On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> On 09/25/2011 10:10 AM, Dominick Grift wrote:
> > On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> >> "Dominick Grift wrote:"
> >>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> >>>> I checked bugzilla but did not see anything about this list of avc
> >>>> alerts for fedora 16. Should they be reported or is something
> >>>> misconfigured?
> >>>>
> >>> setsebool -P allow_ypbind on
> >> The bool gets turned off in the reboot process.
> > That's strange, is systemd turning it back off?
> >
> >> It solves almost all the
> >> avc issues but a few remained which were solved with this policy file:
> >>
> >> module mysystemd 1.0;
> >>
> >> require {
> >> 	type systemd_logind_t;
> >> 	type var_yp_t;
> >> 	type node_t;
> >> 	type hi_reserved_port_t;
> >> 	class udp_socket { name_bind bind create setopt node_bind };
> >> 	class file { read open };
> >> }
> >>
> >> #============= systemd_logind_t ==============
> >> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> >> allow systemd_logind_t node_t:udp_socket node_bind;
> >> allow systemd_logind_t self:udp_socket { bind create setopt };
> >> allow systemd_logind_t var_yp_t:file { read open };
> > This is likely a bug, could you file a bugzilla for the above?
> Yes, please, open a new bug. Thank you.

proposed fix:

diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te
index e50a989..d5e32c2 100644
--- policy/modules/system/systemd.te
+++ policy/modules/system/systemd.te
@@ -130,6 +130,10 @@
 ')
 
 optional_policy(`
+	nis_use_ypbind(systemd_logind_t)
+')
+
+optional_policy(`
 	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
 	xserver_search_xdm_tmp_dirs(systemd_logind_t)
 ')

>
> Regards,
> Miroslav
> >
> >> We also need to do a systemctl restart autofs.service after boot up. We
> >> use NIS and auto mounted home directories.
> >>
> >>> should fix it. if it does then this should not be reported
> >>>
> >>> There is a way to check whether a specified AVC denial can be allowed,
> >>> for example your first avc denial:
> >>>
> >>>> #============= accountsd_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> >>>
> >>> Found 1 semantic av rules:
> >>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
> >>>
> >>> This tells me that this access can be allowed by toggling the
> >>> allow_ypbind boolean to enabled. The DT tells me that this boolean is
> >>> currently disabled.
> >>>
> >>>> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow accountsd_t var_yp_t:dir search;
> >>>>
> >>>> #============= automount_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow automount_t var_yp_t:file read;
> >>>>
> >>>> #============= policykit_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> >>>> #!!!!
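Review bot: the denials this hunk targets (udp_socket name_bind on hi_reserved_port_t, node_bind, the self udp_socket perms and var_yp_t:file read/open in the reporter's mysystemd module) are the NSS-through-NIS pattern that the other domains in this thread already obtain via the nsswitch_domain attribute, as the quoted sesearch output shows (`DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]`); consider `auth_use_nsswitch(systemd_logind_t)` instead of the NIS-only `nis_use_ypbind()`, so logind's user lookups are treated like those of sshd_t and accountsd_t and other NSS backends are covered as well. Either way the NIS access stays behind the allow_ypbind boolean (that is what the DT prefix and the `[ allow_ypbind ]` suffix in the quoted output mean), and the reporter says that boolean is turned off again during reboot, so this hunk alone will not keep the denials away on his system; that boolean-reset symptom should be tracked in the Bugzilla as a separate issue. Minor: the neighbouring optional_policy block carries a comment saying why it exists; give the new block a one-line comment too, e.g. `# user/group lookups through NSS (NIS)`.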
> >>>> This avc is allowed in the current policy
> >>>>
> >>>> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow policykit_t kprop_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow policykit_t portmap_port_t:tcp_socket name_connect;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow policykit_t var_yp_t:dir search;
> >>>>
> >>>> #============= sshd_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow sshd_t ftp_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow sshd_t spamd_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow sshd_t var_yp_t:dir search;
> >>>>
> >>>> #============= system_dbusd_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
> >>>>
> >>>> #============= xdm_dbusd_t ==============
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>> #!!!! This avc is allowed in the current policy
> >>>>
> >>>> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> >>>
> >>
> >
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
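The check Dominick describes in the thread (run sesearch for the denied source/target/class/permission, read the E/D and T/F prefix and the [ boolean ] suffix, and decide whether a setsebool is enough or a policy change is needed) can be automated over a whole audit2allow listing. The block below is an added example, not code from this thread or from the Fedora/refpolicy tooling; it assumes the setools 3 `sesearch -C` output format quoted above, and its attribute membership map, the boolean example_ftp_bool and the two extra rules next to the quoted DT line are constructed sample data.

```python
"""Classify AVC denials against `sesearch -SC --allow` output. Added example,
not code from the thread or from Fedora/refpolicy; the attribute map and the
extra sample rules are constructed (real ones: `seinfo -a<attr> -x`, `sesearch`)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# sesearch -C prefixes conditional rules with E/D (currently Enabled/Disabled)
# and T/F (True/False branch of the boolean expression shown in [brackets]).
RULE_RE = re.compile(
    r"^\s*(?:(?P<state>[ED][TF])\s+)?allow\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+?)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]*?)\s*\])?"
)

@dataclass(frozen=True)
class AvRule:
    src: str
    tgt: str
    cls: str
    perms: frozenset
    cond: Optional[str]    # boolean expression, None when unconditional
    branch: Optional[str]  # 'T' / 'F' for conditional rules
    enabled: bool          # False only for a conditional rule whose branch is off

@dataclass(frozen=True)
class Verdict:
    kind: str                     # allowed | enabled_boolean | disabled_boolean | missing
    cond: Optional[str] = None    # gating boolean expression, if any
    branch: Optional[str] = None  # 'T': cond must be on, 'F': cond must be off

def parse_rule(line: str) -> Optional[AvRule]:
    """One `allow` line in sesearch -C or audit2allow style; None if not a rule."""
    if not (m := RULE_RE.match(line)):
        return None
    perms = (frozenset(m.group("perms").split()) if m.group("perms") is not None
             else frozenset([m.group("perm")]))
    state = m.group("state")
    return AvRule(m.group("src"), m.group("tgt"), m.group("cls"), perms,
                  m.group("cond"), state[1] if state else None,
                  state is None or state[0] == "E")

def parse_sesearch(output: str) -> List[AvRule]:
    """Keep the rule lines; headers like 'Found N semantic av rules:' are skipped."""
    return [r for r in map(parse_rule, output.splitlines()) if r is not None]

def _covers(rule_name: str, concrete: str, attrs: Dict[str, Set[str]]) -> bool:
    # a rule written against an attribute covers every type in that attribute
    return rule_name == concrete or concrete in attrs.get(rule_name, set())

def classify(denial: str, rules: List[AvRule],
             attrs: Dict[str, Set[str]]) -> Dict[str, Verdict]:
    """Verdict per permission of an audit2allow-style `allow ...;` line."""
    d = parse_rule(denial)
    if d is None:
        raise ValueError(f"not an allow line: {denial!r}")
    out: Dict[str, Verdict] = {}
    for perm in sorted(d.perms):
        hits = [r for r in rules if r.cls == d.cls and perm in r.perms
                and _covers(r.src, d.src, attrs) and _covers(r.tgt, d.tgt, attrs)]
        if any(r.cond is None for r in hits):
            out[perm] = Verdict("allowed")
        elif any(r.enabled for r in hits):
            r = next(r for r in hits if r.enabled)
            out[perm] = Verdict("enabled_boolean", r.cond, r.branch)
        elif hits:
            out[perm] = Verdict("disabled_boolean", hits[0].cond, hits[0].branch)
        else:
            out[perm] = Verdict("missing")  # no rule at all: needs a policy change
    return out

def setsebool_hint(v: Verdict) -> Optional[str]:
    """Persistent toggle that would enable a rule gated by one plain boolean."""
    if v.kind != "disabled_boolean" or not re.fullmatch(r"\w+", v.cond or ""):
        return None  # compound expressions (&&, ||, !) are left to the reader
    return f"setsebool -P {v.cond} {'on' if v.branch == 'T' else 'off'}"

# Constructed sample: the DT line is the one quoted in the thread; the other
# two rules, the boolean example_ftp_bool and the attribute map are made up.
SAMPLE_SESEARCH = """\
Found 3 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
   allow nsswitch_domain var_yp_t : dir { getattr search } ;
ET allow sshd_t ftp_port_t : tcp_socket name_bind ; [ example_ftp_bool ]
"""
SAMPLE_ATTRS = {
    "nsswitch_domain": {"accountsd_t", "automount_t", "policykit_t",
                        "sshd_t", "system_dbusd_t", "xdm_dbusd_t"},
    "rpc_port_type": {"hi_reserved_port_t", "portmap_port_t"},
}
DENIALS = [  # audit2allow lines from the thread plus one from the reporter's module
    "allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;",
    "allow accountsd_t var_yp_t:dir search;",
    "allow sshd_t ftp_port_t:tcp_socket name_bind;",
    "allow systemd_logind_t var_yp_t:file { read open };",
]
if __name__ == "__main__":
    rules = parse_sesearch(SAMPLE_SESEARCH)
    for line in DENIALS:
        for perm, v in classify(line, rules, SAMPLE_ATTRS).items():
            print(f"{line:<56} {perm:<9} {v.kind}  {setsebool_hint(v) or ''}")
```

On a real host, feed `classify()` the output of `sesearch -SC --allow -s <src> -t <tgt> -c <class>` for each denial and a map built from `seinfo -a<attribute> -x` for the attributes that appear in that output; the first denial above comes back as disabled_boolean with the hint `setsebool -P allow_ypbind on`, the accountsd_t var_yp_t:dir search one as allowed, and the systemd_logind_t var_yp_t:file one as missing, which is exactly the split the thread arrives at by hand.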