Description of problem:
the netdump script's attempt to traceroute to the netdump server fails when selinux enforcing mode is enabled.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-3.fc5

How reproducible:
always. This only causes netdump to fail if netdump server is not on the same subnet as client (since the netdump script falls back to the assumption that they are on the same subnet)

Steps to Reproduce:
1. enable netdump
2. netdump configuration is:
   NETDUMPADDR=XXX.XXX.XXX.XXX
   NETDUMPKEYEXCHANGE=none
3.

Actual results:
netdump script displays
  cannot traceroute to XXX.XXX.XXX.XXX on interface eth0
and selinux logs:
  audit(1144286449.407:2): avc: denied { use } for pid=1582 comm="traceroute" name="console" dev=tmpfs ino=649 scontext=system_u:system_r:traceroute_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd
  audit(1144286449.411:3): avc: denied { name_bind } for pid=1582 comm="traceroute" src=64000 scontext=system_u:system_r:traceroute_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

Expected results:

Additional info:
Other relevant packages:
netdump-0.7.14-1.2.1
kernel-2.6.16-1.2080_FC5
policycoreutils-1.30.1-3.fc5
Why is traceroute trying to name_bind on port 64000?
(In reply to comment #2) > Why is traceroute trying to name_bind on port 64000? How am I supposed to answer this? traceroute-1.0.4 does use a non-anonymous bind on its main udp socket. I don't know what purpose it serves.
Now you know my pain. :^) Ok, I looked at the code and it wants to bind to ports starting at 64000. So I am updating rawhide with this fix and it will be in FC5 next week. fixed in selinux-policy-2.2.38-2
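The two AVC records in the report, and the "update the policy to allow the bind" resolution above, are the usual audit2allow workflow: read each denial's source type, target type, object class and permission, then emit a matching allow rule. The following is an added example, not code from this bug or from the selinux-policy package, that parses those exact records (embedded as constructed sample input) into a minimal .te module and flags the one thing a policy writer should look at twice here: a name_bind against the generic port_t type covers every unlabeled port, not just 64000. The module name localtraceroute and the <domain>_port_t type name in the warning text are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two AVC records quoted in the bug report above,
# one record per line, exactly as they appear there.
SAMPLE_AVC = (
    'audit(1144286449.407:2): avc: denied { use } for pid=1582 comm="traceroute" '
    'name="console" dev=tmpfs ino=649 scontext=system_u:system_r:traceroute_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=fd\n'
    'audit(1144286449.411:3): avc: denied { name_bind } for pid=1582 comm="traceroute" '
    'src=64000 scontext=system_u:system_r:traceroute_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple      # denied permissions, e.g. ("name_bind",)
    tclass: str       # object class, e.g. "udp_socket"
    scontext: str     # full source context user:role:type:level
    tcontext: str     # full target context
    fields: dict = field(default_factory=dict, compare=False)  # every key=value on the record

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # the type component of the context

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def allow_rule(self) -> str:
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"


def parse_avc_line(line: str):
    """Return an AvcDenial for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcDenial(tuple(m.group("perms").split()), fields["tclass"],
                     fields["scontext"], fields["tcontext"], fields)


def parse_avc_log(text: str):
    return [d for d in map(parse_avc_line, text.splitlines()) if d is not None]


def denials_to_te(denials, module="localtraceroute", version="1.0") -> str:
    """Merge denials into a minimal .te module with a require block, as audit2allow -M does.
    The module name is a hypothetical placeholder."""
    merged = {}   # (source type, target type, class) -> set of permissions
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    types = sorted({k[0] for k in merged} | {k[1] for k in merged})
    classes = {}  # class -> set of permissions, for the require block
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
    return "\n".join(out) + "\n"


def broad_bind_warnings(denials):
    """Flag name_bind denials whose target is the generic port_t type: allowing that lets the
    domain bind any port without a more specific label, not only the port it asked for."""
    warnings = []
    for d in denials:
        if "name_bind" in d.perms and d.target_type == "port_t":
            port = d.fields.get("src", "?")
            warnings.append(
                f"{d.source_type} wants to bind {d.tclass} port {port}: prefer a dedicated port "
                f"type over port_t, e.g. 'semanage port -a -t <domain>_port_t -p udp {port}' "
                f"(type name is hypothetical), and allow name_bind on that type instead")
    return warnings


if __name__ == "__main__":
    ds = parse_avc_log(SAMPLE_AVC)
    print(denials_to_te(ds))
    for w in broad_bind_warnings(ds):
        print("WARNING:", w)
```

Run it and the generated module has two rules, allow traceroute_t init_t:fd { use }; and allow traceroute_t port_t:udp_socket { name_bind };, plus a warning on the second. Whether the real policy fix took the broad form or labelled the 64000 range with its own port type is not something this thread states; the warning only shows which question to ask before loading a module produced this way.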
Closing bugs