Bug 470849 - SELinux is preventing the dnsmasq (dnsmasq_t) from binding to random ports
Summary: SELinux is preventing the dnsmasq (dnsmasq_t) from binding to random ports
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Veillard
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F10Blocker, F10FinalBlocker
 
Reported: 2008-11-10 16:29 UTC by Matěj Cepl
Modified: 2018-04-11 08:34 UTC
CC: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-10 20:24:51 UTC
Type: ---
Embargoed:



Description Matěj Cepl 2008-11-10 16:29:54 UTC
This is one example; these are random ports that dnsmasq is trying to attach to when running RHEL4 in the KVM virtual machine (host is Rawhide).

Description of problem:
SELinux is preventing the dnsmasq (dnsmasq_t) from binding to port 16223.

Detailed description:

SELinux has denied the dnsmasq from binding to a network port 16223 which does
not have an SELinux type associated with it. If dnsmasq is supposed to be
allowed to listen on this port, you can use the semanage command to add this
port to a port type that dnsmasq_t can bind to. semanage port -l will list all
port types. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If dnsmasq is not supposed to bind to this port, this could signal an
intrusion attempt. If this system is running as an NIS client, turning on the
allow_ypbind boolean may fix the problem: setsebool -P allow_ypbind=1.

Allowing access:

If you want to allow dnsmasq to bind to this port semanage port -a -t PORT_TYPE
-p PROTOCOL 16223 Where PORT_TYPE is a type that dnsmasq_t can bind and PROTOCOL
is udp or tcp.

Additional information:

Source Context                system_u:system_r:dnsmasq_t
Target Context                system_u:object_r:port_t
Target Objects                None [ udp_socket ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          16223
Host                          hubmaier.ceplovi.cz
Source RPM Packages           dnsmasq-2.45-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     hubmaier.ceplovi.cz
Platform                      Linux hubmaier.ceplovi.cz 2.6.27.4-79.fc10.x86_64
                              #1 SMP Tue Nov 4 21:23:33 EST 2008 x86_64 x86_64
Alert Count                   37
First Seen                    Mon 10 November 2008, 15:35:44 CET
Last Seen                     Mon 10 November 2008, 17:09:53 CET
Local ID                      582988a1-946c-4ccd-bbf6-78a899cda8dc
Line Numbers                  

Raw Audit Messages            

node=hubmaier.ceplovi.cz type=AVC msg=audit(1226333393.929:245): avc:  denied  { name_bind } for  pid=2554 comm="dnsmasq" src=16223 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1226333393.929:245): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7fff064cd8e0 a2=10 a3=1999999999999999 items=0 ppid=2513 pid=2554 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
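
Working from the two audit records above, the following added example (not part of this report, nor code from the libvirt or selinux-policy packages) parses an AVC/SYSCALL pair the way a triage script would: it joins the records on the audit serial, pulls out the source domain, the target port type, the port and protocol, decodes the syscall and errno, and emits the `semanage port` command that sealert suggests. The syscall table is an assumption limited to what this record needs (arch c000003e is x86_64, where syscall 49 is bind); the sample input is the report's own two audit lines, embedded as a constructed string.

```python
import errno
import re

# Constructed sample input: the two audit records quoted in this bug report.
SAMPLE_AUDIT = """\
node=hubmaier.ceplovi.cz type=AVC msg=audit(1226333393.929:245): avc:  denied  { name_bind } for  pid=2554 comm="dnsmasq" src=16223 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1226333393.929:245): arch=c000003e syscall=49 success=no exit=-13 a0=b a1=7fff064cd8e0 a2=10 a3=1999999999999999 items=0 ppid=2513 pid=2554 auid=4294967295 uid=99 gid=40 euid=99 suid=99 fsuid=99 egid=40 sgid=40 fsgid=40 tty=(none) ses=4294967295 comm="dnsmasq" exe="/usr/sbin/dnsmasq" subj=system_u:system_r:dnsmasq_t:s0 key=(null)
"""

# key=value tokens: quoted strings, parenthesised values such as (none), or bare words
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AUDIT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

# Assumption: only the syscall this record needs. arch c000003e is
# AUDIT_ARCH_X86_64, on which syscall 49 is bind(2).
SYSCALL_NAMES = {("c000003e", "49"): "bind"}


def parse_record(line):
    """Split one audit line into its key=value fields, plus time/serial/perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AUDIT_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rec["time"], rec["serial"] = m.group(1), m.group(2)
    if rec.get("type") == "AVC":
        pm = PERMS_RE.search(line)
        rec["perms"] = pm.group(1).split() if pm else []
    return rec


def group_events(text):
    """Group records by audit serial so each AVC meets its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events


def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def triage(event):
    """Summarise one name_bind denial and derive sealert's semanage command."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    proto = avc["tclass"].replace("_socket", "")     # udp_socket -> udp
    port = int(avc["src"])
    exit_code = int(sc["exit"]) if "exit" in sc else 0
    return {
        "domain": se_type(avc["scontext"]),            # dnsmasq_t
        "port_type": se_type(avc["tcontext"]),         # port_t: no specific label
        "unlabeled_port": se_type(avc["tcontext"]) == "port_t",
        "perms": avc["perms"],
        "port": port,
        "proto": proto,
        "privileged_port": port < 1024,
        "syscall": SYSCALL_NAMES.get((sc.get("arch"), sc.get("syscall")),
                                     sc.get("syscall")),
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "exe": sc.get("exe"),
        # PORT_TYPE is deliberately left as sealert's placeholder: the audit
        # log cannot tell which port types the domain is allowed to bind.
        "fix": "semanage port -a -t PORT_TYPE -p %s %d" % (proto, port),
    }


if __name__ == "__main__":
    for serial, event in group_events(SAMPLE_AUDIT).items():
        print("audit serial %s:" % serial)
        for key, value in triage(event).items():
            print("  %-16s %s" % (key, value))
```

PORT_TYPE stays a placeholder on purpose: which port types dnsmasq_t may name_bind is a policy question that `semanage port -l` and a policy query tool answer, not something the audit log records. The target type port_t confirms the port simply carried no specific label, which matches the "does not have an SELinux type associated with it" wording above; a denial against a specifically labeled port type would point at a different problem than the one this bug describes.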

Comment 1 John Poelstra 2008-11-10 18:33:11 UTC
Not sure if this should be a blocker, but starting there.

Comment 2 Daniel Walsh 2008-11-10 18:58:23 UTC
This is fixed in selinux-policy-3.5.13-18.fc10  which I have already requested be put in the final release.

Comment 3 Tom "spot" Callaway 2008-11-10 20:24:51 UTC
selinux-policy-3.5.13-18.fc10 is tagged for f10-final.
