Bug 562179
| Summary: | SELinux is preventing /usr/sbin/winbindd from connecting to port 1025. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Matelski <jmatelski> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, gdeschner, jlayton, mgrepl, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:e96ca427220bcde99f81887526d1751bc722595481d1920523e17dbe7e6e5a57 | ||
| Fixed In Version: | selinux-policy-3.6.32-89.fc12 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-02-20 00:21:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Why is winbind tring to connect to port 1025? This looks like local customization. What is listening at port 1025? No local customizations have been made. Winbind is being used only to authenticate with a Windows 2003 Active Directory domain, which was configured using the standard Fedora 12 dialog boxes. No direct editing was done to the smb.conf or system-auth files. To my knowledge port 1025 should be used for anything as a listening port, which is rather unusual why the message started appearing. It's been going on for about 3 weeks after the latest round of patches. Hey samba guys, any idea why winbind would be trying to connect to port 1025? Dan, Winbind contacts the Domain Controller's End Point Mapper to set up an MS-RPC connection over TCP. The EPM runs on port 135 and can return any port between the ranges 1025-5000 and 49152-65535. 1025 is quite common. This document [1] describes all the ports Winbindd and smbd should be able to get access to. Please note also the Global Catalog(GC) ports (3268,3269). Simo. [1] http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx Miroslav add corenet_tcp_connect_all_unreserved_ports(winbind_t) Fixed in selinux-policy-3.6.32-86.fc12 selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12 selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836 selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |
Summary: SELinux is preventing /usr/sbin/winbindd from connecting to port 1025. Detailed Description: SELinux has denied winbindd from connecting to a network port 1025 which does not have an SELinux type associated with it. If winbindd should be allowed to connect on 1025, use the semanage command to assign 1025 to a port type that winbind_t can connect to (smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t, ocsp_port_t). If winbindd is not supposed to connect to 1025, this could signal a intrusion attempt. Allowing Access: If you want to allow winbindd to connect to 1025, you can execute semanage port -a -t PORT_TYPE -p tcp 1025 where PORT_TYPE is one of the following: smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t, ocsp_port_t. Additional Information: Source Context system_u:system_r:winbind_t:s0 Target Context system_u:object_r:port_t:s0 Target Objects None [ tcp_socket ] Source winbindd Source Path /usr/sbin/winbindd Port 1025 Host (removed) Source RPM Packages samba-winbind-3.4.5-55.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-78.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name connect_ports Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18 20:06:44 UTC 2010 i686 i686 Alert Count 2 First Seen Fri 05 Feb 2010 08:25:33 AM CST Last Seen Fri 05 Feb 2010 08:25:37 AM CST Local ID 9df4ad40-b242-4a8c-bae2-a1e965a34608 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1265379937.25:27475): avc: denied { name_connect } for pid=1224 comm="winbindd" dest=1025 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket node=(removed) type=SYSCALL msg=audit(1265379937.25:27475): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc296e0 a2=7b0ff4 a3=1b6a108 items=0 ppid=1 pid=1224 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-78.fc12,connect_ports,winbindd,winbind_t,port_t,tcp_socket,name_connect audit2allow suggests: #============= winbind_t ============== #!!!! This avc can be allowed using the boolean 'allow_ypbind' allow winbind_t port_t:tcp_socket name_connect;