Bug 470849

Summary: SELinux is preventing the dnsmasq (dnsmasq_t) from binding to random ports
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: libvirt
Assignee: Daniel Veillard <veillard>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: berrange, clalance, crobinso, dwalsh, tcallawa, veillard
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-10 15:24:51 EST
Bug Blocks: 438943

Description Matěj Cepl 2008-11-10 11:29:54 EST
This is one example; these are random ports dnsmasq is trying to attach to when running RHEL4 in the kvm virtual machine (host is Rawhide).

Description of problem:
SELinux is preventing the dnsmasq (dnsmasq_t) from binding to port 16223.

Detailed Description:

SELinux has denied dnsmasq from binding to network port 16223, which does not
have an SELinux type associated with it. If dnsmasq is supposed to be allowed
to listen on this port, you can use the semanage command to add this port to a
port type that dnsmasq_t can bind to. semanage port -l will list all port
types. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If dnsmasq is not supposed to bind to this port, this could signal an
intrusion attempt. If this system is running as an NIS client, turning on the
allow_ypbind boolean may fix the problem: setsebool -P allow_ypbind=1.

Allowing Access:

If you want to allow dnsmasq to bind to this port, run
semanage port -a -t PORT_TYPE -p PROTOCOL 16223, where PORT_TYPE is a type that
dnsmasq_t can bind to and PROTOCOL is udp or tcp.

Additional Information:

Source Context                system_u:system_r:dnsmasq_t
Target Context                system_u:object_r:port_t
Target Objects                None [ udp_socket ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          16223
Host                          hubmaier.ceplovi.cz
Source RPM Packages           dnsmasq-2.45-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-11.fc10
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.27.4-79.fc10.x86_64
                              #1 SMP Tue Nov 4 21:23:33 EST 2008 x86_64 x86_64
Alert Count                   37
First Seen                    Mon 10 Nov 2008, 15:35:44 CET
Last Seen                     Mon 10 Nov 2008, 17:09:53 CET
Local ID                      582988a1-946c-4ccd-bbf6-78a899cda8dc
Line Numbers                  

Raw Audit Messages            

node=hubmaier.ceplovi.cz type=AVC msg=audit(1226333393.929:245): avc:  denied  { name_bind } for  pid=2554 comm="dnsmasq" src=16223 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1226333393.929:245): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7fff064cd8e0 a2=10 a3=1999999999999999 items=0 ppid=2513 pid=2554 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
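An added example, not part of this bug report or of setroubleshoot: a small Python parser for AVC records like the one above. It pulls out the fields the alert text refers to (source domain, target port type, port, socket class) and flags name_bind denials whose target is only the generic port_t, which is the case where semanage port can assign a port type. The second audit line (port 53 with dns_port_t) and all function names are my own constructions.

```python
import re

# Constructed sample input: the first line is the AVC record from this bug
# report; the second is a constructed record for a port that carries a
# service-specific type (dns_port_t), so the classifier has both cases.
SAMPLE_AVC_LINES = [
    'node=hubmaier.ceplovi.cz type=AVC msg=audit(1226333393.929:245): avc:  denied  '
    '{ name_bind } for  pid=2554 comm="dnsmasq" src=16223 '
    'scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:port_t:s0 '
    'tclass=udp_socket',
    'node=example.test type=AVC msg=audit(1226333400.000:246): avc:  denied  '
    '{ name_bind } for  pid=2554 comm="dnsmasq" src=53 '
    'scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dns_port_t:s0 '
    'tclass=udp_socket',
]

# "avc:  denied  { perm ... }" followed by key=value pairs (values may be quoted).
AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]+?)\s*\}(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    tclass = kv.get('tclass', '')
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'port': int(kv['src']) if kv.get('src', '').isdigit() else None,
        'stype': kv.get('scontext', '::unknown').split(':')[2],  # e.g. dnsmasq_t
        'ttype': kv.get('tcontext', '::unknown').split(':')[2],  # e.g. port_t
        'tclass': tclass,
        'proto': tclass[:-len('_socket')] if tclass.endswith('_socket') else None,
    }


def is_generic_port_bind(rec):
    """name_bind refused on a port labelled only with the generic port_t."""
    return (rec['decision'] == 'denied' and 'name_bind' in rec['perms']
            and rec['ttype'] == 'port_t' and rec['proto'] in ('udp', 'tcp'))


def summarize(lines):
    recs = [r for r in map(parse_avc, lines) if r is not None]
    for rec in recs:
        rec['generic_port'] = is_generic_port_bind(rec)
    return recs
```

Records flagged generic_port are the ones where the alert's semanage advice applies; a denial against a service-specific port type (the second sample) needs a policy rule instead, as the fix in this bug did.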

Comment 1 John Poelstra 2008-11-10 13:33:11 EST
Not sure if this should be a blocker, but starting there.
Comment 2 Daniel Walsh 2008-11-10 13:58:23 EST
This is fixed in selinux-policy-3.5.13-18.fc10 which I have already requested be put in the final release.
Comment 3 Tom "spot" Callaway 2008-11-10 15:24:51 EST
selinux-policy-3.5.13-18.fc10 is tagged for f10-final.