I see this AVC from the named process on Fedora Rawhide.

rpm -q selinux-policy bind
selinux-policy-3.6.8-3.fc11.noarch
bind-9.6.0-11.P1.fc11.x86_64

node=vespa.frost.loc type=AVC msg=audit(1238742533.24:177): avc: denied { name_bind } for pid=2167 comm="named" src=4321 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket
node=vespa.frost.loc type=SYSCALL msg=audit(1238742533.24:177): arch=c000003e syscall=49 success=no exit=-13 a0=202 a1=7f05eecea5b0 a2=10 a3=7f05eecea3b4 items=0 ppid=1 pid=2167 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

Bind should be allowed to listen on any udp socket >= 1024.
Reassigning to proper component. As written in original comment named should be allowed to bind(2) any unprivileged port.
The policy does exist to allow named to bind to all ports > 1024 except for those labels that include ports < 1024. So whois_port_t is labeled as a port which is less than 1024 because some of it includes port 43. Adam, if bind fails to bind to this port will it try again?
(In reply to comment #2)
> The policy does exist to allow named to bind to all ports > 1024 except for
> those labels that include ports < 1024. So whois_port_t will is labeled as a
> port which is less then 1024 because some of it includes port 43. Adam if bind
> fails to bind to this port will it try again?

Yes. If it fails to bind(2) the port it tries again (1024 times and after that it asks the kernel for a random port).
So it tries port 4321 before moving on? I can add a dontaudit to remove the AVC, if it will eventually work. There are probably fewer than 50 ports which can cause this problem.
If you don't audit that message everything will work fine. I don't know SELinux internals well but such a change looks like a hack to me, not a patch ;)
Yes, this is closer to a hack than a patch. The problem is we have labeled ports 43 and 4321 as whois_port_t, which is what the kernel/SELinux sees, but the code that compiles the policy adds attributes to all port types, including ports < 1024 as reserved_ports_type. All ports have the attribute port_type. The interface to allow a domain to bind to all unreserved ports has code that looks like

allow named_t { port_type -reserved_ports_type }:udp_socket name_bind;

So in this case we do not allow named_t to bind to any ports that are labeled as a reserved_port_type, including rwhois.

Fixed in selinux-policy-3.6.10-10
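An added example, not from the bug report or the selinux-policy project, that walks through the reasoning in the last comment in Python: it parses the AVC line from the report and checks, against a port-label table, whether the target port type also covers a port below 1024 and therefore carries the reserved-ports attribute that the unreserved-ports interface subtracts. The PORT_LABELS table, the dns_port_t and unreserved_port_t entries, and all function names are assumptions made for the example.

```python
import re

# Constructed sample input: the AVC line from the report at the top of this thread.
AVC_LINE = ('type=AVC msg=audit(1238742533.24:177): avc: denied { name_bind } for pid=2167 '
            'comm="named" src=4321 scontext=system_u:system_r:named_t:s0 '
            'tcontext=system_u:object_r:whois_port_t:s0 tclass=udp_socket')

# Constructed port-label table (assumption): port type -> (low, high) ranges, the shape
# `semanage port -l` reports. whois_port_t covering 43 and 4321 is what the last comment
# states; the other entries are illustrative only.
PORT_LABELS = {
    "whois_port_t": [(43, 43), (4321, 4321)],
    "dns_port_t": [(53, 53)],
    "unreserved_port_t": [(1024, 65535)],
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?\bsrc=(?P<port>\d+).*?'
    r'\bscontext=\w+:\w+:(?P<sdom>\w+):\w+.*?\btcontext=\w+:\w+:(?P<ttype>\w+):\w+.*?'
    r'\btclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Extract permission, port, source domain, target port type and object class."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields

def has_reserved_attribute(port_type, labels=PORT_LABELS):
    """Policy-build rule from the last comment: a port type covering any port below
    1024 carries the reserved-ports attribute as a whole, high ports included."""
    return any(low < 1024 for low, _high in labels.get(port_type, []))

def explain_denial(line, labels=PORT_LABELS):
    """Tell whether a name_bind denial comes from the { port_type -reserved } subtraction."""
    avc = parse_avc(line)
    if avc is None or avc["perm"] != "name_bind":
        return None
    reserved = has_reserved_attribute(avc["ttype"], labels)
    return {"domain": avc["sdom"], "port": avc["port"], "port_type": avc["ttype"],
            "type_has_reserved_attribute": reserved,
            "blocked_by_attribute": avc["port"] >= 1024 and reserved}

def affected_unprivileged_ports(labels=PORT_LABELS):
    """All ports >= 1024 the subtraction silently excludes (the '< 50 ports' in comment 5)."""
    ports = set()
    for port_type, ranges in labels.items():
        if has_reserved_attribute(port_type, labels):
            for low, high in ranges:
                ports.update(range(max(low, 1024), high + 1))
    return sorted(ports)
```

With the real table from `semanage port -l` in place of PORT_LABELS, affected_unprivileged_ports() lists exactly the high ports a domain granted only unreserved ports will be denied on.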