521406 – setroubleshoot: SELinux is preventing chronyd from binding to port 323.

Bug 521406 - setroubleshoot: SELinux is preventing chronyd from binding to port 323.

Summary: setroubleshoot: SELinux is preventing chronyd from binding to port 323.

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:2911f1da200...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-09-05 14:42 UTC by Nicolas Mailhot
Modified:	2009-09-08 22:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-09-08 22:31:23 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nicolas Mailhot 2009-09-05 14:42:39 UTC

The following was filed automatically by setroubleshoot:

Résumé:

SELinux is preventing chronyd from binding to port 323.

Description détaillée:

[chronyd has a permissive type (initrc_t). This access was not denied.]

SELinux has denied the chronyd from binding to a network port 323 which does not
have an SELinux type associated with it. If chronyd should be allowed to listen
on 323, use the semanage command to assign 323 to a port type that initrc_t can
bind to ().
If chronyd is not supposed to bind to 323, this could signal an intrusion
attempt.

Autoriser l'accès:

If you want to allow chronyd to bind to port 323, you can execute
# semanage port -a -t PORT_TYPE -p udp 323
where PORT_TYPE is one of the following: .
If this system is running as an NIS Client, turning on the allow_ypbind boolean
may fix the problem. setsebool -P allow_ypbind=1.

Informations complémentaires:

Contexte source               system_u:system_r:initrc_t:s0
Contexte cible                system_u:object_r:reserved_port_t:s0
Objets du contexte            None [ udp_socket ]
source                        chronyd
Chemin de la source           /usr/sbin/chronyd
Port                          323
Hôte                         (removed)
Paquetages RPM source         chrony-1.23-7.20081106gitbe42b4.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.30-2.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 bind_ports
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31-0.203.rc8.git2.fc12.x86_64
                              #1 SMP Fri Sep 4 21:33:05 EDT 2009 x86_64 x86_64
Compteur d'alertes            5
Première alerte              sam. 05 sept. 2009 16:01:58 CEST
Dernière alerte              sam. 05 sept. 2009 16:26:35 CEST
ID local                      3307b1e5-5865-4d39-a67e-af3dc9542b99
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1252160795.293:25): avc:  denied  { name_bind } for  pid=1543 comm="chronyd" src=323 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1252160795.293:25): arch=c000003e syscall=49 success=yes exit=0 a0=2 a1=7fffe48ce630 a2=10 a3=7fffe48ce62c items=0 ppid=1 pid=1543 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:initrc_t:s0 key=(null)


audit2allow suggests:

#============= initrc_t ==============
allow initrc_t reserved_port_t:udp_socket name_bind;

Comment 1 Daniel Walsh 2009-09-08 22:31:23 UTC

Fixed in selinux-policy-3.6.30-6.fc12.noarch

Note You need to log in before you can comment on or make changes to this bug.