Description of problem:
Xfs (the X font server, not the filesystem) can't be used over TCP because the SELinux policy blocks it from connecting to port 7100.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-30.el5

How reproducible:
always

Steps to Reproduce:
1. Comment out the line "nolisten tcp" in /etc/X11/fs/config
2. service xfs restart

Actual results:
avc: denied { name_bind } for comm="xfs" egid=43 euid=43 exe="/usr/bin/xfs" exit=-13 fsgid=43 fsuid=43 gid=43 items=0 pid=22881 scontext=user_u:system_r:xfs_t:s0 sgid=43 src=7100 subj=user_u:system_r:xfs_t:s0 suid=43 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=43

Font server won't accept TCP connections.

Expected results:
NX client can connect to font server

Additional info:
Fixed in selinux-policy-targeted-2.4.6-91.el5
avc: denied { name_bind } for comm="xfs" egid=43 euid=43 exe="/usr/bin/xfs" exit=-13 fsgid=43 fsuid=43 gid=43 items=0 pid=4387 scontext=system_u:system_r:xfs_t:s0 sgid=43 src=7100 subj=system_u:system_r:xfs_t:s0 suid=43 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=43

This happens with 2.4.6-106.el5_1.3.

I don't really understand why this happens, because I can see a code change between 2.4.6-30 and 2.4.6-106.3 which imho should allow this. Maybe something is missing from the patch? I can test a proposed patch for this if somebody has a suggestion for a fix.
Command:

    /usr/sbin/semanage port -l | grep 7100

doesn't return anything, while it should list port 7100 as xfs_port_t.
    semodule -B

Are you sure the policy is loaded? Try to install the rpm again with a --force.
Problem was selinux-policy-targeted-2.4.6-76 which was previously on system. New base policy failed to load because there were incompatible changes between that old version and new.

Fix was:

    cd /usr/share/selinux/targeted
    semodule -n -b base.pp
    shutdown -r now
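
Added example, not part of the original report or of any project's code: a small Python parser for the AVC record quoted in this thread that separates the two cases the discussion turns on, a port still carrying the generic port_t label versus a port that is labelled but not allowed for the domain. The function names are hypothetical, and reading port_t as "no specific type in the loaded policy" is an assumption based on port_t being the generic port type.

```python
import re

# AVC record copied from the second report in this thread (pid=4387).
SAMPLE_AVC = (
    'avc: denied { name_bind } for comm="xfs" egid=43 euid=43 '
    'exe="/usr/bin/xfs" exit=-13 fsgid=43 fsuid=43 gid=43 items=0 pid=4387 '
    'scontext=system_u:system_r:xfs_t:s0 sgid=43 src=7100 '
    'subj=system_u:system_r:xfs_t:s0 suid=43 tclass=tcp_socket '
    'tcontext=system_u:object_r:port_t:s0 tty=(none) uid=43'
)

HEAD_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the record as a dict, or None if the line is not an AVC message."""
    head = HEAD_RE.search(line)
    if head is None:
        return None
    rec = {"result": head.group(1), "perms": head.group(2).split()}
    for key, value in FIELD_RE.findall(line[head.end():]):
        rec[key] = value.strip('"')
    return rec


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def diagnose_bind_denial(line):
    """Explain a name_bind denial; return None for any other line."""
    rec = parse_avc(line)
    if rec is None or rec["result"] != "denied" or "name_bind" not in rec["perms"]:
        return None
    port_type = selinux_type(rec.get("tcontext", ""))
    src = rec.get("src", "")
    if port_type == "port_t":
        # Generic label: the loaded policy has no specific type for this port.
        cause = "port unlabelled in loaded policy; check 'semanage port -l'"
    else:
        cause = "port is labelled; domain lacks name_bind on that type"
    return {"domain": selinux_type(rec.get("scontext", "")),
            "port": int(src) if src.isdigit() else None,
            "port_type": port_type, "cause": cause}
```
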