Re: ejabberd and name_bind

Randy Barlow wrote:
> Greetings!
> 
> The ejabberd Fedora package has its own SELinux policy module that it
> ships[0]. A user has reported an issue with an SELinux denial with the
> default ejabberd config[1].
> 
> I spent some time trying to modify the policy to allow the name_bind on
> the port, but it seems that my attempts result in it still being
> denied:
> 
> allow ejabberd_t unreserved_port_t:udp_socket name_bind;
> 
Hi Randy,

Thank you so much for your work! I spend time every year fixing
AVCs for ejabberd (on my systems) without going deep into this
issue. But I kept all the .te files, so I'm happy to be able to compare
them with your .te file :)



File: ejabberd-udp-unreserved_port-fedora-33.te

"""
module ejabberd-udp-unreserved_port-fedora-33 1.0;

require {
	type unreserved_port_t;
	type ejabberd_t;
	class udp_socket name_bind;
}

#============= ejabberd_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ejabberd_t unreserved_port_t:udp_socket name_bind;
"""

> As I commented on the ticket, I also found that setting the nis_enabled
> bool on my system to true would solve the problem.
> 
How did you do that... I mean, you have found the Grail...

> However, I think it would be ideal if I could adjust the ejabberd
> module to do this on the users' behalf, as it is not obvious to the
> average user (or even to me) that this boolean could be the solution to
> the problem.
> 
The Grail, I said :)

> Is there something I could adjust in the ejabberd policy that would
> resolve this issue? Thanks.
> 
On my side, I will do a fresh install on a fresh box to see what
exactly is required or not, then compare, then send you a PR :)

I also want to see what is required with the default ejabberd config
and with my "advanced" config file.


Best regards,
Casper
-- 
GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org
CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
Jabber/XMPP Messaging: casper@xxxxxxxxxxxxxxxxxx

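Added example for this thread (not code from the ejabberd package, the Fedora selinux-policy, or either poster): it goes from an AVC denial of the kind that produced the rule above to the two ways of granting it. It parses the audit line, emits the raw allow rule that audit2allow prints (wrapped in a loadable .te module like Casper's), and emits the refpolicy corenetwork interface call (corenet_udp_bind_all_unreserved_ports) that says the same thing in the interface style a packaged module such as ejabberd's would use. The AVC line is constructed: the timestamp, pid, comm and src port are made up; the contexts, permission and class are those in the rule quoted in the thread.

```python
"""Turn an SELinux AVC denial into candidate policy fixes.

Added example for this thread; not code from the ejabberd package, the
Fedora selinux-policy or the people posting here.
"""
import re

# Constructed sample denial. Timestamp, pid, comm and src port are made up;
# the contexts, permission and class match the rule quoted in the thread.
SAMPLE_AVC = (
    "type=AVC msg=audit(1600000000.123:456): avc:  denied  { name_bind } "
    "for  pid=1234 comm=\"beam.smp\" src=5555 "
    "scontext=system_u:system_r:ejabberd_t:s0 "
    "tcontext=system_u:object_r:unreserved_port_t:s0 "
    "tclass=udp_socket permissive=0"
)

# refpolicy corenetwork.if interfaces that grant a domain the generic
# "bind to any unreserved port" permission for one socket class.
INTERFACES = {
    ("udp_socket", "unreserved_port_t", "name_bind"): "corenet_udp_bind_all_unreserved_ports",
    ("tcp_socket", "unreserved_port_t", "name_bind"): "corenet_tcp_bind_all_unreserved_ports",
}


def parse_avc(line):
    """Extract permissions, source domain, target type and class from an AVC line."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        # A context is user:role:type[:range]; the type is the third field.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError) as exc:
        raise ValueError("AVC line is missing a context field: %r" % line) from exc
    return {"perms": sorted(m.group(1).split()), "source": source,
            "target": target, "tclass": tclass}


def _perm_set(perms):
    """Render a permission list the way audit2allow does: braces only for several."""
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def raw_allow_rule(avc):
    """The rule audit2allow would emit for this denial."""
    return "allow %s %s:%s %s;" % (avc["source"], avc["target"],
                                   avc["tclass"], _perm_set(avc["perms"]))


def te_module(avc, name, version="1.0"):
    """Wrap the raw rule in a stand-alone .te module (input for checkmodule -M -m)."""
    return "\n".join([
        "module %s %s;" % (name, version),
        "",
        "require {",
        "\ttype %s;" % avc["target"],
        "\ttype %s;" % avc["source"],
        "\tclass %s %s;" % (avc["tclass"], _perm_set(avc["perms"])),
        "}",
        "",
        raw_allow_rule(avc),
        "",
    ])


def interface_call(avc):
    """The refpolicy interface equivalent to the raw rule, or None if none is known."""
    if len(avc["perms"]) != 1:
        return None
    name = INTERFACES.get((avc["tclass"], avc["target"], avc["perms"][0]))
    return "%s(%s)" % (name, avc["source"]) if name else None


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(te_module(avc, "ejabberd-udp-unreserved_port"))
    print("# interface-based equivalent for use inside the ejabberd module:")
    print(interface_call(avc))
```

Both outputs grant ejabberd_t binding to every UDP port labelled unreserved_port_t, which is the same scope audit2allow's '!!!!' hint says the nis_enabled boolean already covers. If the listener in question uses a fixed port, labelling just that port with a dedicated port type and allowing name_bind on it is tighter than either; that is a policy-design choice the thread does not go into.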

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
