I think I've run into this bug, just on Fedora 20 ( +++ This bug was initially created as a clone of Bug #1031324 +++ yum install uucp systemctl enable uucp.socket reboot You get the following avcs: type=AVC msg=audit(1384633888.838:16): avc: denied { name_bind } for pid=1 comm="systemd" src=540 scontext=system_u:system_r:uucpd_t:s0 tcontext=system_u:object_r:uucpd_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1384633996.651:651): avc: denied { name_bind } for pid=1 comm="systemd" src=540 scontext=system_u:system_r:uucpd_t:s0 tcontext=system_u:object_r:uucpd_port_t:s0 tclass=tcp_socket Policy should allow uucp.socket to bind to the uucpd port. --- Additional comment from Daniel Walsh on 2013-11-18 11:42:41 EST --- commit d964a0398b3ce94ff4cbc25fc503ae15f6653394 fixes this in git. ====================================================================================================== This is the information collected by setroubleshoot: SELinux is preventing systemd from 'name_bind' accesses on the tcp_socket . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:uucpd_t:s0 Target Context system_u:object_r:uucpd_port_t:s0 Target Objects [ tcp_socket ] Source systemd Source Path systemd Port 540 Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.12.1-122.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64 Alert Count 9 First Seen 2014-02-20 01:21:18 CET Last Seen 2014-02-20 16:14:29 CET Local ID 33aead1f-6cee-4790-a8bd-3257ff8dfa54 Raw Audit Messages type=AVC msg=audit(1392909269.380:418): avc: denied { name_bind } for pid=1 comm="systemd" src=540 scontext=system_u:system_r:uucpd_t:s0 tcontext=system_u:object_r:uucpd_port_t:s0 tclass=tcp_socket Hash: systemd,uucpd_t,uucpd_port_t,tcp_socket,name_bind
BTW, Dan: > --- Additional comment from Daniel Walsh on 2013-11-18 11:42:41 EST --- > > commit d964a0398b3ce94ff4cbc25fc503ae15f6653394 fixes this in git. Where is this repository? If it's private, the commit hash isn't very informative... Trying to correlate comment dates, RPM changelog entries to find what change you implemented didn't work out as well.
Here's the module which makes this work again for me: --- 8< --- localtmpselinuxuucp.te --- module localtmpselinuxuucp 1.0; require { type uucpd_port_t; type uucpd_t; class tcp_socket name_bind; } #============= uucpd_t ============== allow uucpd_t uucpd_port_t:tcp_socket name_bind; --- >8 ------------------------------
We have these rules in Rawhide.
(In reply to Daniel Walsh from comment #3) > We have these rules in Rawhide. Hmm, I meant that I didn't find a place where this commit hash is known, not upstream, not the Fedora dist-git: --- 8< --- nils@gibraltar:~/devel/git/fedora/selinux-policy (master)> git pull remote: Counting objects: 9, done. remote: Compressing objects: 100% (5/5), done. remote: Total 5 (delta 4), reused 0 (delta 0) Unpacking objects: 100% (5/5), done. From ssh://pkgs.fedoraproject.org/selinux-policy 450ad89..74ec503 master -> origin/master First, rewinding head to replay your work on top of it... Fast-forwarded master to 74ec503d1c10481ee512c8fcb11060d4c1f50408. nils@gibraltar:~/devel/git/fedora/selinux-policy (master)> git show d964a0398b3ce94ff4cbc25fc503ae15f6653394 fatal: bad object d964a0398b3ce94ff4cbc25fc503ae15f6653394 nils@gibraltar:~/devel/git/fedora/selinux-policy (master)> --- >8 ---
https://git.fedorahosted.org/git/selinux-policy.git commit 61a37e3952fac15bd2b83e4b51a0be14a3195dbf Author: Miroslav Grepl <mgrepl> Date: Mon Feb 24 13:09:49 2014 +0100 Back port uucpd changes from rawhide
selinux-policy-3.12.1-127.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.