Description of problem:
ping is executed in its own context (ping_exec_t) and this context is apparently not allowed to use nscd. I get

type=AVC msg=audit(1140416086.417:35186): avc: denied { name_connect } for pid=25684 comm="spamassassin" dest=111 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-2.2.11-1

How reproducible:
always

Steps to Reproduce:
1. as root: strace ping www.redhat.com
2.
3.

Actual results:
above message in audit logs

Expected results:
nscd used, connect syscall succeeds

Additional info:
I pasted the wrong audit message:

type=AVC msg=audit(1140416531.597:35201): avc: denied { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35201): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35201): saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc: denied { name_bind } for pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35202): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffffd878a0 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35202): saddr=020003CA000000000000000000000000
type=AVC msg=audit(1140416531.597:35203): avc: denied { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35203): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35203): saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35204): avc: denied { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35204): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=0 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35204): saddr=0200006F7F000001CAA44921952B0000
type=AVC msg=audit(1140416531.597:35205): avc: denied { name_bind } for pid=25810 comm="ping" src=971 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35205): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffffd878d0 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35205): saddr=020003CB000000000000000000000000
type=AVC msg=audit(1140416531.597:35206): avc: denied { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35206): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b30 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35206): saddr=0200006F7F000001CAA44921952B0000
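To read denials like the ones above without guessing, it helps to join each AVC record with its SYSCALL and SOCKADDR records (they share the audit serial) and to decode the hex saddr, which is how you confirm that ping_t was being blocked from connecting to 127.0.0.1:111 (portmap) and from binding reserved ports 970/971, i.e. the RPC path of a NIS (ypbind) lookup. The script below is an added example, not part of this bug report or of selinux-policy; it embeds the first two events quoted above as constructed sample input, assumes a little-endian host for the sa_family field (arch=c000003e confirms x86_64 here), and its te_rule() only reproduces the rule audit2allow would print from such a record.

```python
import re
import socket
import struct

# Constructed sample input: the first two denial events quoted in the comment
# above, embedded so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1140416531.597:35201): avc: denied { name_connect } for pid=25810 comm="ping" dest=111 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35201): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffffd87b00 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35201): saddr=0200006F7F000001301F675555550000
type=AVC msg=audit(1140416531.597:35202): avc: denied { name_bind } for pid=25810 comm="ping" src=970 scontext=user_u:system_r:ping_t:s0-s0:c0.c255 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1140416531.597:35202): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7fffffd878a0 a2=10 a3=3 items=0 pid=25810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ping" exe="/bin/ping"
type=SOCKADDR msg=audit(1140416531.597:35202): saddr=020003CA000000000000000000000000
"""

AF_UNIX, AF_INET = 1, 2

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')


def decode_saddr(hex_saddr):
    """Decode the hex struct sockaddr carried by an audit SOCKADDR record.

    sa_family is in host byte order (assumed little-endian, as on the x86_64
    box that produced arch=c000003e); sin_port is in network byte order.
    """
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET", "addr": socket.inet_ntoa(raw[4:8]), "port": port}
    if family == AF_UNIX:
        # sun_path is NUL-terminated; this is what an nscd socket connect would show
        path = raw[2:].split(b"\0", 1)[0].decode(errors="replace")
        return {"family": "AF_UNIX", "path": path}
    return {"family": family, "raw": hex_saddr}


def parse_audit(text):
    """Group AVC/SYSCALL/SOCKADDR records by audit serial into one event each."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1))})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "AVC":
            pm = PERM_RE.search(line)
            if pm is None:          # a "granted" AVC record, not a denial
                continue
            ev["perm"] = pm.group(1)
            for k in ("scontext", "tcontext", "tclass", "comm", "pid"):
                ev[k] = fields.get(k)
        elif rtype == "SYSCALL":
            ev["syscall"] = int(fields["syscall"])
            ev["exit"] = int(fields["exit"])     # -13 is -EACCES
            ev["exe"] = fields.get("exe")
        elif rtype == "SOCKADDR":
            ev["sockaddr"] = decode_saddr(fields["saddr"])
    return [events[s] for s in sorted(events)]


def describe(ev):
    """One-line summary: which domain was denied what, on which endpoint."""
    sa = ev.get("sockaddr", {})
    if sa.get("family") == "AF_INET":
        target = f"{sa['addr']}:{sa['port']}"
    elif sa.get("family") == "AF_UNIX":
        target = sa["path"]
    else:
        target = "?"
    src_type = ev["scontext"].split(":")[2]
    tgt_type = ev["tcontext"].split(":")[2]
    return (f"{ev['comm']}[{ev['pid']}] as {src_type}: denied {ev['perm']} "
            f"on {ev['tclass']} labelled {tgt_type} (endpoint {target})")


def te_rule(ev):
    """The allow rule audit2allow would derive from this denial (shown for
    comparison with the policy update that closed the report)."""
    return (f"allow {ev['scontext'].split(':')[2]} "
            f"{ev['tcontext'].split(':')[2]}:{ev['tclass']} {ev['perm']};")


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT):
        print(describe(ev))
        print("   ", te_rule(ev))
```

Run it against `ausearch -i`-free raw output (e.g. `grep ' comm="ping"' /var/log/audit/audit.log`) and the decoded endpoints tell you whether the denials are the portmap/NIS path, as here, or the nscd Unix socket, which shows up as an AF_UNIX sockaddr with path /var/run/nscd/socket.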
Do you have ypbind running on your machine, if so is the allow_ypbind boolean turned on?
Yes, I'm using ypbind and /selinux/boolean/allow_ypbind contains 0 0. But it's also nscd I worry about:

fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 EACCES (Permission denied)

nscd access is also not allowed.
Fixed in rawhide.