Bug 201204 - avc denied name_bind and name_connect for smbd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-08-03 11:47 EDT by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-08-03 16:25:41 EDT
Description Orion Poplawski 2006-08-03 11:47:24 EDT
Description of problem:

Seeing the following in the logs:

Aug  2 21:01:22 saga kernel: audit(1154574082.852:709): avc:  denied  {
name_bind } for  pid=22314 comm="smbd" src=631
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Aug  2 21:01:22 saga kernel: audit(1154574082.856:710): avc:  denied  {
name_bind } for  pid=22314 comm="smbd" src=636
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Aug  3 09:37:58 saga kernel: audit(1154619478.536:1002): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=679
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
Aug  3 09:37:58 saga kernel: audit(1154619478.536:1003): avc:  denied  {
name_connect } for  pid=3075 comm="smbd" dest=111
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
Aug  3 09:37:58 saga kernel: audit(1154619478.540:1004): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=680
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
Aug  3 09:37:58 saga kernel: audit(1154619478.540:1005): avc:  denied  {
name_connect } for  pid=3075 comm="smbd" dest=684
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
Aug  3 09:38:00 saga kernel: audit(1154619480.192:1006): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=750
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:kerberos_port_t:s0 tclass=udp_socket
Aug  3 09:38:00 saga kernel: audit(1154619480.888:1007): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=847
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0
tclass=udp_socket
Aug  3 09:38:01 saga kernel: audit(1154619481.068:1009): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=873
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0
tclass=udp_socket
Aug  3 09:38:01 saga kernel: audit(1154619481.320:1010): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=891
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=udp_socket
Aug  3 09:38:03 saga kernel: audit(1154619483.840:1011): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=631
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ipp_port_t:s0
tclass=udp_socket
Aug  3 09:38:03 saga kernel: audit(1154619483.940:1012): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=636
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=udp_socket
Aug  3 09:38:07 saga kernel: audit(1154619487.175:1013): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=873
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:rsync_port_t:s0
tclass=udp_socket


Not sure if this affects smbd at all, though the ones around the name_connect
seem to have to do with NIS access.  I also see:

Aug  3 09:38:00 saga kernel: audit(1154619480.888:1008): avc:  denied  { read }
for  pid=3075 comm="smbd" name="yp.colorado-research.com.2" dev=dm-2 ino=15955
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_yp_t:s0
tclass=file

which seems NIS related as well.  I'm running in permissive mode at the moment.

Version-Release number of selected component (if applicable):
selinux-policy-2.3.3-8.fc5
Comment 1 Daniel Walsh 2006-08-03 16:25:41 EDT
Do you have the allow_ypbind boolean turned on?

setsebool -P allow_ypbind=1

Comment 2 Orion Poplawski 2006-08-04 12:43:56 EDT
That did it.  My apologies.
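
Added example, not part of the original report or of selinux-policy: a small triage script that rejoins hard-wrapped AVC records like the ones in the description, groups the denials by source type, class and permission, and flags the NIS-looking pattern discussed above. The function names and the heuristic (a portmapper connect or a read of a var_yp_t file) are assumptions drawn from this report only.

```python
import re
from collections import defaultdict
# Constructed sample: two records from the report, hard-wrapped as shown there.
SAMPLE = '''\
Aug  3 09:37:58 saga kernel: audit(1154619478.536:1002): avc:  denied  {
name_bind } for  pid=3075 comm="smbd" src=679
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket
Aug  3 09:37:58 saga kernel: audit(1154619478.536:1003): avc:  denied  {
name_connect } for  pid=3075 comm="smbd" dest=111
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
'''
RECORD_START = re.compile(r'^\w{3}\s+\d+\s[\d:]{8}\s')   # syslog timestamp
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records

def parse_avc(record):
    m = AVC.search(record)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    rec['perms'] = m.group(1).split()
    # SELinux context layout is user:role:type:level; keep only the type
    rec['stype'], rec['ttype'] = (rec[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return rec

def summarize(text):
    """Map (source type, class, permission) -> set of target types."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, unwrap(text))):
        for perm in rec['perms']:
            groups[(rec['stype'], rec['tclass'], perm)].add(rec['ttype'])
    return groups

def nis_pattern(groups, domain):
    """Heuristic assumed from this report: portmapper connect or var_yp_t read."""
    return ('portmap_port_t' in groups.get((domain, 'tcp_socket', 'name_connect'), ())
            or 'var_yp_t' in groups.get((domain, 'file', 'read'), ()))
```

When `nis_pattern(summarize(log_text), 'smbd_t')` is true, the allow_ypbind boolean from Comment 1 is the first thing to check.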
