Bug 521406 - setroubleshoot: SELinux is preventing chronyd from binding to port 323.
Summary: setroubleshoot: SELinux is preventing chronyd from binding to port 323.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2911f1da200...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-09-05 14:42 UTC by Nicolas Mailhot
Modified: 2009-09-08 22:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-08 22:31:23 UTC


Attachments (Terms of Use)

Description Nicolas Mailhot 2009-09-05 14:42:39 UTC
The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing chronyd from binding to port 323.

Description détaillée:

[chronyd has a permissive type (initrc_t). This access was not denied.]

SELinux has denied the chronyd from binding to a network port 323 which does not
have an SELinux type associated with it. If chronyd should be allowed to listen
on 323, use the semanage command to assign 323 to a port type that initrc_t can
bind to ().
If chronyd is not supposed to bind to 323, this could signal an intrusion
attempt.

Autoriser l'accès:

If you want to allow chronyd to bind to port 323, you can execute
# semanage port -a -t PORT_TYPE -p udp 323
where PORT_TYPE is one of the following: .
If this system is running as an NIS Client, turning on the allow_ypbind boolean
may fix the problem. setsebool -P allow_ypbind=1.

Informations complémentaires:

Contexte source               system_u:system_r:initrc_t:s0
Contexte cible                system_u:object_r:reserved_port_t:s0
Objets du contexte            None [ udp_socket ]
source                        chronyd
Chemin de la source           /usr/sbin/chronyd
Port                          323
Hôte                         (removed)
Paquetages RPM source         chrony-1.23-7.20081106gitbe42b4.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.30-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 bind_ports
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.203.rc8.git2.fc12.x86_64
                              #1 SMP Fri Sep 4 21:33:05 EDT 2009 x86_64 x86_64
Compteur d'alertes            5
Première alerte              sam. 05 sept. 2009 16:01:58 CEST
Dernière alerte              sam. 05 sept. 2009 16:26:35 CEST
ID local                      3307b1e5-5865-4d39-a67e-af3dc9542b99
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252160795.293:25): avc:  denied  { name_bind } for  pid=1543 comm="chronyd" src=323 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1252160795.293:25): arch=c000003e syscall=49 success=yes exit=0 a0=2 a1=7fffe48ce630 a2=10 a3=7fffe48ce62c items=0 ppid=1 pid=1543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:initrc_t:s0 key=(null)


audit2allow suggests:

#============= initrc_t ==============
allow initrc_t reserved_port_t:udp_socket name_bind;

Comment 1 Daniel Walsh 2009-09-08 22:31:23 UTC
Fixed in selinux-policy-3.6.30-6.fc12.noarch


Note You need to log in before you can comment on or make changes to this bug.