ578Le5dEWs9cfNqdEAPm24j9BPWo4VNyUL/ck3LRF/VdiW6rzF9
>>> fA66bPW2pqe15wpOtR831rO6PQN6Zdne6s+qRQYTu5IiRKINDi4HYe+dAzJzAuel
>>> avVkH84mznAy2wvoNYX5gvaeVBAE8ZqxMZOzF8cSnqCu+RZ+N/bj53XVN9Wsc9bU
>>> qFJjNtZOZfKswyZUYHSk
>>> =+k0S
>>> -----END PGP SIGNATURE-----
>>>
>>> --=-W/U2hq2saAQVGsubU72y--
>>>
>>>
>>> --===============4683794954818469668==
>>> Content-Type: text/plain; charset="us-ascii"
>>> MIME-Version: 1.0
>>> Content-Transfer-Encoding: 7bit
>>> Content-Disposition: inline
>>>
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> --===============4683794954818469668==--
>>>
>>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
