fedora-selinux August 2010 archive

Re: F12/3: SELinux is preventing /usr/bin/perl from binding to port XXXXX

From: Dominick Grift <domg472_at_nospam>
Date: Wed Aug 18 2010 - 08:43:52 GMT
To: selinux@lists.fedoraproject.org

On 08/18/2010 01:30 AM, Daniel B. Thurman wrote:
>
> So how do I resolve this?
>
>
> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied {
> name_bind } for pid=23536 comm="spamassassin" src=32726
> scontext=system_u:system_r:spamc_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

It kind of depends in my view. Here the spamassassin client app tries to
bind a udp socket to port 32726.

Port udp:32726 is currently "unlabeled".

The question we have to ask first is: is this a random port that
spamassassin is binding udp sockets to? Or is it always the same port?

If it is a random port, then I think we probably need to give the
spamassassin client access to bind udp sockets to generic ports.

Looking in the policy source, I see similar allowed for spamassassin_t:

<snip>
> corenet_udp_bind_generic_node(spamassassin_t)
> corenet_udp_bind_generic_port(spamassassin_t)
> corenet_sendrecv_generic_server_packets(spamassassin_t)
> corenet_dontaudit_udp_bind_all_ports(spamassassin_t)

So you could implement an identical solution for spamc_t like so:

mkdir ~/myspamc; cd ~/myspamc;

# module source: declare the existing type we extend, then request the
# same corenet interfaces that spamassassin_t already gets
echo "policy_module(myspamc, 1.0.0)" > myspamc.te;
echo "gen_require(\`" >> myspamc.te;
echo "type spamc_t;" >> myspamc.te;
echo "')" >> myspamc.te;
echo "corenet_udp_bind_generic_node(spamc_t)" >> myspamc.te;
echo "corenet_udp_bind_generic_port(spamc_t)" >> myspamc.te;
echo "corenet_sendrecv_generic_server_packets(spamc_t)" >> myspamc.te;
echo "corenet_dontaudit_udp_bind_all_ports(spamc_t)" >> myspamc.te;

# compile the module and load it into the running policy
make -f /usr/share/selinux/devel/Makefile myspamc.pp
sudo semodule -i myspamc.pp

This will allow spamc_t (/usr/bin/spamassassin) to bind udp sockets to
ports with the generic port_t type.

It will silently deny spamc_t trying to bind udp sockets to all other
port types.

> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

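The reasoning in the reply (read the AVC record, confirm it is a udp_socket name_bind against the generic port_t type, and only then write a module granting the generic bind interfaces) can be scripted. The following is an added example and not part of Dominick's mail or the Fedora policy sources: the AVC record is a constructed copy of the one quoted in the thread, the function names are my own, and the generated text is the same myspamc.te the echo chain above produces, with the source type taken from scontext instead of typed by hand.

```shell
#!/bin/sh
# Added example (not from the thread): parse an AVC denial record the way a
# policy writer reads it, decide whether it is the udp name_bind-on-port_t
# case described in the reply, and emit the matching myspamc.te.

# Constructed sample record, modelled on the denial quoted in the thread.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'

# avc_field RECORD KEY: print the VALUE of the first KEY=VALUE token.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission RECORD: the permission(s) listed inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\(.*[^ ]\) *} for .*/\1/p'
}

# needs_generic_udp_bind RECORD: true only for a udp_socket name_bind denial
# whose target is the generic port_t type, i.e. a port nobody has labeled.
# Any other denial is a different problem and gets no module from here.
needs_generic_udp_bind() {
    [ "$(avc_permission "$1")" = name_bind ] &&
    [ "$(avc_field "$1" tclass)" = udp_socket ] &&
    [ "$(context_type "$(avc_field "$1" tcontext)")" = port_t ]
}

# generate_te MODULE SRC_TYPE: the policy module text from the reply,
# parameterised on the source type read from scontext.
generate_te() {
    printf 'policy_module(%s, 1.0.0)\n' "$1"
    printf 'gen_require(`\n'
    printf 'type %s;\n' "$2"
    printf "')\n"
    printf 'corenet_udp_bind_generic_node(%s)\n' "$2"
    printf 'corenet_udp_bind_generic_port(%s)\n' "$2"
    printf 'corenet_sendrecv_generic_server_packets(%s)\n' "$2"
    printf 'corenet_dontaudit_udp_bind_all_ports(%s)\n' "$2"
}

# Run against the sample: print the module the denial calls for, or say why not.
if needs_generic_udp_bind "$SAMPLE_AVC"; then
    generate_te myspamc "$(context_type "$(avc_field "$SAMPLE_AVC" scontext)")"
else
    echo "not a udp name_bind to port_t; this module does not apply" >&2
fi
```

Redirect the output into myspamc.te and build and load it with the make and semodule commands from the reply. The script only answers the second of the two questions the reply raises; whether the port is random or fixed still has to be checked against the application, and `semanage port -l` shows what, if anything, the port is currently labeled as before the generic bind is granted.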