fedora-selinux August 2010 archive

Re: F12/3: SELinux is preventing /usr/bin/perl from binding to port XXXXX

From: Daniel B. Thurman <dant_at_nospam>
Date: Wed Aug 18 2010 - 15:01:07 GMT
To: Fedora SELinux Users <selinux@lists.fedoraproject.org>

On 08/18/2010 01:43 AM, Dominick Grift wrote:
> On 08/18/2010 01:30 AM, Daniel B. Thurman wrote:
>> So how do I resolve this?
>> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied {
>> name_bind } for pid=23536 comm="spamassassin" src=32726
>> scontext=system_u:system_r:spamc_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> It kind of depends in my view. Here the spamassassin client app tries to
> bind udp socket to port 32726.
> Port udp:32726 is currently "unlabeled".
> The question we have to ask first is: is this a random port that
> spamassassin is binding udp sockets to? Or is it always the same port?
The report provided here is one of hundreds or thousands of port
failures but the errors are exactly the same except for the port numbers.

On (re)boot, SpamAssassin is bound to a random port in the low
1000 range and stays on this port for a time. For some reason,
SA breaks from this port, then searches for an available port,
failing on hundreds to thousands of ports, with each failure reported
by SELinux, and the CPUs are hit very hard. Somehow and eventually,
after several minutes (15-30 minutes), the search stops. I assume
that the search ran through all the ports until none was left?

What I would like to know is what is the underlying cause of this
problem - is it a broken spamassassin or is it really SELinux?

> If it is a random port, then I think we probably need to give the
> spamassassin client access to bind udp sockets to generic ports.
> Looking in the policy source, I see similar allowed for spamassassin_t:
> <snip>
>> corenet_udp_bind_generic_node(spamassassin_t)
>> corenet_udp_bind_generic_port(spamassassin_t)
>> corenet_sendrecv_generic_server_packets(spamassassin_t)
>> corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
> So you could implement an identical solution for spamc_t like so:
> mkdir ~/myspamc; cd ~/myspamc;
> echo "policy_module(myspamc, 1.0.0)" > myspamc.te;
> echo "gen_require(\`" >> myspamc.te;
> echo "type spamc_t;" >> myspamc.te;
> echo "')" >> myspamc.te;
> echo "corenet_udp_bind_generic_node(spamc_t)" >> myspamc.te;
> echo "corenet_udp_bind_generic_port(spamc_t)" >> myspamc.te;
> echo "corenet_sendrecv_generic_server_packets(spamc_t)" >> myspamc.te;
> echo "corenet_dontaudit_udp_bind_all_ports(spamc_t)" >> myspamc.te;
> make -f /usr/share/selinux/devel/Makefile myspamc.pp
> sudo semodule -i myspamc.pp
> This will allow spamc_t (/usr/bin/spamassassin) to bind udp sockets to
> ports with the generic port_t type.
> It will silently deny spamc_t trying to bind udp sockets to all other
> port types.

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
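The two questions the thread turns on are "is spamc_t binding random ports, or always the same one?" and "are the denied ports really the generic port_t, or do some carry a specific label?". The following is an added example, not code from Dominick's reply or from the selinux-policy project: a POSIX shell script that answers both from raw AVC records (the sample records are constructed to resemble the one quoted above; the third one, against dns_port_t, is invented to show a denial the generic fix would not cover), and then emits the .te source Dominick proposed for whichever domain is passed in, ready for `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`. It needs only grep, sed and awk.

```shell
#!/bin/sh
# Added example (not code from the thread). Two helpers: one that summarizes
# name_bind denials per (domain, port type, socket class) with the number of
# DISTINCT ports involved, and one that generates the policy module source
# from the thread for an arbitrary domain.

# Constructed sample AVC records modelled on the one quoted in the thread.
# The dns_port_t line is invented: it shows a denial that the generic
# port_t fix would NOT silence.
AVC_SAMPLE='type=AVC msg=audit(1282086325.907:81309): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1282086325.908:81310): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32727 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1282086325.909:81311): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=53 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket'

# Read AVC records on stdin; print "<domain> <port type> <tclass> <N>" where
# N is the number of distinct ports that domain was denied name_bind on.
# A large N against port_t means "random unlabeled ports" (Dominick's generic
# fix applies); N=1 means a fixed port that deserves its own label instead.
summarize_name_bind() {
    grep 'denied { name_bind }' |
    sed -n 's/.*src=\([0-9]*\) .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sort -u |
    awk '{ key = $1 " " $2 " " $3; n[key]++ } END { for (k in n) print k, n[k] }' |
    sort
}

# Port types other than the generic port_t that domain $1 was denied on, one
# per line. Empty output means the generic-port module covers every denial.
non_generic_port_types() {
    summarize_name_bind | awk -v d="$1" '$1 == d && $2 != "port_t" { print $2 }' | sort -u
}

# Emit the module source from the thread for domain $1 (e.g. spamc_t).
# The backslash keeps the backtick of gen_require(` literal inside the heredoc.
gen_te() {
    domain="$1"
    cat <<EOF
policy_module(my${domain%_t}, 1.0.0)

gen_require(\`
    type ${domain};
')

corenet_udp_bind_generic_node(${domain})
corenet_udp_bind_generic_port(${domain})
corenet_sendrecv_generic_server_packets(${domain})
corenet_dontaudit_udp_bind_all_ports(${domain})
EOF
}

# Stand-alone run over the constructed sample. On a real box, feed it
# `ausearch -m avc -c spamassassin` or the raw /var/log/audit/audit.log.
printf '%s\n' "$AVC_SAMPLE" | summarize_name_bind
echo "non-generic port types denied to spamc_t:"
printf '%s\n' "$AVC_SAMPLE" | non_generic_port_types spamc_t
gen_te spamc_t
```

Before installing the module, confirm the denied ports really are unlabeled: `semanage port -l | grep -w 32726` prints nothing for a port that falls back to port_t. Note the trade-off in the last rule of the module: `corenet_dontaudit_udp_bind_all_ports` stops the flood of AVCs, but it also hides any future bind to a labeled port; if spamc later appears to fail silently, `semodule -DB` rebuilds policy with dontaudit rules disabled (and `semodule -B` restores them) so the denial becomes visible again.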