Bug 369371 - SELinux blocking xinetd 590X and 2000
Summary: SELinux blocking xinetd 590X and 2000
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: K12LTSP
Reported: 2007-11-07 04:38 UTC by Warren Togami
Modified: 2008-01-30 19:18 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:18:38 UTC
Type: ---
Embargoed:



Description Warren Togami 2007-11-07 04:38:15 UTC
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1194409964.031:84): arch=c000003e syscall=49 success=no
exit=-13 a0=6 a1=7fff0ff84d50 a2=1c a3=7fff0ff84d4c items=0 ppid=1 pid=10771
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0 key=(null)
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

vnc-ltsp-config-4.0-3
This package specifies a few ports to be served by xinetd to allow VNC-based
XDMCP logins.  SELinux is blocking this.

type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
nbd-server being served by xinetd is also blocked.  nbd-server is on TCP port 2000.

Why is SELinux blocking these ports?
What should we do?

Comment 1 Daniel Walsh 2007-11-07 15:33:48 UTC
You can add the ports to xinetd by executing

# semanage port -a -t inetd_child_port_t -P tcp 5902
# semanage port -a -t inetd_child_port_t -P tcp 5903

You can add the other rule by executing 

# grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
# semodule -i myxinetd.pp
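Turning the AVC records quoted in the description into the semanage steps from this comment, as an added example (not part of the bug report or of selinux-policy): the parser pulls port, protocol and the port's current type out of each name_bind denial, adds ports that still carry the generic port_t label to inetd_child_port_t, and flags port 2000, which is already labelled mail_port_t, for a separate decision. The audit text is a constructed excerpt with each record joined onto one line.

```python
import re

# The three name_bind denials from the report, one record per line (constructed excerpt).
AVC_LOG = """\
type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# Fields that decide the fix: binding process, port, source domain,
# the port's current SELinux type, and the protocol taken from tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ name_bind \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?src=(?P<port>\d+).*?scontext=\w+:\w+:(?P<sdom>\w+):'
    r'.*?tcontext=\w+:\w+:(?P<ptype>\w+):.*?tclass=(?P<proto>tcp|udp)_socket'
)


def parse_name_bind_denials(log):
    """Return one dict per name_bind AVC denial found in the audit text."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            denials.append(d)
    return denials


def suggest_port_labels(denials, target_type="inetd_child_port_t"):
    """Map each denial to a semanage step.

    A port still labelled port_t is simply added to target_type.  A port that
    already has a specific type (mail_port_t for 2000 here) is only flagged:
    'semanage port -m' would take the label away from its current owner, so
    relabelling versus an audit2allow module needs a human decision.
    """
    actions = []
    for d in denials:
        if d["ptype"] == "port_t":
            actions.append(
                f"semanage port -a -t {target_type} -P {d['proto']} {d['port']}")
        else:
            actions.append(
                f"# REVIEW {d['comm']}: {d['port']}/{d['proto']} is already "
                f"labelled {d['ptype']}; relabel (-m) or allow via audit2allow")
    return actions
```

Running `suggest_port_labels(parse_name_bind_denials(AVC_LOG))` yields the two `semanage port -a` lines from this comment for 5902 and 5903 and a review marker for 2000.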



Comment 2 Daniel Walsh 2007-11-07 15:35:40 UTC
I will also put back the unconfined_domain for inetd in Fedora 8.

Comment 3 Warren Togami 2007-11-07 19:35:28 UTC
> # semanage port -a -t inetd_child_port_t -P tcp 5902
> # semanage port -a -t inetd_child_port_t -P tcp 5903

> # grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
> # semodule -i myxinetd.pp

I need both of these?

> I will also put back the unconfined_domain for inetd in Fedora 8.

What will the effect of this be?

> semanage port -a -t inetd_child_port_t -P tcp 5902

Is it proper to insert this (and matching removal) into the %post and %preun of
ltsp-vnc-config?

Comment 4 Daniel Walsh 2007-11-07 22:11:19 UTC
No, I would just wait for the updated policy


Fixed in selinux-policy-targeted-3.0.8-47.fc8.noarch.rpm

Comment 5 Daniel Walsh 2007-11-07 22:24:17 UTC
Should be 48 not 47

Comment 6 Daniel Walsh 2008-01-30 19:18:38 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

