Description of problem:
1. firewall-cmd --add-service=icecream-scheduler
2. systemctl start icecream-scheduler

SELinux is preventing icecc-scheduler from 'name_bind' accesses on the udp_socket port 8765.

***** Plugin bind_ports (99.5 confidence) suggests ************************

If you want to allow icecc-scheduler to bind to network port 8765
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 8765
where PORT_TYPE is one of the following: icecc_scheduler_port_t, lirc_port_t.

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that icecc-scheduler should be allowed name_bind access on the port 8765 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'icecc-scheduler' --raw | audit2allow -M my-iceccscheduler
# semodule -X 300 -i my-iceccscheduler.pp

Additional Information:
Source Context                system_u:system_r:icecc_scheduler_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 8765 [ udp_socket ]
Source                        icecc-scheduler
Source Path                   icecc-scheduler
Port                          8765
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.9-200.fc24.x86_64 #1 SMP Thu Oct 20 14:26:16 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-11-04 10:41:37 CET
Last Seen                     2016-11-04 10:41:37 CET
Local ID                      286b9768-bfcc-40c9-b001-516de8789a0c

Raw Audit Messages
type=AVC msg=audit(1478252497.21:6033): avc: denied { name_bind } for pid=28450 comm="icecc-scheduler" src=8765 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

Hash: icecc-scheduler,icecc_scheduler_t,unreserved_port_t,udp_socket,name_bind

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.9-200.fc24.x86_64
type:           libreport
The policy for icecream is shipped in the icecream package. Reassigning to myself. I already noticed this avc on my system while working on bug 1389570.
icecream-1.1-0.3.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.3.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
Thanks for pushing the update. This is not resolved for me by installing icecream 1.1-0.3.rc2.ga79f70f.fc25 from testing-updates. after `sudo systemctl start icecc-scheduler` SELinux Troubleshooter says: SELinux is preventing icecc-scheduler from name_bind access on the udp_socket port 8765. I also tried installing selinux-policy 3.13.1-222.fc25, but the exception still occurs.
Were you running the updated kernel at the time, Ralph? I also got this on one of three test machines, and that machine hadn't been rebooted with the updated kernel that introduced the original problem.
I did try rebooting. The machine is running kernel 4.8.6-300.fc25.x86_64.
icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
Ralph, please attach the output of "semanage port -l" (as root).
Created attachment 1219485
semanage port -l on Fedora 25

$ sudo semanage port -l | grep 8765
lirc_port_t                    tcp      8765
$ sudo semanage port -l | grep ice
icecc_scheduler_port_t         tcp      8766
iceccd_port_t                  tcp      10245

Port list from https://github.com/icecc/icecream

TCP/10245 on the daemon computers (required)
TCP/8765 for the scheduler computer (required)
TCP/8766 for the telnet interface to the scheduler (optional)
UDP/8765 for broadcast to find the scheduler (optional)
The %post script of the package should have marked UDP port 8765 as icecc_scheduler_port_t. I don't know why it was not successful on your system. You can see the script in the package:

rpm -q --qf '%{postin}' icecream

The relevant part is this loop:

for selinuxvariant in mls strict targeted; do
  {
    echo "port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245"
    echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766"
    echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765"
    # tcp 8765 is taken by LIRC. icecream.te knows it.
    # echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765"
  } | semanage -i - 2>/dev/null
done

Try running it manually. Remove the "2>/dev/null" redirection to see possible errors.
Running the `semanage port` command manually resolves the issue. So why isn't the postin script working?

On a different machine I confirmed the bug by installing icecream, trying to start icecc-scheduler, upgrading to the version in testing-updates, trying to start again. I then did:

$ for selinuxvariant in mls strict targeted; do echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765" | sudo semanage -i -; done
ValueError: Port udp/8765 already defined
ValueError: Port udp/8765 already defined
$ sudo semanage port -l | grep 8765
[sudo] password for giles:
icecc_scheduler_port_t         udp      8765
lirc_port_t                    tcp      8765

Which shows the port added. After that, I was able to start the service.
semanage behaves differently than I expected. When given multiple commands in the input, it quits immediately after encountering an error. When upgrading from a previous version of icecream, port tcp/10245 is already defined, so the command to add udp/8765 is not even reached. I will change the scriptlet to define the ports in separate semanage calls for robustness.
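The following is an added illustration of the separate-call approach the previous comment describes, and of the port table quoted from the package scriptlet two comments up. It is example code written for this page, not the icecream package's actual %post scriptlet. It assumes the three port mappings from the scriptlet (tcp/10245, tcp/8766, udp/8765), targets only the default policy store (no -S variant loop), and adds one design choice the thread does not mention: when semanage reports a port as already defined, the mapping is modified with -m instead of being skipped, so an upgraded host still ends up with the wanted type. The names label_port and label_all_ports, and the SEMANAGE override variable (present only so the logic can be exercised against a stub without an SELinux host), are hypothetical.

```shell
#!/bin/sh
# Added example, not the icecream package's scriptlet: label each SELinux
# port in its own semanage call, so that one "already defined" error (for
# instance tcp/10245 left over from an earlier package version) cannot
# prevent the remaining ports from being labelled.
# SEMANAGE is a hypothetical override used only to exercise the logic
# against a stub; leave it unset on a real host.
SEMANAGE="${SEMANAGE:-semanage}"

# Port assignments taken from the bug thread: type, protocol, port.
# tcp/8765 is deliberately absent: it is owned by lirc_port_t.
ICECREAM_PORTS='
iceccd_port_t tcp 10245
icecc_scheduler_port_t tcp 8766
icecc_scheduler_port_t udp 8765
'

# label_port TYPE PROTO PORT
# Adds the mapping; if semanage says it is already defined, modifies it
# instead (design choice of this example). Returns 0 on success, 1 on any
# other error, with the semanage message sent to stderr.
label_port() {
    _type=$1; _proto=$2; _port=$3
    _err=$("$SEMANAGE" port -a -t "$_type" -p "$_proto" "$_port" 2>&1) && return 0
    case $_err in
        *"already defined"*)
            if "$SEMANAGE" port -m -t "$_type" -p "$_proto" "$_port" 2>/dev/null; then
                return 0
            fi
            echo "semanage port -m ${_proto}/${_port} failed" >&2
            return 1
            ;;
        *)
            echo "semanage port -a ${_proto}/${_port} failed: $_err" >&2
            return 1
            ;;
    esac
}

# label_all_ports
# Runs label_port once per entry (no pipe into a single semanage -i, so an
# error on one entry does not abort the rest). Prints the number of entries
# that failed and always exits 0, so a scriptlet can decide how to react.
label_all_ports() {
    _failed=0
    while read -r _t _p _n; do
        [ -n "$_t" ] || continue
        label_port "$_t" "$_p" "$_n" || _failed=$((_failed + 1))
    done <<EOF
$ICECREAM_PORTS
EOF
    echo "$_failed"
    return 0
}
```

Run as root on a host with the semanage tool installed; afterwards the check used in this thread, `semanage port -l | grep 8765`, should list icecc_scheduler_port_t for udp/8765 alongside lirc_port_t for tcp/8765.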
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d
icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.