Randy Barlow a écrit :
> Greetings!
>
> The ejabberd Fedora package has its own SELinux policy module that it
> ships[0]. A user has reported an issue with an SELinux denial with the
> default ejabberd config[1].
>
> I spent some time trying to modify the policy to allow the name_bind on
> the port, but it seems that my attempts result in it still being
> denied:
>
> allow ejabberd_t unreserved_port_t:udp_socket name_bind;
>
Hi Randy,
Thank you so much for your work! I'm spending time every year to fix
AVCs for ejabberd (on my systems) without going deep in this
issue. But I stored all .te files, so I'm happy to be able to compare
with your .te file :)
File: ejabberd-udp-unreserved_port-fedora-33.te
"""
module ejabberd-udp-unreserved_port-fedora-33 1.0;
require {
type unreserved_port_t;
type ejabberd_t;
class udp_socket name_bind;
}
#============= ejabberd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ejabberd_t unreserved_port_t:udp_socket name_bind;
"""
> As I commented on the ticket, I also found that setting the nis_enabled
> bool on my system to true would solve the problem.
>
How did you do that... I mean, you have found the Graal...
> However, I think it would be ideal if I could adjust the ejabberd
> module to do this on the users' behalf, as it is not obvious to the
> average user (or even to me) that this boolean could be the solution to
> the problem.
>
The Graal, I said :)
> Is there something I could adjust in the ejabberd policy that would
> resolve this issue? Thanks.
>
On my side, I will make a fresh install on fresh box to see what is
exactly required or not, then compare, then send you PR :)
I also want to see what is required with the default ejabberd config
and with my "advanced" config file.
Best regards,
Casper
--
GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org
CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
Jabber/XMPP Messaging: casper@xxxxxxxxxxxxxxxxxx
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
