Bug 517527 - (staff_u) SELinux is preventing the users from running TCP servers in the usedomain.
Alias: None
Product: Fedora
Classification: Fedora
Component: pidgin
Version: 11
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2009-08-14 13:31 UTC by Matěj Cepl
Modified: 2018-04-11 07:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-26 14:39:05 UTC
Type: ---


Description Matěj Cepl 2009-08-14 13:31:30 UTC
(This is an F11 rebuild of the F12 package of pidgin.)
Port 5298 is a perfectly legitimate port to bind for Local-link XMPP Local LAN Messaging (http://xmpp.org/extensions/xep-0174.html).

bradford:~# grep 5298 /etc/services 
presence        5298/tcp                # XMPP Link-Local Messaging
presence        5298/udp                # XMPP Link-Local Messaging


SELinux is preventing the users from running TCP servers in the usedomain.

Podrobný popis:

SELinux has denied the pidgin program from binding to a network port 5298 which
does not have an SELinux type associated with it. pidgin does not have an
SELinux policy defined for it when run by the user, so it runs in the users
domain. SELinux is currently setup to deny TCP server to run within the user
domain. If you did not expect programs like pidgin to bind to a network port,
then this could signal a intrusion attempt. If this system is running as an NIS
Client, turning on the allow_ypbind boolean, may fix the problem. setsebool -P

Povolení přístupu:

If you want to allow user programs to run as TCP Servers, you can turn on the
user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1

Příkaz pro opravu:

setsebool -P user_tcp_server=1

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:port_t:s0
Objekty cíle                 None [ tcp_socket ]
Zdroj                         pidgin
Cesta zdroje                  /usr/bin/pidgin
Port                          5298
Počítač                    bradford
RPM balíčky zdroje          pidgin-2.6.0-0.11.20090812.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-72.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     user_tcp_server
Název počítače            bradford
Platforma                     Linux bradford #1 SMP
                              Wed Jul 29 16:02:42 EDT 2009 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Pá 14. srpen 2009, 15:14:15 CEST
Naposledy viděno             Pá 14. srpen 2009, 15:14:15 CEST
Místní ID                   6af5fbba-7a7f-4ed6-9e66-e7472dcf192f
Čísla řádků              

Původní zprávy auditu      

node=bradford type=AVC msg=audit(1250255655.360:64): avc:  denied  { name_bind } for  pid=3122 comm="pidgin" src=5298 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=bradford type=SYSCALL msg=audit(1250255655.360:64): arch=c000003e syscall=49 success=no exit=-13 a0=11 a1=7ffffa2ae750 a2=10 a3=20 items=0 ppid=3121 pid=3122 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pidgin" exe="/usr/bin/pidgin" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Warren Togami 2009-10-20 21:51:28 UTC
Why are you assigning this to me?  Please reassign to selinux-policy.

Is this still an issue now with latest rawhide?

Comment 2 Matěj Cepl 2009-10-23 16:55:14 UTC
Sorry, forgot to add Dan to CC list.

Comment 3 Daniel Walsh 2009-10-26 14:39:05 UTC
This is not a bug; it is a configuration issue.  If you want to run services in user space, you need to turn on the boolean.
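
Added example (not part of the original report, and not code from setroubleshoot or selinux-policy): a small Python parser for the AVC record quoted in the description, which checks whether a denial matches the case discussed here, a user-domain process denied name_bind on a TCP port that carries only the generic port_t label. The function names and the USER_DOMAINS set are assumptions made for illustration.

```python
import re

# Constructed sample input: the AVC record quoted in the bug description.
SAMPLE = ('node=bradford type=AVC msg=audit(1250255655.360:64): avc:  denied  '
          '{ name_bind } for  pid=3122 comm="pidgin" src=5298 '
          'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: which types count as "the user domain" depends on the loaded policy.
USER_DOMAINS = {"staff_t", "user_t"}


def split_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain colons."""
    user, role, type_, *rng = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rng[0] if rng else None}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not a usable AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext"} <= fields.keys():
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "port": int(fields["src"]) if fields.get("src", "").isdigit() else None,
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def is_user_tcp_server_denial(rec):
    """True for the case in this bug: user domain binding a TCP port labelled port_t."""
    return bool(rec and rec["result"] == "denied" and "name_bind" in rec["perms"]
                and rec["tclass"] == "tcp_socket" and rec["target"]["type"] == "port_t"
                and rec["source"]["type"] in USER_DOMAINS)


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["comm"], rec["port"], rec["source"]["type"], is_user_tcp_server_denial(rec))
```

A match means the denial is the one governed by the user_tcp_server boolean named in the report; a target type other than port_t means the port already has a specific label and the boolean is not the relevant control.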
