| Summary: | new avcs since fixfiles restore and reboot | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-01-30 10:41:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:

```
# ausearch -m avc -ts '10:44:35'
----
time->Sat Jan 28 10:44:49 2012
type=AVC msg=audit(1327743889.191:23): avc: denied { read } for pid=1 comm="systemd" name="postfix" dev="dm-1" ino=92340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Sat Jan 28 10:46:27 2012
type=SYSCALL msg=audit(1327743987.466:69): arch=c000003e syscall=42 success=no exit=-115 a0=1 a1=7f1888ab9bf0 a2=1c a3=7fff30ac3a90 items=0 ppid=1 pid=1934 auid=4294967295 uid=478 gid=473 euid=478 suid=478 fsuid=478 egid=473 sgid=473 fsgid=473 tty=(none) ses=4294967295 comm="bip" exe="/usr/bin/bip" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1327743987.466:69): avc: denied { name_connect } for pid=1934 comm="bip" dest=7000 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:gatekeeper_port_t:s0 tclass=tcp_socket
----
time->Sat Jan 28 10:46:27 2012
type=SYSCALL msg=audit(1327743987.763:70): arch=c000003e syscall=42 success=no exit=-115 a0=2 a1=7f1888abb5d0 a2=10 a3=a items=0 ppid=1 pid=1934 auid=4294967295 uid=478 gid=473 euid=478 suid=478 fsuid=478 egid=473 sgid=473 fsgid=473 tty=(none) ses=4294967295 comm="bip" exe="/usr/bin/bip" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1327743987.763:70): avc: denied { name_connect } for pid=1934 comm="bip" dest=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
```

```
# dmesg|grep avc
[   25.982265] type=1400 audit(1327743829.366:4): avc: denied { read } for pid=510 comm="multipath" name="nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   25.982392] type=1400 audit(1327743829.366:5): avc: denied { open } for pid=510 comm="multipath" name="nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   25.982557] type=1400 audit(1327743829.366:6): avc: denied { getattr } for pid=510 comm="multipath" path="/proc/sys/fs/nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   66.219993] type=1400 audit(1327743869.604:7): avc: denied { setsched } for pid=489 comm="udevd" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=process
```

Version-Release number of selected component (if applicable):

```
kernel-3.3.0-0.rc1.git4.1.fc17.x86_64
selinux-policy-targeted-3.10.0-80.fc17.noarch
systemd-39-1.fc17.x86_64
udev-179-1.fc17.x86_64
```

Comment #1:

I know nothing of bitlbee, should it be allowed to connect to these ports by default?

6777,
7000,

Comment #2 (In reply to comment #1):

> I know nothing of bitlbee, should it be allowed to connect to these ports by
> default?
>
> 6777,
> 7000,

/usr/bin/bip is an irc proxy so it needs connecting to usual irc ports to proxy them.

Port 7000 is used by irc.freenode.net for ssl-irc.

Port 6667 is the default non-secure irc port used by pretty much everyone else.

Comment #3:

Yes, this relates with the latest changes.

```
+/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0)
```

which I added.
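The denials above are in two formats (ausearch `type=AVC` records and dmesg `type=1400` lines) and the useful triage step is to reduce them to (source type, target type, class) triples with the union of denied permissions, which is what `audit2allow -a` does before printing `allow` rules. The script below is an added example, not code from this report or from the selinux-policy project: it parses both formats with a small regex, keys the port denials by `dest=` so the 7000/6667 question in the comments can be answered directly from the log, and emits audit2allow-style rules. The sample input is the report's own AVC lines embedded as a string; `SAMPLE_AVCS`, `parse_avc`, `summarize`, `port_denials` and `allow_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in this bug report, one
# record per line, mixing the ausearch (type=AVC) and dmesg (type=1400) forms.
SAMPLE_AVCS = """\
type=AVC msg=audit(1327743889.191:23): avc: denied { read } for pid=1 comm="systemd" name="postfix" dev="dm-1" ino=92340 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1327743987.466:69): avc: denied { name_connect } for pid=1934 comm="bip" dest=7000 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:gatekeeper_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1327743987.763:70): avc: denied { name_connect } for pid=1934 comm="bip" dest=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
[   25.982265] type=1400 audit(1327743829.366:4): avc: denied { read } for pid=510 comm="multipath" name="nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   25.982392] type=1400 audit(1327743829.366:5): avc: denied { open } for pid=510 comm="multipath" name="nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   25.982557] type=1400 audit(1327743829.366:6): avc: denied { getattr } for pid=510 comm="multipath" path="/proc/sys/fs/nr_open" dev="proc" ino=11900 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file
[   66.219993] type=1400 audit(1327743869.604:7): avc: denied { setsched } for pid=489 comm="udevd" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kernel_t:s0 tclass=process
"""

# The fields every AVC denial carries, regardless of which tool printed it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    dest = re.search(r"\bdest=(\d+)", line)  # only present on name_connect denials
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
        "dest": int(dest.group(1)) if dest else None,
    }


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def port_denials(text):
    """List (comm, destination port, port type) for every TCP name_connect denial."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["dest"] is not None and "name_connect" in rec["perms"]:
            out.append((rec["comm"], rec["dest"], rec["ttype"]))
    return out


def allow_rules(text):
    """Render the summary as audit2allow-style 'allow' statements, sorted."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return lines


if __name__ == "__main__":
    for comm, port, ptype in port_denials(SAMPLE_AVCS):
        print(f"{comm} -> tcp/{port} ({ptype})")
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

The three `udev_t` lines collapse into one `allow udev_t sysctl_fs_t:file { getattr open read };`, and the two bip lines show up as `bip -> tcp/7000 (gatekeeper_port_t)` and `bip -> tcp/6667 (ircd_port_t)`, which is the information the reporter supplied by hand in comment #2. The generated rules are a summary for triage, not something to load as a local module unreviewed: in this report the resolution was a policy change for the bitlbee domain (comment #3), and a denial such as `udev_t kernel_t:process setsched` calls for a look at why the process asked for it before any rule is written.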