Bug 369371

Summary: SELinux blocking xinetd 590X and 2000
Product: [Fedora] Fedora Reporter: Warren Togami <wtogami>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-30 19:18:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 188611    

Description Warren Togami 2007-11-07 04:38:15 UTC 
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1194409964.031:84): arch=c000003e syscall=49 success=no
exit=-13 a0=6 a1=7fff0ff84d50 a2=1c a3=7fff0ff84d4c items=0 ppid=1 pid=10771
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0 key=(null)
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

vnc-ltsp-config-4.0-3
This package specifies a few ports to be served by xinetd to allow VNC-based
XDMCP logins.  SELInux is blocking this.

type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
nbd-server being served by xinetd is also blocked.  nbd-server is on TCP port 2000.

Why is SELinux blocking these ports?
What should we do?
Comment 1 Daniel Walsh 2007-11-07 15:33:48 UTC 
You can add the ports to xinetd by executing

# semanage port -a -t inetd_child_port_t -P tcp 5902
# semanage port -a -t inetd_child_port_t -P tcp 5903

You can add the other rule by executing 

# grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
#semodule -i myxinetd.pp
Comment 2 Daniel Walsh 2007-11-07 15:35:40 UTC 
I will also put back the uncofined_domain for inetd in Fedora 8.
Comment 3 Warren Togami 2007-11-07 19:35:28 UTC 
> # semanage port -a -t inetd_child_port_t -P tcp 5902
> # semanage port -a -t inetd_child_port_t -P tcp 5903

> # grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
> #semodule -i myxinetd.pp

I need both of these?

> I will also put back the uncofined_domain for inetd in Fedora 8.

What will the effect of this be?

> semanage port -a -t inetd_child_port_t -P tcp 5902

Is it proper to insert this (and matching removal) into the %post and %preun of
ltsp-vnc-config?
Comment 4 Daniel Walsh 2007-11-07 22:11:19 UTC 
No, I would just wait for the updated policy


Fixed in selinux-policy-targeted-3.0.8-47.fc8.noarch.rpm
Comment 5 Daniel Walsh 2007-11-07 22:24:17 UTC 
Should be 48 not 47
Comment 6 Daniel Walsh 2008-01-30 19:18:38 UTC 
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.