Bug 783924

Summary: unable to start ktorrent
Product: Fedora
Component: selinux-policy
Version: rawhide
Status: CLOSED NOTABUG
Reporter: Marcus Moeller <marcus.moeller>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-01-23 13:14:46 UTC

Description Marcus Moeller 2012-01-23 09:36:43 UTC
Description of problem:
We are using staff_u. After the latest policy update, we are unable to start ktorrent (and maybe similar applications that are binding sockets):

type=AVC msg=audit(1327310917.747:243): avc:  denied  { name_bind } for  pid=4495 comm="ktorrent" src=6881 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1327310917.747:243): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=168a6b0 a2=10 a3=7fffcb0ee9cc items=0 ppid=4494 pid=4495 auid=19187 uid=19187 gid=1029 euid=19187 suid=19187 fsuid=19187 egid=1029 sgid=1029 fsgid=1029 tty=(none) ses=5 comm="ktorrent" exe="/usr/bin/ktorrent" subj=staff_u:staff_r:staff_t:s0 key=(null)

audit2allow output:

#============= staff_t ==============
#!!!! This avc can be allowed using one of the these booleans:

#     user_tcp_server, allow_ypbind
allow staff_t unreserved_port_t:tcp_socket name_bind;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-72.fc16.noarch

Comment 1 Miroslav Grepl 2012-01-23 13:14:46 UTC
You will need to turn on the user_tcp_server boolean.

setsebool -P user_tcp_server 1
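As an added example (not part of this bug report or of the selinux-policy project), the following script decodes AVC denials like the one in the description and correlates each with its SYSCALL record by audit serial, so an administrator can see the domain, the target port type, the syscall that failed and the errno before deciding whether the boolean from comment 1 is the right remedy. The sample records are constructed from the two audit lines above; the syscall and errno tables and the boolean-hint table are deliberately limited to what this page shows (x86_64 syscall 49 is bind, exit -13 is EACCES, and staff_t name_bind on unreserved_port_t maps to user_tcp_server as recommended in comment 1).

```python
"""Decode SELinux AVC denials from raw audit records and correlate them with
their SYSCALL records. Added example, not part of the Bugzilla report."""
import re

# Constructed sample input, adapted from the two audit lines in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1327310917.747:243): avc:  denied  { name_bind } for  pid=4495 comm="ktorrent" src=6881 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1327310917.747:243): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=168a6b0 a2=10 a3=7fffcb0ee9cc items=0 ppid=4494 pid=4495 auid=19187 uid=19187 gid=1029 euid=19187 suid=19187 fsuid=19187 egid=1029 sgid=1029 fsgid=1029 tty=(none) ses=5 comm="ktorrent" exe="/usr/bin/ktorrent" subj=staff_u:staff_r:staff_t:s0 key=(null)
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# Values are bare tokens, "quoted strings" or (parenthesised) markers such as (null).
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\([^)]*\)|\S+)')

# Only the numbers that appear in this report are decoded (arch c000003e = x86_64).
X86_64_SYSCALLS = {49: "bind"}
ERRNO_NAMES = {-13: "EACCES"}

# Boolean hints limited to what audit2allow printed on this page. It also listed
# allow_ypbind, but only the boolean the maintainer recommended is encoded here.
BOOLEAN_HINTS = {
    ("staff_t", "tcp_socket", "name_bind", "unreserved_port_t"): "user_tcp_server",
}


def parse_kv(text):
    """Turn 'k=v k2="v2"' into a dict, stripping surrounding quotes."""
    return {m.group("key"): m.group("val").strip('"') for m in KV_RE.finditer(text)}


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_records(text):
    """Group AVC and SYSCALL records by audit serial number."""
    events = {}
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if not h:
            continue
        ev = events.setdefault(h.group("serial"), {"ts": h.group("ts")})
        if h.group("type") == "AVC":
            a = AVC_RE.match(h.group("body"))
            if a:
                fields = parse_kv(a.group("rest"))
                fields["verdict"] = a.group("verdict")
                fields["perms"] = a.group("perms").split()
                ev["avc"] = fields
        elif h.group("type") == "SYSCALL":
            ev["syscall"] = parse_kv(h.group("body"))
    return events


def analyze(text):
    """Summarise each denied AVC together with its SYSCALL context."""
    findings = []
    for serial, ev in parse_records(text).items():
        avc = ev.get("avc")
        if not avc or avc["verdict"] != "denied":
            continue
        sc = ev.get("syscall", {})
        domain = context_type(avc.get("scontext", ""))
        target = context_type(avc.get("tcontext", ""))
        syscall_name = None
        if sc.get("arch") == "c000003e" and "syscall" in sc:
            syscall_name = X86_64_SYSCALLS.get(int(sc["syscall"]))
        f = {
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "domain": domain,
            "target_type": target,
            "tclass": avc.get("tclass"),
            "perms": avc["perms"],
            "src_port": int(avc["src"]) if "src" in avc else None,
            "syscall": syscall_name,
            "errno": ERRNO_NAMES.get(int(sc["exit"])) if "exit" in sc else None,
            "boolean": None,
        }
        for perm in f["perms"]:
            hint = BOOLEAN_HINTS.get((domain, f["tclass"], perm, target))
            if hint:
                f["boolean"] = hint
        # Persistent boolean change, exactly as given in comment 1 of this report.
        f["fix"] = f"setsebool -P {f['boolean']} 1" if f["boolean"] else None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f"[{f['serial']}] {f['comm']} ({f['exe']}) in {f['domain']}: "
              f"{f['syscall']} port {f['src_port']} -> {f['errno']}; "
              f"denied {f['perms']} on {f['tclass']}:{f['target_type']}")
        print("  suggested:", f["fix"] or "no boolean hint; review the policy instead")
```

Feeding the output of `ausearch -m avc,syscall -ts recent` (or the relevant lines of /var/log/audit/audit.log) into `analyze()` gives the same summary for live denials; a denial that does not hit the hint table is reported without a suggested boolean so that nobody reaches for `audit2allow` output blindly.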

Comment 2 Marcus Moeller 2012-01-23 13:23:50 UTC
That's clear. The question is why it's disabled now by default. This prevents users from starting a lot of programs.