Bug 562179 - SELinux is preventing /usr/sbin/winbindd from connecting to port 1025.
Summary: SELinux is preventing /usr/sbin/winbindd from connecting to port 1025.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e96ca427220...
Depends On:
Blocks:
Reported: 2010-02-05 14:40 UTC by James Matelski
Modified: 2010-02-20 00:21 UTC (History)

Fixed In Version: selinux-policy-3.6.32-89.fc12
Clone Of:
Environment:
Last Closed: 2010-02-20 00:21:34 UTC
Type: ---
Embargoed:



Description James Matelski 2010-02-05 14:40:54 UTC
Summary:

SELinux is preventing /usr/sbin/winbindd from connecting to port 1025.

Detailed Description:

SELinux has denied winbindd from connecting to network port 1025, which does
not have an SELinux type associated with it. If winbindd should be allowed to
connect on 1025, use the semanage command to assign 1025 to a port type that
winbind_t can connect to (smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t,
ocsp_port_t).
If winbindd is not supposed to connect to 1025, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow winbindd to connect to 1025, you can execute
semanage port -a -t PORT_TYPE -p tcp 1025
where PORT_TYPE is one of the following: smbd_port_t, ldap_port_t, dns_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          1025
Host                          (removed)
Source RPM Packages           samba-winbind-3.4.5-55.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18
                              20:06:44 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Fri 05 Feb 2010 08:25:33 AM CST
Last Seen                     Fri 05 Feb 2010 08:25:37 AM CST
Local ID                      9df4ad40-b242-4a8c-bae2-a1e965a34608
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265379937.25:27475): avc:  denied  { name_connect } for  pid=1224 comm="winbindd" dest=1025 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1265379937.25:27475): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc296e0 a2=7b0ff4 a3=1b6a108 items=0 ppid=1 pid=1224 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-78.fc12,connect_ports,winbindd,winbind_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= winbind_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow winbind_t port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2010-02-05 16:05:41 UTC
Why is winbind trying to connect to port 1025?  This looks like local customization.

What is listening at port 1025?

Comment 2 James Matelski 2010-02-05 22:40:08 UTC
No local customizations have been made.  Winbind is being used only to authenticate with a Windows 2003 Active Directory domain, which was configured using the standard Fedora 12 dialog boxes.  No direct editing was done to the smb.conf or system-auth files.  To my knowledge port 1025 should be used for anything as a listening port, which is rather unusual why the message started appearing.  It's been going on for about 3 weeks after the latest round of patches.

Comment 3 Daniel Walsh 2010-02-08 14:39:30 UTC
Hey samba guys, any idea why winbind would be trying to connect to port 1025?

Comment 4 Simo Sorce 2010-02-08 16:02:50 UTC
Dan, Winbind contacts the Domain Controller's End Point Mapper to set up an MS-RPC connection over TCP.
The EPM runs on port 135 and can return any port between the ranges 1025-5000 and 49152-65535.
1025 is quite common.

This document [1] describes all the ports Winbindd and smbd should be able to get access to. Please note also the Global Catalog (GC) ports (3268, 3269).

Simo.

[1] http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx
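The description's AVC record and Simo's explanation of the End Point Mapper's dynamic port ranges together give a triage rule for this class of denial: a name_connect denial from winbind_t to an unlabelled port (port_t) inside 1025-5000 or 49152-65535 is the expected MS-RPC behaviour, anything else deserves a closer look. The script below is an added example, not part of the bug report or of the Samba or selinux-policy projects. It parses the raw AVC line quoted above plus two constructed variants, classifies each, and prints the remediation the thread itself names (the semanage command from the description, or the corenet interface from comment 5). Function names and the constructed sample lines are the example's own.

```shell
#!/bin/sh
# Added example: classify SELinux name_connect denials by destination port,
# using the dynamic port ranges given in comment 4 of the bug report.

# Sample AVC line: verbatim from the bug report.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1265379937.25:27475): avc:  denied  { name_connect } for  pid=1224 comm="winbindd" dest=1025 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
# Constructed variants (not from the report): an unlabelled port outside the
# EPM ranges, and a port that already carries a specific type.
SAMPLE_HIGH='node=(removed) type=AVC msg=audit(1265379940.10:27480): avc:  denied  { name_connect } for  pid=1224 comm="winbindd" dest=8080 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
SAMPLE_LDAP='node=(removed) type=AVC msg=audit(1265379941.10:27481): avc:  denied  { name_connect } for  pid=1224 comm="winbindd" dest=389 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# Print the value of key=value field $2 from audit line $1 (keys are unique,
# so the greedy match on the last occurrence is fine).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# Success if port $1 lies in the MS-RPC dynamic ranges
# (1025-5000 on Windows 2003, 49152-65535 on newer servers).
in_rpc_dynamic_range() {
    p=$1
    { [ "$p" -ge 1025 ] && [ "$p" -le 5000 ]; } ||
    { [ "$p" -ge 49152 ] && [ "$p" -le 65535 ]; }
}

# Classify one audit line. Output is one word:
#   rpc-dynamic  name_connect to port_t inside an EPM dynamic range
#   unlabelled   name_connect to port_t outside those ranges
#   labelled     target port already has a specific port type
#   not-avc      not a name_connect denial at all
classify_avc() {
    line=$1
    case $line in
        *"{ name_connect }"*) ;;
        *) echo not-avc; return 0 ;;
    esac
    dest=$(avc_field "$line" dest)
    tctx=$(avc_field "$line" tcontext)
    ttype=${tctx#*:*:}   # drop user and role: port_t:s0
    ttype=${ttype%%:*}   # drop MLS level:    port_t
    if [ "$ttype" != port_t ]; then
        echo labelled
    elif in_rpc_dynamic_range "$dest"; then
        echo rpc-dynamic
    else
        echo unlabelled
    fi
}

# Map a classification to the remediation named in the report.
remediation_hint() {
    case $1 in
        rpc-dynamic) echo "policy: corenet_tcp_connect_all_unreserved_ports(winbind_t) (fixed in selinux-policy-3.6.32-89.fc12)" ;;
        unlabelled)  echo "label the port if legitimate: semanage port -a -t PORT_TYPE -p tcp $2; otherwise investigate" ;;
        labelled)    echo "port type already specific; check which types winbind_t may connect to" ;;
        *)           echo "no action" ;;
    esac
}

# Usage: walk the samples and print class + hint for each.
for sample in "$SAMPLE_AVC" "$SAMPLE_HIGH" "$SAMPLE_LDAP"; do
    cls=$(classify_avc "$sample")
    printf '%s dest=%s -> %s\n' "$cls" "$(avc_field "$sample" dest)" \
        "$(remediation_hint "$cls" "$(avc_field "$sample" dest)")"
done
```

The same parsing can be applied to a whole audit log with a `while read line` loop over `ausearch -m AVC` output; the point of the range check is that the 1025 denial in this report is a policy gap rather than a sign of local customization, whereas a denial to an unlabelled port outside the EPM ranges still merits the "could signal an intrusion attempt" reading the setroubleshoot text gives it.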

Comment 5 Daniel Walsh 2010-02-08 21:25:44 UTC
Miroslav add

corenet_tcp_connect_all_unreserved_ports(winbind_t)

Comment 6 Miroslav Grepl 2010-02-09 09:53:18 UTC
Fixed in selinux-policy-3.6.32-86.fc12

Comment 7 Fedora Update System 2010-02-11 22:01:16 UTC
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12

Comment 8 Fedora Update System 2010-02-13 00:40:22 UTC
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836

Comment 9 Fedora Update System 2010-02-20 00:19:26 UTC
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
