Bug 196719
| Summary: | selinux blocks NFS, ntp and probably others | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Doug Chapman <dchapman> |
| Component: | kernel | Assignee: | James Morris <jmorris> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
| Severity: | high | Docs Contact: | |
| Priority: | high | CC: | dwalsh, orion, wtogami |
| Version: | rawhide | Doc Type: | Bug Fix |
| Target Milestone: | --- | Story Points: | --- |
| Target Release: | --- | Environment: | |
| Hardware: | All | Type: | --- |
| OS: | Linux | Mount Type: | --- |
| Whiteboard: | | CRM: | |
| Fixed In Version: | | Category: | --- |
| Doc Text: | | RHEL 7.3 requirements from Atomic Host: | |
| Clone Of: | | Target Upstream Version: | |
| Last Closed: | 2006-09-18 19:42:12 UTC | Embargoed: | |
| Regression: | --- | Documentation: | --- |
| Verified Versions: | | oVirt Team: | --- |
| Cloudforms Team: | --- | | |
Description
Doug Chapman
2006-06-26 17:52:37 UTC
Me too. I see it on an i386. It also prevents outbound smtp traffic.

Jun 25 04:26:44 gadwall kernel: audit(1151227604.199:29): avc: denied { send } for \
pid=28419 comm="smtp" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 \
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 \
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:47 gadwall kernel: audit(1151227607.199:30): avc: denied { send } for \
pid=28697 comm="makewhatis" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 \
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 \
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:26:53 gadwall kernel: audit(1151227613.199:31): avc: denied { send } for \
pid=29189 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 \
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 \
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
Jun 25 04:27:05 gadwall kernel: audit(1151227625.200:32): avc: denied { send } for \
pid=30221 comm="gawk" saddr=192.168.1.8 src=54461 daddr=192.168.1.3 dest=25 \
netif=eth0 scontext=system_u:system_r:postfix_smtp_t:s0 \
tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Still seeing with 2.6.17-1.2336.fc6 on i386. Affects NIS and cups as well.

Things seem somewhat better with 2.6.17-1.2356.fc6. At least ypbind can start and NFS mounts stuff.
Still see lots of avc messages though:

audit(1152202124.462:9): avc: denied { send } for pid=2153 comm="syslogd" saddr=192.168.0.91 src=32768 daddr=192.168.0.8 dest=53 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202124.466:10): avc: denied { recv } for saddr=192.168.0.8 src=53 daddr=192.168.0.91 dest=32768 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:11): avc: denied { send } for pid=2197 comm="rpc.statd" saddr=127.0.0.1 src=678 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:12): avc: denied { recv } for pid=2197 comm="rpc.statd" saddr=127.0.0.1 src=678 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:13): avc: denied { send } for pid=2178 comm="portmap" saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=678 netif=lo scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202125.566:14): avc: denied { recv } for pid=2178 comm="portmap" saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=678 netif=lo scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202127.171:15): avc: denied { send } for pid=2330 comm="ypbind" saddr=127.0.0.1 src=810 daddr=127.0.0.1 dest=111 netif=lo scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202127.171:16): avc: denied { recv } for pid=2178 comm="portmap" saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=810 netif=lo scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202127.467:17): avc: denied { send } for pid=2352 comm="automount" saddr=192.168.0.91 src=832 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202127.475:18): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=832 netif=eth0 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:19): avc: denied { send } for pid=2410 comm="cupsd" saddr=192.168.0.91 src=890 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:20): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=890 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.207:21): avc: denied { send } for pid=2153 comm="syslogd" saddr=192.168.0.91 src=514 daddr=192.168.0.8 dest=514 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.327:22): avc: denied { send } for pid=2430 comm="ntpd" saddr=192.168.0.91 src=910 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202130.343:23): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=910 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202131.535:24): avc: denied { send } for pid=2513 comm="xfs" saddr=192.168.0.91 src=58537 daddr=192.168.0.8 dest=111 netif=eth0 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202131.535:25): avc: denied { recv } for saddr=192.168.0.8 src=111 daddr=192.168.0.91 dest=58537 netif=eth0 scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.267:26): avc: denied { send } for pid=2605 comm="avahi-daemon" saddr=192.168.0.91 src=46111 daddr=192.168.0.8 dest=111 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.267:27): avc: denied { recv } for saddr=192.168.0.8 src=111 daddr=192.168.0.91 dest=46111 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.535:28): avc: denied { send } for pid=2249 comm="dbus-daemon" saddr=192.168.0.91 src=51225 daddr=192.168.0.8 dest=111 netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.539:29): avc: denied { recv } for pid=15 comm="kblockd/0" saddr=192.168.0.8 src=111 daddr=192.168.0.91 dest=51225 netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.667:30): avc: denied { recv } for pid=2610 comm="S98haldaemon" saddr=192.168.0.8 src=53 daddr=192.168.0.91 dest=32768 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.667:31): avc: denied { send } for pid=2430 comm="ntpd" saddr=192.168.0.91 src=32772 daddr=192.168.0.8 dest=53 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.759:32): avc: denied { send } for pid=2605 comm="avahi-daemon" saddr=192.168.0.91 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202132.759:33): avc: denied { recv } for pid=2605 comm="avahi-daemon" saddr=192.168.0.91 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202138.119:34): avc: denied { recv } for pid=2651 comm="xkbcomp" saddr=192.168.0.9 src=631 daddr=192.168.0.255 dest=631 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202145.472:35): avc: denied { send } for pid=2249 comm="dbus-daemon" saddr=192.168.0.91 src=46610 daddr=192.168.0.8 dest=111 netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202145.472:36): avc: denied { recv } for saddr=192.168.0.8 src=111 daddr=192.168.0.91 dest=46610 netif=eth0 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202147.208:39): avc: denied { send } for pid=2334 comm="ypbind" saddr=192.168.0.91 src=818 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202147.208:40): avc: denied { recv } for pid=2756 comm="X" saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=818 netif=eth0 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202152.576:41): avc: denied { recv } for pid=2788 comm="kdm_greet" saddr=192.168.0.249 src=5353 daddr=224.0.0.251 dest=5353 netif=eth0 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202153.132:42): avc: denied { recv } for saddr=192.168.0.76 src=33384 daddr=192.168.0.255 dest=111 netif=eth0 scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202154.124:43): avc: denied { recv } for saddr=192.168.0.9 src=631 daddr=192.168.0.255 dest=631 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202156.592:44): avc: denied { recv } for saddr=192.168.0.9 src=123 daddr=192.168.0.255 dest=123 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202177.153:45): avc: denied { send } for pid=2153 comm="syslogd" saddr=192.168.0.91 src=514 daddr=192.168.0.8 dest=514 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202187.214:46): avc: denied { send } for pid=2334 comm="ypbind" saddr=192.168.0.91 src=818 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202187.214:47): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=818 netif=eth0 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202195.738:48): avc: denied { recv } for saddr=192.168.0.85 src=34325 daddr=192.168.0.255 dest=111 netif=eth0 scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202199.326:49): avc: denied { send } for pid=2430 comm="ntpd" saddr=192.168.0.91 src=123 daddr=202.124.17.10 dest=123 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.457:50): avc: denied { send } for pid=2847 comm="automount" saddr=192.168.0.91 src=840 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.457:51): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=840 netif=eth0 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.489:52): avc: denied { send } for pid=2848 comm="mount" saddr=192.168.0.91 src=904 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.489:53): avc: denied { recv } for saddr=192.168.0.8 src=696 daddr=192.168.0.91 dest=904 netif=eth0 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202246.673:54): avc: denied { send } for pid=2178 comm="portmap" saddr=127.0.0.1 src=111 daddr=127.0.0.1 dest=785 netif=lo scontext=system_u:system_r:portmap_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet

Fixed in selinux-policy-2.3.14-3
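
A triage aid for listings like the ones in this report, added here as an example and not part of the bug report or of any SELinux tool: it parses AVC denial records and groups them by target type and class, so a denial shared by many unrelated source domains stands out from a per-service one. The function names (`parse_avc`, `summarize`, `shared_targets`) and the `min_domains` threshold are assumptions; four sample records are copied from the report and the fifth is constructed.

```python
import re
from collections import defaultdict

# First four records copied from the report; the last (tclass=file) is
# constructed, to show that unrelated denials are kept in their own group.
SAMPLE = '''\
audit(1152202124.462:9): avc: denied { send } for pid=2153 comm="syslogd" saddr=192.168.0.91 src=32768 daddr=192.168.0.8 dest=53 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202124.466:10): avc: denied { recv } for saddr=192.168.0.8 src=53 daddr=192.168.0.91 dest=32768 netif=eth0 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202129.867:19): avc: denied { send } for pid=2410 comm="cupsd" saddr=192.168.0.91 src=890 daddr=192.168.0.8 dest=696 netif=eth0 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202199.326:49): avc: denied { send } for pid=2430 comm="ntpd" saddr=192.168.0.91 src=123 daddr=202.124.17.10 dest=123 netif=eth0 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=packet
audit(1152202300.000:60): avc: denied { read } for pid=3001 comm="example" name="example.conf" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record: skip rather than guess
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Map (target type, class) -> {source domain: sorted denied perms}."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['ttype'], rec['tclass'])][rec['stype']].update(rec['perms'])
    return {t: {d: sorted(p) for d, p in doms.items()} for t, doms in groups.items()}

def shared_targets(summary, min_domains=3):
    """Targets denied to at least min_domains distinct source domains."""
    return [t for t, doms in summary.items() if len(doms) >= min_domains]

if __name__ == '__main__':
    for target in shared_targets(summarize(SAMPLE)):
        print(target, summarize(SAMPLE)[target])
```

Fed the full listing from the report, the `(unlabeled_t, packet)` group collects every daemon domain shown, which matches the report's summary that the denials are not specific to one service.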