On Fri, Aug 14, 2020 at 9:40 AM <info@xxxxxxxxxxxx> wrote:
On CentOS 8 I have some weird permission denying on samba:
------------------------------------------------------------------------------------
# audit(1597366122.204:23992513):
# scontext="system_u:system_r:smbd_t:s0" tcontext="system_u:object_r:hi_reserved_port_t:s0"
# class="udp_socket" perms="name_bind"
# comm="smbd" exe="" path=""
# message="type=AVC msg=audit(1597366122.204:23992513): avc: denied {
# name_bind } for pid=2210721 comm="smbd" src="" # scontext=system_u:system_r:smbd_t:s0
# tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
# permissive=1"
------------------------------------------------------------------------------------
Am I doing something wrong?
Hi Filip,
smbd is not allowed to bind to arbitrary udp ports, see:
# sesearch -A -s smbd_t -c udp_socket -p name_bind
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
So the question is: why does smbd want to bind to udp port 1009?
Thanks,
Filip Bartmann
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Zdenek Pytela
Security controls team, sst_platform_security
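Why the quoted sesearch rules cannot cover this AVC, worked through in an added Python example that is not code from the thread: it parses the AVC record and the sesearch output, and reports that no rule allows nsswitch_domain to name_bind on hi_reserved_port_t, that even the permitted port types depend on the nis_enabled boolean, and that permissive=1 means the access was only logged. Two things are assumed rather than quoted: that smbd_t reaches the rules through the nsswitch_domain attribute, and the default Fedora/RHEL port labelling in which 512-1023 falls under hi_reserved_port_t (an explicit semanage port mapping would override that).

```python
import re

# Constructed from the thread: the AVC (stray characters removed) and the
# three sesearch rules. smbd_t is assumed to be a member of the
# nsswitch_domain attribute, which is why sesearch -s smbd_t shows them.
AVC = ('type=AVC msg=audit(1597366122.204:23992513): avc: denied { name_bind } '
       'for pid=2210721 comm="smbd" scontext=system_u:system_r:smbd_t:s0 '
       'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1')
RULES = """
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
"""
ATTRIBUTES = {"nsswitch_domain": {"smbd_t"}}  # assumed attribute membership
# Assumed default port labelling (Fedora/RHEL style) for unmapped ports.
DEFAULT_PORT_RANGES = [(1, 511, "reserved_port_t"),
                       (512, 1023, "hi_reserved_port_t"), (1024, 65535, "unreserved_port_t")]

AVC_RE = re.compile(r"denied \{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<stype>\w+):\S+"
                    r" tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
                    r"(?: permissive=(?P<permissive>[01]))?")
RULE_RE = re.compile(r"allow (?P<src>\w+) (?P<tgt>\w+):(?P<cls>\w+) (?P<perm>\w+);"
                     r"(?: \[ (?P<bool>\w+) \]:(?P<val>True|False))?")

def parse_avc(line):
    """Extract the denied permissions, source/target types, class and permissive flag."""
    d = AVC_RE.search(line).groupdict()
    d["perms"] = set(d["perms"].split())
    d["permissive"] = d["permissive"] == "1"
    return d

def parse_rules(text):
    """Turn sesearch -A output into dicts, keeping the conditional boolean if any."""
    return [m.groupdict() for m in RULE_RE.finditer(text)]

def default_port_type(port):
    """Port type a port gets when no explicit semanage port mapping exists (assumed ranges)."""
    return next(t for lo, hi, t in DEFAULT_PORT_RANGES if lo <= port <= hi)

def explain(avc, rules, attributes):
    """Which rules match the source/class/perm, whether any covers the target type."""
    src_names = {avc["stype"]} | {a for a, m in attributes.items() if avc["stype"] in m}
    relevant = [r for r in rules if r["src"] in src_names
                and r["cls"] == avc["tclass"] and r["perm"] in avc["perms"]]
    covering = [r for r in relevant if r["tgt"] == avc["ttype"]]
    return {"allowed_port_types": sorted({r["tgt"] for r in relevant}),
            "covered": bool(covering),
            "booleans_in_play": sorted({r["bool"] for r in relevant if r["bool"]}),
            "enforced": not avc["permissive"]}
```

Running `explain(parse_avc(AVC), parse_rules(RULES), ATTRIBUTES)` shows the target type hi_reserved_port_t absent from the allowed set, so the bind would be refused in enforcing mode regardless of nis_enabled.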