use can_network_XXX() in inetd.te, ssh.te, rhgb.te, rpcd.te...?

Daniel J Walsh dwalsh at redhat.com
Wed Dec 1 15:45:43 UTC 2004


Tom London wrote:

>Running strict/enforcing off of latest Rawhide
>
>Several problems after latest update,
>mostly like:
>
>Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc:  denied 
>{ accept } for  pid=3656 exe=/usr/sbin/sshd lport=22
>scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t
>tclass=tcp_socket
>
>or
>
>Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc:  denied 
>{ listen } for  pid=2251 exe=/usr/sbin/xinetd lport=113
>scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t
>tclass=tcp_socket
>Nov 30 19:17:04 fedora xinetd[2251]: service auth, accept: Permission
>denied (errno = 13)
>
>or
>
>Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc:  denied 
>{ listen } for  pid=1959 exe=/sbin/rpc.statd lport=32768
>scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t
>tclass=tcp_socket
> 
>or
>
>Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc:  denied 
>{ connect } for  pid=1198 exe=/usr/bin/rhgb
>scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
>tclass=tcp_socket
>Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc:  denied 
>{ connect } for  pid=1198 exe=/usr/bin/rhgb
>scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t
>tclass=tcp_socket
>
>etc.
>
>I added something like 'allow XXX self:tcp_socket {listen accept}'
>or 'allow XXX self:tcp_socket {connect}'
>to get the daemons up and running, but shouldn't
>these guys use the can_network_tcp(), can_network_client(),
>or can_network_server()?
>
>Are patches needed, or is this in the works?
>
>   tom
>  
>
Yes, patches are in the works.  You can drop them to can_network() to get the full functionality.
I will put up a fixed policy on 
ftp://people.redhat.com/dwalsh/SELinux/Fedora
Dan
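As an added example (not code from the thread or from the Fedora policy tree): a small Python triage script that parses AVC lines in the format quoted above, keeps only the self:tcp_socket denials, and for each source domain shows both the narrow rule Tom added and the can_network_*() macro the thread proposes instead. The sample lines are constructed from the ones quoted in the message (unwrapped onto single lines), and the listen/accept = server, connect = client mapping is my assumption about the macros rather than something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the thread, one per line
SAMPLE_AVC = """\
Nov 30 20:14:43 fedora kernel: audit(1101874483.584:0): avc:  denied  { accept } for  pid=3656 exe=/usr/sbin/sshd lport=22 scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=tcp_socket
Nov 30 19:17:04 fedora kernel: audit(1101871024.847:0): avc:  denied  { listen } for  pid=2251 exe=/usr/sbin/xinetd lport=113 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov 30 19:16:51 fedora kernel: audit(1101871006.547:0): avc:  denied  { listen } for  pid=1959 exe=/sbin/rpc.statd lport=32768 scontext=system_u:system_r:rpcd_t tcontext=system_u:system_r:rpcd_t tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.414:0): avc:  denied  { connect } for  pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket
Nov 30 19:42:36 fedora kernel: audit(1101843722.421:0): avc:  denied  { connect } for  pid=1198 exe=/usr/bin/rhgb scontext=system_u:system_r:rhgb_t tcontext=system_u:system_r:rhgb_t tclass=tcp_socket
"""

# 2004-era AVC format: "avc:  denied  { perms } for  ... scontext=u:r:dom tcontext=u:r:dom tclass=cls"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\S+:(?P<sdom>\w+) tcontext=\S+:(?P<tdom>\w+) tclass=(?P<tclass>\w+)"
)

# Assumed mapping of socket permissions to the strict-policy macros named in the thread
SERVER_PERMS = {"listen", "accept"}
CLIENT_PERMS = {"connect"}

def parse_avc(text):
    """Return (source_domain, target_domain, tclass, perms) for every AVC denial line."""
    hits = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            hits.append((m.group("sdom"), m.group("tdom"), m.group("tclass"),
                         frozenset(m.group("perms").split())))
    return hits

def recommend(hits):
    """Per domain: the narrow self:tcp_socket rule versus the macro that grants the whole role."""
    needed = defaultdict(set)
    for sdom, tdom, tclass, perms in hits:
        if tclass == "tcp_socket" and sdom == tdom:   # only the self-socket denials from the thread
            needed[sdom] |= perms
    out = {}
    for dom, perms in sorted(needed.items()):
        server, client = bool(perms & SERVER_PERMS), bool(perms & CLIENT_PERMS)
        macro = ("can_network" if server and client else "can_network_server" if server
                 else "can_network_client" if client else "can_network_tcp")
        out[dom] = {"perms": sorted(perms),
                    "raw_rule": f"allow {dom} self:tcp_socket {{ {' '.join(sorted(perms))} }};",
                    "macro": f"{macro}({dom})"}
    return out

if __name__ == "__main__":
    for dom, info in recommend(parse_avc(SAMPLE_AVC)).items():
        print(f"{dom}: {info['raw_rule']}  ->  {info['macro']}")
```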