Bug 137689

Summary: portmap policy not accounting for netlink socket
Product: [Fedora] Fedora Reporter: Ulrich Drepper <drepper>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideKeywords: SELinux
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.17.30-2.14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-11-01 18:56:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 130887    
Attachments:
Description Flags
add required permissions none

Description Ulrich Drepper 2004-10-30 18:38:54 UTC 
Description of problem:
The portmap daemon does not start up with the current targeted policy since it
is not allowed to use the route netlink socket.  This is used through the glibc
functions related to RPC.  It's only read access which is needed, similar to
what has been done for nscd.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.11

How reproducible:
always

Steps to Reproduce:
1.start portmap
2.
3.
  
Actual results:
Oct 30 11:24:05 fw kernel: audit(1099160645.162:0): avc:  denied  { create } for
 pid=2209 exe=/sbin/portmap scontext=user_u:system_r:portmap_t
tcontext=user_u:system_r:portmap_t tclass=netlink_route_socket


Expected results:
No such message

Additional info:
The attached patch fixes the problem for me.
Comment 1 Ulrich Drepper 2004-10-30 18:38:55 UTC 
Created attachment 105980 [details]
add required permissions
Comment 2 Daniel Walsh 2004-11-01 18:45:15 UTC 
Fixed in selinux-policy-targeted-1.17.30-2.14
Comment 3 Ulrich Drepper 2004-11-01 18:56:21 UTC 
Confirmed fixed.