Bug 521406

Summary: setroubleshoot: SELinux is preventing chronyd from binding to port 323.
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:2911f1da200718ba8aa48ef6ecf728d60df5344ed6e33eeab68b0aa1a1ff7256
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-08 22:31:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nicolas Mailhot 2009-09-05 14:42:39 UTC 
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing chronyd from binding to port 323.

Description détaillée:

[chronyd has a permissive type (initrc_t). This access was not denied.]

SELinux has denied the chronyd from binding to a network port 323 which does not
have an SELinux type associated with it. If chronyd should be allowed to listen
on 323, use the semanage command to assign 323 to a port type that initrc_t can
bind to ().
If chronyd is not supposed to bind to 323, this could signal an intrusion
attempt.

Autoriser l'accès:

If you want to allow chronyd to bind to port 323, you can execute
# semanage port -a -t PORT_TYPE -p udp 323
where PORT_TYPE is one of the following: .
If this system is running as an NIS Client, turning on the allow_ypbind boolean
may fix the problem. setsebool -P allow_ypbind=1.

Informations complémentaires:

Contexte source               system_u:system_r:initrc_t:s0
Contexte cible                system_u:object_r:reserved_port_t:s0
Objets du contexte            None [ udp_socket ]
source                        chronyd
Chemin de la source           /usr/sbin/chronyd
Port                          323
Hôte                         (removed)
Paquetages RPM source         chrony-1.23-7.20081106gitbe42b4.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.30-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 bind_ports
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.203.rc8.git2.fc12.x86_64
                              #1 SMP Fri Sep 4 21:33:05 EDT 2009 x86_64 x86_64
Compteur d'alertes            5
Première alerte              sam. 05 sept. 2009 16:01:58 CEST
Dernière alerte              sam. 05 sept. 2009 16:26:35 CEST
ID local                      3307b1e5-5865-4d39-a67e-af3dc9542b99
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252160795.293:25): avc:  denied  { name_bind } for  pid=1543 comm="chronyd" src=323 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1252160795.293:25): arch=c000003e syscall=49 success=yes exit=0 a0=2 a1=7fffe48ce630 a2=10 a3=7fffe48ce62c items=0 ppid=1 pid=1543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:initrc_t:s0 key=(null)


audit2allow suggests:

#============= initrc_t ==============
allow initrc_t reserved_port_t:udp_socket name_bind;
Comment 1 Daniel Walsh 2009-09-08 22:31:23 UTC 
Fixed in selinux-policy-3.6.30-6.fc12.noarch