Bug 445091
| Summary: | (staff_u) SELinux is preventing the users from running TCP servers in the usedomain. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | CC: | bnocera, mcepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-05-06 21:08:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Note also, that sealert suffers a little schizofrenia: If this system is running as an NIS Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1. v. If you want to allow user programs to run as TCP Servers, you can turn on the user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1 You are running a service as a confined user, so you need to set the boolean. setroubleshoot tells you what to do. setsebool -P user_tcp_server=1 |
Description of problem: Souhrn: SELinux is preventing the users from running TCP servers in the usedomain. Podrobný popis: [SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.] SELinux has denied the rhythmbox program from binding to a network port 3689 which does not have an SELinux type associated with it. rhythmbox does not have an SELinux policy defined for it when run by the user, so it runs in the users domain. SELinux is currently setup to deny TCP server to run within the user domain. If you did not expect programs like rhythmbox to bind to a network port, then this could signal a intrusion attempt. If this system is running as an NIS Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1. Povolení přístupu: If you want to allow user programs to run as TCP Servers, you can turn on the user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1 Fix Command: setsebool -P user_tcp_server=1 Další informace: Kontext zdroje staff_u:staff_r:staff_t:SystemLow-SystemHigh Kontext cíle system_u:object_r:port_t Objekty cíle None [ tcp_socket ] Zdroj rhythmbox Cesta zdroje /usr/bin/rhythmbox Port 3689 Počítač viklef RPM balíčky zdroje rhythmbox-0.11.5-9.fc9 RPM balíčky cíle RPM politiky selinux-policy-3.3.1-42.fc9 Selinux povolen True Typ politiky targeted MLS povoleno True Vynucovací režim Permissive Název zásuvného modulu user_tcp_server Název počítače viklef Platforma Linux viklef 2.6.25-14.fc9.i686 #1 SMP Thu May 1 06:28:41 EDT 2008 i686 i686 Počet uporoznění 1 Poprvé viděno So 3. květen 2008, 16:28:55 CEST Naposledy viděno So 3. květen 2008, 16:28:55 CEST Místní ID 9112c82b-b475-4688-a629-e1620a5bd050 Čísla řádků Původní zprávy auditu host=viklef type=AVC msg=audit(1209824935.141:337): avc: denied { name_bind } for pid=9693 comm="rhythmbox" src=3689 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket host=viklef type=SYSCALL msg=audit(1209824935.141:337): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfdc4c60 a2=7c7f244 a3=8a792e0 items=0 ppid=9457 pid=9693 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=16 comm="rhythmbox" exe="/usr/bin/rhythmbox" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Additional info: This is while running as staff_u, so I will rather file it against SELinux policy, as it is being more likely broken than Rhythmbox.