Bug 379631 - xinetd : SElinux alert
Summary: xinetd : SElinux alert
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: xinetd
Version: 8
Hardware: i686
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jan Safranek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-11-13 10:12 UTC by J.Jansen
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-15 14:02:07 UTC
Type: ---
Embargoed:


Attachments
/etc/xinetd.conf (1001 bytes, application/octet-stream), 2007-11-15 13:13 UTC, J.Jansen
/etc/xinetd.d/* (2.24 KB, application/x-bzip), 2007-11-15 13:13 UTC, J.Jansen

Description J.Jansen 2007-11-13 10:12:59 UTC
Description of problem:
When starting xinetd I got the following alert from SElinux:

SELinux denied access requested by xinetd. It is not expected that this access
is required by xinetd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Source Context:  system_u:system_r:inetd_t:s0
Target Context:  system_u:object_r:hi_reserved_port_t:s0
Target Objects:  None [ tcp_socket ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-47.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  tarantella
Platform:  Linux tarantella 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count:  1
First Seen:  Tue 13 Nov 2007 11:05:16 AM CET
Last Seen:  Tue 13 Nov 2007 11:05:16 AM CET
Local ID:  4780cd3c-ab9a-4803-9d52-eee95a5ee613
Line Numbers:
Raw Audit Messages:
avc: denied { name_bind } for comm=xinetd pid=4869
scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket
tcontext=system_u:object_r:hi_reserved_port_t:s0

Version-Release number of selected component (if applicable):
xinetd-2.3.14-14.fc8

How reproducible:
I just installed F8, installed all the updates and then installed xinetd,
so I have no idea.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Jan Safranek 2007-11-15 11:13:58 UTC
I am not able to reproduce the bug - I have a fresh installation of F8, updated
and installed xinetd, but no SELinux alerts.

Could you please provide content of your /etc/xinetd.conf and /etc/xinetd.d/* ?

Thanks in advance

Comment 2 J.Jansen 2007-11-15 13:13:01 UTC
Created attachment 259761 [details]
/etc/xinetd.conf

Comment 3 J.Jansen 2007-11-15 13:13:52 UTC
Created attachment 259771 [details]
/etc/xinetd.d/*

Comment 4 J.Jansen 2007-11-15 13:16:51 UTC
Created attachments for the requested files.

Note : I got the alert when the installation procedure of vmware stopped/started
xinetd. If I leave SELinux on I do not get a working version of vmware, probably
due to this SElinux alert against xinetd.

Comment 5 Jan Safranek 2007-11-15 14:01:54 UTC
Vmware adds its own service to /etc/xinetd.d/, which causes xinetd to listen on
port 904. SElinux does not know about that and refuses to let xinetd listen on that
port. This is how SElinux works - it allows applications to do only what's
*explicitly* allowed.

You can:
a) create your own custom rule, allowing xinetd to listen on port 904 (man
audit2allow)
b) disable SElinux
c) remove vmware :)




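Option a) worked through, as an added example that is not part of the bug report or of the xinetd package: the script below takes the raw AVC message quoted in the description and turns it into the minimal Type Enforcement module that `audit2allow -M` would generate for it, then (only where the policy toolchain is installed) compiles and loads it with checkmodule, semodule_package and semodule. The module name `xinetd_vmware`, the function names and the build helper are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the bug report: build a minimal SELinux
# policy module from one AVC denial, which is what "audit2allow -M" does,
# so the grant covers exactly the denied access and nothing else.

# Constructed sample: the raw audit message from the report, on one line.
AVC_LINE='avc: denied { name_bind } for comm=xinetd pid=4869 scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket tcontext=system_u:object_r:hi_reserved_port_t:s0'

# avc_field PATTERN LINE: print the first sed capture of PATTERN in LINE.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/$1/\\1/p"
}

# avc_to_te MODULE_NAME AVC_LINE: print a Type Enforcement (.te) source
# module that allows the denied permission(s) between the two types.
# Returns 1 when the line does not parse as an AVC denial, so nothing
# is emitted for garbage input.
avc_to_te() {
    name=$1
    line=$2
    perms=$(avc_field '.*denied { \([^}]*\) }.*' "$line")
    stype=$(avc_field '.*scontext=[^:]*:[^:]*:\([^:]*\):.*' "$line")
    ttype=$(avc_field '.*tcontext=[^:]*:[^:]*:\([^:]*\):.*' "$line")
    tclass=$(avc_field '.*tclass=\([^ ]*\).*' "$line")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
    # Strip surrounding spaces so "{ read write }" style lists stay clean.
    perms=$(printf '%s' "$perms" | sed 's/^ *//;s/ *$//')
    printf 'module %s 1.0;\n\n' "$name"
    printf 'require {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$stype" "$ttype" "$tclass" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# build_module MODULE_NAME AVC_LINE: write NAME.te and, when the policy
# toolchain is present, compile it and load it (semodule -i needs root).
# On a host without checkmodule the compile step is skipped, not faked.
build_module() {
    avc_to_te "$1" "$2" > "$1.te" || { rm -f "$1.te"; return 1; }
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "wrote $1.te; build it on the target host with checkmodule/semodule_package/semodule" >&2
        return 0
    fi
    checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
}

# Stand-alone run: show the module that would be loaded for the report's denial.
avc_to_te xinetd_vmware "$AVC_LINE"
```

Two caveats before loading such a module. First, hi_reserved_port_t is the label for every reserved port (512 to 1023) that the policy gives no more specific type, so the generated `allow inetd_t hi_reserved_port_t:tcp_socket { name_bind };` lets xinetd bind any of those ports, not only 904. A narrower fix is to relabel just the port with `semanage port -a -t <type> -p tcp 904`, where `<type>` is a port type inetd_t may already bind to (check with `sesearch -A -s inetd_t -c tcp_socket -p name_bind`; inetd_child_port_t is the usual candidate but that is an assumption to verify against the installed policy). Second, re-run the VMware service after loading and confirm the alert count stays at 1; a second, different denial means the first rule was only the first of several, and each should be reviewed rather than blindly allowed.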