Bug 581634
Summary: | SELinux is preventing /usr/libexec/vino-server "name_bind" access . | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Carl G. <carlg> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 12 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:e99464acc8deafe248ec2adfe1505ab5303c6ae04da719544e796175ed78e587 | ||
Fixed In Version: | selinux-policy-3.6.32-113.fc12 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-05-03 16:09:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Carl G.
2010-04-12 20:24:55 UTC
Miroslav, you are going to need to grab the corenetwork.te.in file from F13. Miroslav you probably want to grab all of the corenetwork files. We found a bug when handling ranges of ports. Sorry if it's a stupid question but... can it explain this AVC : https://bugzilla.redhat.com/show_bug.cgi?id=565374(In reply to comment #2) > Miroslav you probably want to grab all of the corenetwork files. We found a > bug when handling ranges of ports. staff_t is supposed to be allowed to run user apps as server, if the port is > 1024 and the boolean user_tcp_server is turned on. SELinux policy has two attributes associated with port types. All port types have the attribute of port_type and ports less then 1024 have an attribute reserved_port_type. The policy says something like if user_tcp_server { allow staff_t { port_type -reserved_port_type }:tcp_socket name_bind; } But there is a bug in policy that is defining vnc_port_t as a reserved_port_type, even though none of the ports is less then 1024. The bug is in the handling of port ranges, and is fixed in the latest F13 corenetwork.* Thank you for the informative answer Daniel ! (In reply to comment #2) > Miroslav you probably want to grab all of the corenetwork files. We found a > bug when handling ranges of ports. > The bug is in the handling of port ranges, and is fixed in the latest F13 > corenetwork.* Does that mean an update would be available too for F12 ? Yes, I will fix it also in F12. Fixed in selinux-policy-3.6.32-112.fc12 selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12 selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12 selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |