Randy Barlow wrote:
> Greetings!
>
> The ejabberd Fedora package has its own SELinux policy module that it
> ships[0]. A user has reported an issue with an SELinux denial with the
> default ejabberd config[1].
>
> I spent some time trying to modify the policy to allow the name_bind on
> the port, but it seems that my attempts result in it still being
> denied:
>
> allow ejabberd_t unreserved_port_t:udp_socket name_bind;
>

Hi Randy,

Thank you so much for your work!

I spend time every year fixing AVCs for ejabberd (on my systems) without going deep into this issue. But I stored all .te files, so I'm happy to be able to compare with your .te file :)

File: ejabberd-udp-unreserved_port-fedora-33.te
"""
module ejabberd-udp-unreserved_port-fedora-33 1.0;

require {
        type unreserved_port_t;
        type ejabberd_t;
        class udp_socket name_bind;
}

#============= ejabberd_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ejabberd_t unreserved_port_t:udp_socket name_bind;
"""

> As I commented on the ticket, I also found that setting the nis_enabled
> bool on my system to true would solve the problem.
>

How did you do that... I mean, you have found the Grail...

> However, I think it would be ideal if I could adjust the ejabberd
> module to do this on the users' behalf, as it is not obvious to the
> average user (or even to me) that this boolean could be the solution to
> the problem.
>

The Grail, I said :)

> Is there something I could adjust in the ejabberd policy that would
> resolve this issue? Thanks.
>

On my side, I will make a fresh install on a fresh box to see what exactly is required or not, then compare, then send you a PR :)

I also want to see what is required with the default ejabberd config and with my "advanced" config file.

Best regards,
Casper

--
GnuPG: AE157E0B29F0BEF2 at keys.openpgp.org
CA Cert: https://dl.casperlefantom.net/pub/ssl/root.der
Jabber/XMPP Messaging: casper@xxxxxxxxxxxxxxxxxx