Bug 997142
Summary: | SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rex Dieter <rdieter> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | bzf, dominick.grift, dwalsh, hhorak, lvrabec, mclasen, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:044e17cfebdc673641b55a814d326b76145806821b65f63da960f4def8164fd3 | ||
Fixed In Version: | selinux-policy-3.12.1-74.3.fc19 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-14 02:30:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Rex Dieter
2013-08-14 18:45:01 UTC
Description of problem: Just logged in to kde session on f19 x86_64 box (with nfs $HOME, if that matters). Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.5-201.fc19.x86_64 type: libreport Any idea why accountsd would be binding to a port < 1024 honestly no, accountsservice is still largely a black box (with a neato dbus interface) to me. I'll try to ask around and find out though. For what it's worth, it must be temporary (on startup?)... just checked with lsof, and it's currently not listening. Description of problem: See bug 989516 Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.10-200.fc19.x86_64 type: libreport Are you running with NIS? Yes, I am running with NIS. (In reply to Daniel Walsh from comment #6) > Are you running with NIS? Yes, I'm also running NIS. It looks like nis or glibc must have changed to allow priv apps to bind to ports < 1024 fairly recently. I added a dontaudit for this in git. a13733d1b028ec3ca4db41d3468b486113c7da5b, nis should continue to attempt to bind to random ports until it gets one > 1024. *** Bug 1004737 has been marked as a duplicate of this bug. *** Reassigning to ypbind package to see if they know anything. Rex do you know about anything that might have changed to cause this? (In reply to Daniel Walsh from comment #11) > Reassigning to ypbind package to see if they know anything. Well, we did nothing serious in NIS packages (ypserv, ypbind, yp-tools) that could influence SELinux access for couple of months. I also don't understand how did you come to ypbind to cause this problem, since I don't probably understand enough what's happening in accounts-daemon that could be related to NIS. Could anybody explain to me the connection of accounts-daemon and ypbind, please? What I noticed only are some NIS-related changes in selinux-policy, so maybe that could help: * Fri Sep 06 2013 Lukas Vrabec <lvrabec> 3.12.1-74.2 - Dontaudit attempts to bind to ports < 1024 when nis is turned on * Thu Aug 08 2013 Miroslav Grepl <mgrepl> 3.12.1-70 - Make NFS home, NIS authentication and dbus-daemon working * Tue Mar 26 2013 Miroslav Grepl <mgrepl> 3.12.1-24 - Allow yppasswdd to use NIS * Wed Jan 23 2013 Miroslav Grepl <mgrepl> 3.12.1-6 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on * Wed Jan 16 2013 Miroslav Grepl <mgrepl> 3.12.1-5 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on Ok I think we will just don't audit for now and see if there are other problems. Fixed in 3.12.1-74.2 OK. Changing the component as well so it corresponds with the actual fix made. *** Bug 989516 has been marked as a duplicate of this bug. *** selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19 Package selinux-policy-3.12.1-74.3.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |