Re: Samba hi_reserved_port_t denial


On Fri, Aug 14, 2020 at 9:40 AM <info@xxxxxxxxxxxx> wrote:
On CentOS 8 I have some weird permission denials on samba:
------------------------------------------------------------------------------------
# audit(1597366122.204:23992513):
#  scontext="system_u:system_r:smbd_t:s0" tcontext="system_u:object_r:hi_reserved_port_t:s0"
#  class="udp_socket" perms="name_bind"
#  comm="smbd" exe="" path=""
#  message="type=AVC msg=audit(1597366122.204:23992513): avc:  denied  {
#   name_bind } for  pid=2210721 comm="smbd" src=""
#   scontext=system_u:system_r:smbd_t:s0
#   tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
#   permissive=1"
------------------------------------------------------------------------------------
Am I doing something wrong?

Hi Filip,

smbd is not allowed to bind to arbitrary udp ports, see:

# sesearch -A -s smbd_t -c udp_socket -p name_bind
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True

So the question is: why does smbd want to bind to UDP port 1009?


Thanks,
Filip Bartmann
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx


--

Zdenek Pytela
Security controls team, sst_platform_security
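
An added example (not part of either message, and not code from the SELinux project): a small Python check that parses the AVC record and the `sesearch` output quoted in this thread and reports that none of the listed allow rules covers `hi_reserved_port_t`. The `ATTRS` mapping of `smbd_t` to `nsswitch_domain` is an assumption inferred from those rules being returned for `-s smbd_t`; the function names are hypothetical.

```python
import re

# Constructed from the AVC record and sesearch output quoted in the thread
# (src= is left out because the archive elides its value).
AVC = ('type=AVC msg=audit(1597366122.204:23992513): avc:  denied  { name_bind } '
       'for  pid=2210721 comm="smbd" scontext=system_u:system_r:smbd_t:s0 '
       'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1')
SESEARCH = """\
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
"""
# Assumption: smbd_t carries the nsswitch_domain attribute.
ATTRS = {"smbd_t": {"smbd_t", "nsswitch_domain"}}

RULE = re.compile(r"allow (\S+) (\S+):(\S+) (?:\{ ([^}]*) \}|(\S+));"
                  r"(?: \[ (\S+) \]:(?:True|False))?")

def parse_avc(line):
    """Extract permissions, source/target types, class and permissive flag."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial")
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line[m.end():]))
    return {"perms": set(m.group(1).split()),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
            "permissive": f.get("permissive") == "1"}

def parse_rules(text):
    """Turn sesearch 'allow' lines into dicts, keeping the gating boolean."""
    return [{"source": m[1], "target": m[2], "tclass": m[3],
             "perms": set((m[4] or m[5]).split()), "boolean": m[6]}
            for m in RULE.finditer(text)]

def explain(avc, rules, attrs):
    """Compare one denial with the allow rules that apply to its source domain."""
    names = attrs.get(avc["source"], {avc["source"]})
    usable = [r for r in rules if r["source"] in names
              and r["tclass"] == avc["tclass"] and avc["perms"] <= r["perms"]]
    return {"allowed": any(r["target"] == avc["target"] for r in usable),
            "permitted_targets": sorted(r["target"] for r in usable),
            "booleans": sorted({r["boolean"] for r in usable if r["boolean"]}),
            # permissive=1: the denial was only logged, the bind itself went through
            "logged_only": avc["permissive"]}

if __name__ == "__main__":
    print(explain(parse_avc(AVC), parse_rules(SESEARCH), ATTRS))
```

The `logged_only` flag reflects `permissive=1` in the record: the denial was recorded but not enforced, so the same bind would fail once the domain or host is enforcing.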