Bug 137689 - portmap policy not accounting for netlink socket
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
: SELinux
Blocks: FC3Blocker
Reported: 2004-10-30 14:38 EDT by Ulrich Drepper
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: 1.17.30-2.14
Doc Type: Bug Fix
Last Closed: 2004-11-01 13:56:21 EST
Attachments:
add required permissions (434 bytes, patch)
2004-10-30 14:38 EDT, Ulrich Drepper
Description Ulrich Drepper 2004-10-30 14:38:54 EDT
Description of problem:
The portmap daemon does not start up with the current targeted policy since it
is not allowed to use the route netlink socket.  This is used through the glibc
functions related to RPC.  It's only read access which is needed, similar to
what has been done for nscd.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.11

How reproducible:
always

Steps to Reproduce:
1. start portmap

Actual results:
Oct 30 11:24:05 fw kernel: audit(1099160645.162:0): avc:  denied  { create } for
 pid=2209 exe=/sbin/portmap scontext=user_u:system_r:portmap_t
tcontext=user_u:system_r:portmap_t tclass=netlink_route_socket


Expected results:
No such message

Additional info:
The attached patch fixes the problem for me.
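
Added example (not part of the original report, and not the contents of the attached patch): a small parser that turns AVC denials like the one under "Actual results" into candidate allow rules for review. The first sample record is the denial from the report re-joined onto one line; the two records after it are constructed to show how permissions on the same class are merged.

```python
import re
from collections import defaultdict

# Record 1: the denial from the bug description, re-joined onto one line.
# Records 2-3: CONSTRUCTED follow-up denials, present only to show merging.
_CTX = "scontext=user_u:system_r:portmap_t tcontext=user_u:system_r:portmap_t tclass=netlink_route_socket"
SAMPLE_LOG = "\n".join([
    "Oct 30 11:24:05 fw kernel: audit(1099160645.162:0): avc:  denied  { create } for pid=2209 exe=/sbin/portmap " + _CTX,
    "Oct 30 11:24:06 fw kernel: audit(1099160646.001:0): avc:  denied  { bind } for pid=2209 exe=/sbin/portmap " + _CTX,
    "Oct 30 11:24:06 fw kernel: audit(1099160646.002:0): avc:  denied  { nlmsg_read read } for pid=2209 exe=/sbin/portmap " + _CTX,
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def context_type(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = dict(kv.split("=", 1) for kv in match.group("fields").split() if "=" in kv)
        try:
            key = (context_type(fields["scontext"]),
                   context_type(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, IndexError):
            continue  # line-wrapped or truncated record: skip it rather than guess
        denials[key].update(match.group("perms").split())
    return denials

def candidate_rules(denials):
    """Render one allow rule per (source, target, class), using 'self' when source == target."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append("allow %s %s:%s { %s };" % (src, target, cls, " ".join(sorted(perms))))
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

A record that is wrapped across lines, as in the report above, has to be re-joined before parsing; the parser skips incomplete records instead of emitting a partial rule.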
Comment 1 Ulrich Drepper 2004-10-30 14:38:55 EDT
Created attachment 105980
add required permissions
Comment 2 Daniel Walsh 2004-11-01 13:45:15 EST
Fixed in selinux-policy-targeted-1.17.30-2.14
Comment 3 Ulrich Drepper 2004-11-01 13:56:21 EST
Confirmed fixed.
