Bug 2176070
| Summary: | SELinux is preventing prosody from name_bind access on the udp_socket port | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Berrehouc <nberrehouc> |
| Component: | selinux-policy | Assignee: | Robert Scheck <redhat-bugzilla> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 38 | CC: | dwalsh, jkaluza, lvrabec, mmalik, nberrehouc, nknazeko, omosnacek, pkoncity, redhat-bugzilla, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-38.29-1.fc38 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-10-03 16:39:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Still present in F38.
```
SELinux is preventing prosody from name_bind access on the udp_socket port 17166.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that prosody should be allowed name_bind access on the port 17166 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp
Additional Information:
Source Context system_u:system_r:prosody_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects port 17166 [ udp_socket ]
Source prosody
Source Path prosody
Port 17166
Host <REMOVED>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <REMOVED>
Platform Linux <REMOVED> 6.4.11-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Aug 16 17:42:12 UTC 2023
x86_64
Alert Count 10561
First Seen 2022-12-20 05:52:24 CET
Last Seen 2023-08-20 17:52:04 CEST
Local ID 17dee8f0-8676-4293-a36c-50e5faa4cb55
Raw Audit Messages
type=AVC msg=audit(1692546724.136:2151): avc: denied { name_bind } for pid=341290 comm="prosody" src=17166 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
Hash: prosody,prosody_t,unreserved_port_t,udp_socket,name_bind
```
Additional info:
```
SELinux is preventing prosody from search access on the directory net.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that prosody should be allowed search access on the net directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'prosody' --raw | audit2allow -M my-prosody
# semodule -X 300 -i my-prosody.pp
Additional Information:
Source Context system_u:system_r:prosody_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects net [ dir ]
Source prosody
Source Path prosody
Port <Unknown>
Host Icaricio
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch
Local Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Icaricio
Platform Linux Icaricio 6.4.11-200.fc38.x86_64 #1 SMP
PREEMPT_DYNAMIC Wed Aug 16 17:42:12 UTC 2023
x86_64
Alert Count 66
First Seen 2022-12-20 05:52:24 CET
Last Seen 2023-08-20 17:13:20 CEST
Local ID 4ed872c5-bc2a-4ba0-9475-ebd8ce2d8b0b
Raw Audit Messages
type=AVC msg=audit(1692544400.418:2108): avc: denied { search } for pid=341290 comm="prosody" name="net" dev="proc" ino=187 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
Hash: prosody,prosody_t,sysctl_net_t,dir,search
```
From journald log:
août 20 17:13:20 <REMOVED> prosody[341290]: [1692544400] libunbound[341290:0] error: failed to read from file: /proc/sys/net/ipv4/ip_local_port_range (Permission denied)
Thank you, it looks prosody was updated to use ports from /proc/sys/net/ipv4/ip_local_port_range, therefore policy needs to be adjusted, too. FEDORA-2023-b001a7edcc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b001a7edcc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b001a7edcc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. Thank you for the update. Works fine! Karma +1 FEDORA-2023-b001a7edcc has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: SEAlert in system logs. SELinux is preventing prosody from name_bind access on the udp_socket port 32165. Version-Release number of selected component (if applicable): prosody-0.12.2-1.fc37.x86_64 selinux-policy-37.19-1.fc37.noarch selinux-policy-minimum-37.19-1.fc37.noarch selinux-policy-targeted-37.19-1.fc37.noarch How reproducible: Install and start Prosody service. Steps to Reproduce: 1.Install Prosody 2.Start Prosody 3.Check system logs Actual results: SELinux is preventing prosody from name_bind access on the udp_socket port 32165. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. Do setsebool -P nis_enabled 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that prosody should be allowed name_bind access on the port 32165 udp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'prosody' --raw | audit2allow -M my-prosody # semodule -X 300 -i my-prosody.pp Additional Information: Source Context system_u:system_r:prosody_t:s0 Target Context system_u:object_r:unreserved_port_t:s0 Target Objects port 32165 [ udp_socket ] Source prosody Source Path prosody Port 32165 Host <REMOVED> Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch Local Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name <REMOVED> Platform Linux <REMOVED> 6.1.14-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Feb 26 00:13:26 UTC 2023 x86_64 x86_64 Alert Count 5067 First Seen 2022-12-20 05:52:24 CET Last Seen 2023-03-07 08:36:31 CET Local ID 17dee8f0-8676-4293-a36c-50e5faa4cb55 Raw Audit Messages type=AVC msg=audit(1678174591.528:431): avc: denied { name_bind } for pid=4309 comm="prosody" src=32165 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 Hash: prosody,prosody_t,unreserved_port_t,udp_socket,name_bind Expected results: No alert. Additional info: The same alert appears with different ports.