Bug 445091 - (staff_u) SELinux is preventing the users from running TCP servers in the usedomain.
(staff_u) SELinux is preventing the users from running TCP servers in the use...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-03 10:34 EDT by Matěj Cepl
Modified: 2008-05-06 17:08 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 17:08:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-05-03 10:34:40 EDT
Description of problem:

Souhrn:

SELinux is preventing the users from running TCP servers in the usedomain.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux has denied the rhythmbox program from binding to a network port 3689
which does not have an SELinux type associated with it. rhythmbox does not have
an SELinux policy defined for it when run by the user, so it runs in the users
domain. SELinux is currently setup to deny TCP server to run within the user
domain. If you did not expect programs like rhythmbox to bind to a network port,
then this could signal a intrusion attempt. If this system is running as an NIS
Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P
allow_ypbind=1.

Povolení přístupu:

If you want to allow user programs to run as TCP Servers, you can turn on the
user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1

Fix Command:

setsebool -P user_tcp_server=1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:port_t
Objekty cíle                 None [ tcp_socket ]
Zdroj                         rhythmbox
Cesta zdroje                  /usr/bin/rhythmbox
Port                          3689
Počítač                    viklef
RPM balíčky zdroje          rhythmbox-0.11.5-9.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-42.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     user_tcp_server
Název počítače            viklef
Platforma                     Linux viklef 2.6.25-14.fc9.i686 #1 SMP Thu May 1
                              06:28:41 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               So 3. květen 2008, 16:28:55 CEST
Naposledy viděno             So 3. květen 2008, 16:28:55 CEST
Místní ID                   9112c82b-b475-4688-a629-e1620a5bd050
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1209824935.141:337): avc:  denied  { name_bind }
for  pid=9693 comm="rhythmbox" src=3689
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

host=viklef type=SYSCALL msg=audit(1209824935.141:337): arch=40000003
syscall=102 success=yes exit=0 a0=2 a1=bfdc4c60 a2=7c7f244 a3=8a792e0 items=0
ppid=9457 pid=9693 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) ses=16 comm="rhythmbox" exe="/usr/bin/rhythmbox"
subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Additional info:
This is while running as staff_u, so I will rather file it against SELinux
policy, as it is being more likely broken than Rhythmbox.
Comment 1 Matěj Cepl 2008-05-03 10:50:29 EDT
Note also, that sealert suffers a little schizofrenia:

If this system is running as an NIS Client, turning on the allow_ypbind boolean,
may fix the problem. setsebool -P allow_ypbind=1.

v. 

If you want to allow user programs to run as TCP Servers, you can turn on the
user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1
Comment 2 Daniel Walsh 2008-05-06 17:08:04 EDT
You are running a service as a confined user, so you need to set the boolean.

setroubleshoot tells you what to do.

setsebool -P user_tcp_server=1


Note You need to log in before you can comment on or make changes to this bug.