Description of problem:
When starting xinetd I got the following alert from SELinux:

SELinux denied access requested by xinetd. It is not expected that this access is required by xinetd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Source Context: system_u:system_r:inetd_t:s0
Target Context: system_u:object_r:hi_reserved_port_t:s0
Target Objects: None [ tcp_socket ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-47.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: tarantella
Platform: Linux tarantella 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count: 1
First Seen: Tue 13 Nov 2007 11:05:16 AM CET
Last Seen: Tue 13 Nov 2007 11:05:16 AM CET
Local ID: 4780cd3c-ab9a-4803-9d52-eee95a5ee613
Line Numbers:

Raw Audit Messages:
avc: denied { name_bind } for comm=xinetd pid=4869 scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket tcontext=system_u:object_r:hi_reserved_port_t:s0

Version-Release number of selected component (if applicable): xinetd-2.3.14-14.fc8

How reproducible: I just installed F8, installed all the updates and then installed xinetd, so I have no idea.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I am not able to reproduce the bug - I have a fresh installation of F8, updated and installed xinetd, but no SELinux alerts. Could you please provide the content of your /etc/xinetd.conf and /etc/xinetd.d/* ? Thanks in advance
Created attachment 259761 [details] /etc/xinetd.conf
Created attachment 259771 [details] /etc/xinetd.d/*
Created attachments for the requested files. Note: I got the alert when the installation procedure of vmware stopped/started xinetd. If I leave SELinux on I do not get a working version of vmware, probably due to this SELinux alert against xinetd.
Vmware adds its own service to /etc/xinetd.d/, which causes xinetd to listen on port 904. SELinux does not know about that and refuses to let xinetd listen on that port. This is how SELinux works - it allows applications to do only what's *explicitly* allowed. You can:
a) create your own custom rule, allowing xinetd to listen on port 904 (man audit2allow)
b) disable SELinux
c) remove vmware :)
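As an added illustration of option a), the following script (not part of this bug report or of the audit2allow tool) parses the raw AVC denial quoted in the report and renders the local policy module source that audit2allow -M would produce for it. The sample AVC line is copied from the report; the module name xinetd_vmware_local is an assumed placeholder.

```python
import re

# Constructed sample: the raw AVC message quoted in the bug report above.
SAMPLE_AVC = (
    "avc: denied { name_bind } for comm=xinetd pid=4869 "
    "scontext=system_u:system_r:inetd_t:s0 src=904 tclass=tcp_socket "
    "tcontext=system_u:object_r:hi_reserved_port_t:s0"
)

# Matches "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def context_type(ctx):
    """Extract the type component from a user:role:type[:range] context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial into source type, target type, class and permissions.

    Returns None for audit lines that are not AVC denials.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # For name_bind on a socket the src field carries the port number.
        "port": fields.get("src"),
    }


def _perm_text(perms):
    perms = list(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rule(avc):
    """Render the TE allow rule that would permit exactly this denial."""
    return "allow %s %s:%s %s;" % (
        avc["stype"], avc["ttype"], avc["tclass"], _perm_text(avc["perms"]))


def te_module(name, lines, version="1.0"):
    """Build .te source for a local module covering every AVC denial in lines."""
    avcs = [a for a in (parse_avc(l) for l in lines) if a is not None]
    types = sorted({a["stype"] for a in avcs} | {a["ttype"] for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a["tclass"], set()).update(a["perms"])
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    for cls in sorted(classes):
        out.append("\tclass %s %s;" % (cls, _perm_text(sorted(classes[cls]))))
    out += ["}", ""]
    out += sorted({allow_rule(a) for a in avcs})
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("%s (pid %s) was denied %s on port %s" % (
        avc["comm"], "4869", " ".join(avc["perms"]), avc["port"]))
    print(te_module("xinetd_vmware_local", [SAMPLE_AVC]))
```

Note what the generated rule actually grants: `allow inetd_t hi_reserved_port_t:tcp_socket name_bind;` lets xinetd bind to every port labelled hi_reserved_port_t, not just port 904, which is wider than the VMware service needs. Before loading such a module, check with `semanage port -l` which type port 904 carries and whether relabelling that single port to a type inetd_t may already bind would be the narrower fix.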