Bug 379631 - xinetd : SElinux alert
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: xinetd
Version: 8
Hardware/OS: i686 Linux
Priority: low
Severity: low
Assigned To: Jan Safranek
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-13 05:12 EST by J.Jansen
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-11-15 09:02:07 EST
Doc Type: Bug Fix


Attachments:
/etc/xinetd.conf (1001 bytes, application/octet-stream), 2007-11-15 08:13 EST, J.Jansen
/etc/xinetd.d/* (2.24 KB, application/x-bzip), 2007-11-15 08:13 EST, J.Jansen

Description J.Jansen 2007-11-13 05:12:59 EST
Description of problem:
When starting xinetd I got the following alert from SElinux:

SELinux denied access requested by xinetd. It is not expected that this access
is required by xinetd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Source Context: system_u:system_r:inetd_t:s0
Target Context: system_u:object_r:hi_reserved_port_t:s0
Target Objects: None [ tcp_socket ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-47.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: tarantella
Platform: Linux tarantella 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count: 1
First Seen: Tue 13 Nov 2007 11:05:16 AM CET
Last Seen: Tue 13 Nov 2007 11:05:16 AM CET
Local ID: 4780cd3c-ab9a-4803-9d52-eee95a5ee613
Line Numbers:
Raw Audit Messages:
avc: denied { name_bind } for comm=xinetd pid=4869 scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket tcontext=system_u:object_r:hi_reserved_port_t:s0

Version-Release number of selected component (if applicable):
xinetd-2.3.14-14.fc8

How reproducible:
I just installed F8, installed all the updates and then installed xinetd.
So I have no idea.

Comment 1 Jan Safranek 2007-11-15 06:13:58 EST
I am not able to reproduce the bug - I have a fresh installation of F8, updated
and installed xinetd, but no SELinux alerts.

Could you please provide content of your /etc/xinetd.conf and /etc/xinetd.d/* ?

Thanks in advance
Comment 2 J.Jansen 2007-11-15 08:13:01 EST
Created attachment 259761 [details]
/etc/xinetd.conf
Comment 3 J.Jansen 2007-11-15 08:13:52 EST
Created attachment 259771 [details]
/etc/xinetd.d/*
Comment 4 J.Jansen 2007-11-15 08:16:51 EST
Created attachments for the requested files.

Note : I got the alert when the installation procedure of vmware stopped/started
xinetd. If I leave SELinux on I do not get a working version of vmware, probably
due to this SElinux alert against xinetd.
Comment 5 Jan Safranek 2007-11-15 09:01:54 EST
Vmware adds its own service to /etc/xinetd.d/, which causes xinetd to listen on
port 904. SElinux does not know about that and does not let xinetd listen on that
port. This is how SElinux works - it allows applications to do only what's
*explicitly* allowed.

You can:
a) create your own custom rule, allowing xinetd to listen on port 904 (man
audit2allow)
b) disable SElinux
c) remove vmware :)
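The denial pasted in the description can be turned into the narrowest possible fix without touching policy rules. The following script is an added example, not part of the bug report or of Fedora's own tooling: it parses an AVC `name_bind` denial (the constructed sample is the raw audit line from the report), extracts the port, protocol and source domain, and prints the `semanage port` command that relabels just that port to a type the domain may already bind. The port type `inetd_child_port_t` for `inetd_t` is an assumption about the reference policy; the `audit2allow` route from option (a) is left for the reader because it generates a rule for the whole `hi_reserved_port_t` class rather than one port.

```shell
#!/bin/sh
# Added example, not from the bug report: derive a least-privilege fix for an
# SELinux name_bind denial instead of a blanket audit2allow rule.
# Assumption: inetd_child_port_t is a port type that inetd_t is already allowed
# to bind; adjust the table in port_fix() for other source domains.

# Constructed sample: the raw audit message from the report, joined onto one line.
SAMPLE_AVC='avc: denied { name_bind } for comm=xinetd pid=4869 scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket tcontext=system_u:object_r:hi_reserved_port_t:s0'

# avc_field LINE KEY -> value of the first KEY=value token (empty if absent)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_perm LINE -> the permission inside the braces, e.g. name_bind
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# type_of CONTEXT -> the type field of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# port_fix LINE -> prints the semanage command that labels the denied port with a
# type the source domain may bind; fails for denials it does not understand.
port_fix() {
    line=$1
    [ "$(avc_perm "$line")" = name_bind ] || { echo "not a name_bind denial"; return 1; }
    port=$(avc_field "$line" src)
    proto=$(avc_field "$line" tclass | sed 's/_socket$//')   # tcp_socket -> tcp
    sdom=$(type_of "$(avc_field "$line" scontext)")
    case $sdom in
        inetd_t) newtype=inetd_child_port_t ;;   # assumption, see header comment
        *) echo "no known port type for $sdom; fall back to audit2allow"; return 1 ;;
    esac
    echo "semanage port -a -t $newtype -p $proto $port"
}

# Dry run by default: print the command. Set APPLY=1 on a box that has semanage
# to run it, then restart xinetd and check ausearch -m avc -c xinetd is quiet.
fix=$(port_fix "$SAMPLE_AVC") || exit 1
echo "$fix"
if [ "${APPLY:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    eval "$fix"
fi
```

Relabelling the port keeps xinetd confined to `inetd_t`; option (b), disabling SELinux, and a catch-all rule from `audit2allow` both widen what a compromised xinetd could do, so the port label is the change to try first.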

