Bug 688866

Summary: Allow BIND to bind(2) port 80
Product: [Fedora] Fedora Reporter: Adam Tkac <atkac>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: atkac, dwalsh, ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-04 16:55:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Adam Tkac 2011-03-18 10:29:04 UTC 
Description of problem:
BIND has a feature to export server statistics through HTTP. However this feature is currently unusable because SELinux denies BIND to bind(2) port 80.

Version-Release number of selected component (if applicable):
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.9.16-4.fc16.noarch

How reproducible:
always
  
Actual results:
bind(2) is denied:

type=AVC msg=audit(1300449619.385:15): avc:  denied  { name_bind } for  pid=1186 comm="named" src=80 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1300449619.385:15): arch=c000003e syscall=49 success=yes exit=0 a0=14 a1=7ff1de4d7600 a2=10 a3=7ff1de4d7210 items=0 ppid=1183 pid=1186 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Expected results:
successful bind(2)

Let me know if you need more information.
Comment 1 Adam Tkac 2011-03-18 10:29:49 UTC 
Oops, set wrong component. Changing to selinux-policy-targeted.
Comment 2 Miroslav Grepl 2011-03-18 11:15:07 UTC 
Should we allow it by default?
Comment 3 Adam Tkac 2011-03-18 11:23:38 UTC 
(In reply to comment #2)
> Should we allow it by default?

If you would like to add new selinux boolean then disable it by default. Not sure if there is another way how to disable enforcing of this rule by default.
Comment 4 Daniel Walsh 2011-03-18 14:06:53 UTC 
Should be a boolean.

named_bind_http_port

Off by default.
Comment 5 Adam Tkac 2011-03-18 14:55:14 UTC 
(In reply to comment #4)
> Should be a boolean.
> 
> named_bind_http_port
> 
> Off by default.

Sounds fine for me.
Comment 6 Miroslav Grepl 2011-04-04 16:55:01 UTC 
Should be fixed in the latest f15 policy.