Bug 1460648
Summary: | the bind_ports plugin does not produce any report when matching AVC appears | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
Component: | setroubleshoot-plugins | Assignee: | Vit Mojzis <vmojzis> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.4 | CC: | lvrabec, mgrepl, mmalik, plautrba |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-10-30 09:47:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Milos Malik
2017-06-12 10:35:29 UTC
The AVC in bug description should not trigger the connect_ports plugin since there needs to be at least one "allowed target type" for the source domain (a type to which the domain has access). Otherwise the suggestion is not valid.

# sesearch -A -p name_bind -s auditctl_t -C
None

The plugin works properly with the following AVC:

type=AVC msg=audit(1533554112.594:1026): avc: denied { name_bind } for pid=8115 comm="nc" dest=789 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

Current "correct" behaviour is actually caused by an exception in "allowed_target_types" (triggered when search() returns None) on the line:

wtypes = [x[TARGET] for x in [y for y in search([ALLOW], {SOURCE: self.scontext.type, CLASS: self.tclass, PERMS: self.access}) if y["enabled"]]]

which should be handled properly. The following patch should fix the issue:
https://github.com/fedora-selinux/setroubleshoot/pull/73

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3101
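The failure mode discussed in the comments (search() returning None for a source domain with no matching allow rules, and the nested comprehension in allowed_target_types then raising instead of producing an empty list) can be reproduced in isolation. The following is an added example, not code from setroubleshoot-plugins or from the linked pull request: search() and SAMPLE_POLICY are constructed stand-ins that only mimic the contract described in the comment (a list of rule dicts, or None when nothing matches), the httpd_t AVC is the one quoted above, and the auditctl_t AVC, its pid, comm and timestamp are made up. The fixed lookup treats "no rules" as an empty list, so the plugin stays silent for auditctl_t by design rather than by accident, and still reports for httpd_t.

```python
import re

# Key names used the way the quoted comprehension uses them.
ALLOW, SOURCE, TARGET, CLASS, PERMS = "allow", "source", "target", "class", "perms"

# Constructed stand-in for a loaded policy: allow rules shaped like the dicts
# the quoted comprehension indexes. Not taken from the real RHEL 7 policy.
SAMPLE_POLICY = [
    {SOURCE: "httpd_t", TARGET: "http_port_t", CLASS: "tcp_socket",
     PERMS: {"name_bind"}, "enabled": True},
    {SOURCE: "httpd_t", TARGET: "http_cache_port_t", CLASS: "tcp_socket",
     PERMS: {"name_bind"}, "enabled": False},   # rule behind a disabled boolean
]

# The AVC quoted in the comment above.
HTTPD_AVC = ('type=AVC msg=audit(1533554112.594:1026): avc: denied { name_bind } '
             'for pid=8115 comm="nc" dest=789 scontext=system_u:system_r:httpd_t:s0 '
             'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket')

# Constructed AVC for a domain with no name_bind rules at all (the sesearch
# case from the comment); pid, comm and timestamp are made up.
AUDITCTL_AVC = ('type=AVC msg=audit(1533554200.000:1030): avc: denied { name_bind } '
                'for pid=8200 comm="auditctl" dest=789 '
                'scontext=system_u:system_r:auditctl_t:s0 '
                'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Pull the fields the plugin needs out of one AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    return {
        "access": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],   # source domain type
        "ttype": m.group("tcontext").split(":")[2],   # target (port) type
        "tclass": m.group("tclass"),
    }


def search(kinds, query, policy=SAMPLE_POLICY):
    """Stand-in with the contract the comment describes: a list of matching
    allow rules, or None when nothing matches. Rule kinds are ignored here."""
    hits = [r for r in policy
            if r[SOURCE] == query[SOURCE] and r[CLASS] == query[CLASS]
            and query[PERMS] <= r[PERMS]]
    return hits or None


def allowed_target_types_buggy(stype, tclass, access):
    """The quoted comprehension: iterating over None raises TypeError."""
    return [x[TARGET] for x in [y for y in search([ALLOW], {SOURCE: stype, CLASS: tclass, PERMS: access}) if y["enabled"]]]


def allowed_target_types_fixed(stype, tclass, access):
    """Treat 'no rules' as an empty list instead of letting None propagate."""
    rules = search([ALLOW], {SOURCE: stype, CLASS: tclass, PERMS: access}) or []
    return [r[TARGET] for r in rules if r["enabled"]]


def plugin_outcome(avc_line, lookup):
    """What the plugin ends up doing for this AVC with the given lookup:
    'report' (suggestion produced), 'silent' (no allowed target type, so no
    suggestion) or 'exception' (lookup blew up and any report is lost)."""
    avc = parse_avc(avc_line)
    try:
        targets = lookup(avc["stype"], avc["tclass"], avc["access"])
    except TypeError:
        return "exception"
    return "report" if targets else "silent"


if __name__ == "__main__":
    for name, avc in (("httpd_t", HTTPD_AVC), ("auditctl_t", AUDITCTL_AVC)):
        print(name, "buggy:", plugin_outcome(avc, allowed_target_types_buggy),
              "fixed:", plugin_outcome(avc, allowed_target_types_fixed))
```

Running it shows both lookups reporting for httpd_t, while for auditctl_t the original comprehension ends in an exception and the fixed one returns an empty list and stays silent. The point for anyone maintaining a setroubleshoot plugin is that a lookup helper whose "not found" value is None must be guarded before it is iterated, otherwise every AVC from a domain without matching rules takes the exception path and whatever the plugin should have said about it is lost.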