Bug 369371 - SELinux blocking xinetd 590X and 2000
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: K12LTSP
Reported: 2007-11-06 23:38 EST by Warren Togami
Modified: 2008-01-30 14:18 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:18:38 EST
Description Warren Togami 2007-11-06 23:38:15 EST
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1194409964.031:84): arch=c000003e syscall=49 success=no
exit=-13 a0=6 a1=7fff0ff84d50 a2=1c a3=7fff0ff84d4c items=0 ppid=1 pid=10771
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0 key=(null)
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

vnc-ltsp-config-4.0-3
This package specifies a few ports to be served by xinetd to allow VNC-based
XDMCP logins.  SELinux is blocking this.

type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
nbd-server being served by xinetd is also blocked.  nbd-server is on TCP port 2000.

Why is SELinux blocking these ports?
What should we do?
Comment 1 Daniel Walsh 2007-11-07 10:33:48 EST
You can add the ports to xinetd by executing

# semanage port -a -t inetd_child_port_t -P tcp 5902
# semanage port -a -t inetd_child_port_t -P tcp 5903

You can add the other rule by executing 

# grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
# semodule -i myxinetd.pp
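
The two remedies above differ because of the port's existing label: 5902 and 5903 carry the generic port_t, while 2000 is already mail_port_t. As an added example (not part of this bug report or of selinux-policy), the script below parses the AVC records from the description and picks the matching remedy for each; it assumes the records sit on single lines as audit.log stores them, and uses the inetd_child_port_t type named in comment 1.

```python
import re

# Constructed sample: the three AVC records quoted in this bug, each joined back
# onto one line as audit.log stores them (the report wrapped them for display).
SAMPLE_AVCS = """\
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?src=(?P<port>\d+).*?scontext=\w+:\w+:(?P<domain>\w+):\S+'
    r'.*?tcontext=\w+:\w+:(?P<port_type>\w+):\S+.*?tclass=(?P<tclass>\w+)')
SOCKET_PROTO = {"tcp_socket": "tcp", "udp_socket": "udp"}


def parse_name_bind_denials(log_text):
    """Return one record per name_bind AVC denial on a tcp or udp socket."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or "name_bind" not in m.group("perms").split():
            continue
        proto = SOCKET_PROTO.get(m.group("tclass"))
        if proto is None:  # e.g. a unix socket: no port to label
            continue
        denials.append({"comm": m.group("comm"), "domain": m.group("domain"),
                        "port": int(m.group("port")), "proto": proto,
                        "port_type": m.group("port_type")})
    return denials

def suggest_port_labeling(denials, wanted_type="inetd_child_port_t"):
    """Map each denial to the remedy comment 1 describes: port_t means the port is
    unreserved, so 'semanage port -a' can give it a bindable type; a port already
    owned by another service's type (mail_port_t) needs an explicit allow rule
    instead, since relabelling it would change policy for that service.
    """
    actions = []
    for d in denials:
        if d["port_type"] == "port_t":
            actions.append(
                f"semanage port -a -t {wanted_type} -P {d['proto']} {d['port']}")
        else:
            actions.append(
                f"# port {d['port']}/{d['proto']} is already labelled {d['port_type']}; "
                f"allow it in policy instead: grep {d['port_type']} "
                f"/var/log/audit/audit.log | audit2allow -M my{d['comm']}")
    return actions
```

Running it over the three sample records yields the two semanage commands from comment 1 plus a note that port 2000 needs the audit2allow route.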

Comment 2 Daniel Walsh 2007-11-07 10:35:40 EST
I will also put back the unconfined_domain for inetd in Fedora 8.
Comment 3 Warren Togami 2007-11-07 14:35:28 EST
> # semanage port -a -t inetd_child_port_t -P tcp 5902
> # semanage port -a -t inetd_child_port_t -P tcp 5903

> # grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
> # semodule -i myxinetd.pp

I need both of these?

> I will also put back the unconfined_domain for inetd in Fedora 8.

What will the effect of this be?

> semanage port -a -t inetd_child_port_t -P tcp 5902

Is it proper to insert this (and matching removal) into the %post and %preun of
ltsp-vnc-config?
Comment 4 Daniel Walsh 2007-11-07 17:11:19 EST
No, I would just wait for the updated policy.

Fixed in selinux-policy-targeted-3.0.8-47.fc8.noarch.rpm
Comment 5 Daniel Walsh 2007-11-07 17:24:17 EST
Should be 48, not 47.
Comment 6 Daniel Walsh 2008-01-30 14:18:38 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
