Bug 137689 - portmap policy not accounting for netlink socket
Summary: portmap policy not accounting for netlink socket
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: SELinux
Depends On:
Blocks: FC3Blocker
TreeView+ depends on / blocked
Reported: 2004-10-30 18:38 UTC by Ulrich Drepper
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version: 1.17.30-2.14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-11-01 18:56:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
add required permissions (434 bytes, patch)
2004-10-30 18:38 UTC, Ulrich Drepper
no flags Details | Diff

Description Ulrich Drepper 2004-10-30 18:38:54 UTC
Description of problem:
The portmap daemon does not start up with the current targeted policy since it
is not allowed to use the route netlink socket.  This is used through the glibc
functions related to RPC.  It's only read access which is needed, similar to
what has been done for nscd.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.start portmap
Actual results:
Oct 30 11:24:05 fw kernel: audit(1099160645.162:0): avc:  denied  { create } for
 pid=2209 exe=/sbin/portmap scontext=user_u:system_r:portmap_t
tcontext=user_u:system_r:portmap_t tclass=netlink_route_socket

Expected results:
No such message

Additional info:
The attached patch fixes the problem for me.

Comment 1 Ulrich Drepper 2004-10-30 18:38:55 UTC
Created attachment 105980 [details]
add required permissions

Comment 2 Daniel Walsh 2004-11-01 18:45:15 UTC
Fixed in selinux-policy-targeted-1.17.30-2.14

Comment 3 Ulrich Drepper 2004-11-01 18:56:21 UTC
Confirmed fixed.

Note You need to log in before you can comment on or make changes to this bug.