use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?
Tom London
selinux at gmail.com
Wed Dec 1 15:00:45 UTC 2004
Running strict/enforcing off of latest Rawhide
Several problems after latest update,
mostly like:
Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc: denied
{ accept } for pid=3656 exe=/usr/sbin/sshd lport=22
scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
tclass=tcp_socket
or
Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc: denied
{ listen } for pid=2251 exe=/usr/sbin/xinetd lport=113
scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
tclass=tcp_socket
Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
denied (errno = 13)
or
Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc: denied
{ listen } for pid=1959 exe=/sbin/rpc.statd lport=32768
scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
tclass=tcp_socket
or
Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc: denied
{ connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc: denied
{ connect } for pid=1198 exe=/usr/bin/rhgb
scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
tclass=tcp_socket
etc.
I added something like 'allow XXX self:tcp_socket {listen accept}'
or 'allow XXX self:tcp_socket {connect}'
to get the daemons up and running, but shouldn't
these guys use the can_network_tcp(), can_network_client(),
or can_network_server()?
Are patches needed, or is this in the works?
tom
--
Tom London
More information about the fedora-selinux-list
mailing list