Bug 565462 - SELinux is preventing /usr/sbin/winbindd from connecting to port 135.
Summary: SELinux is preventing /usr/sbin/winbindd from connecting to port 135.
Keywords:
Status: CLOSED DUPLICATE of bug 561037
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:9df2e45b659...
Reported: 2010-02-15 11:50 UTC by Douglas Furlong
Modified: 2010-02-16 15:01 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-02-16 15:01:28 UTC
Type: ---
Embargoed:



Description Douglas Furlong 2010-02-15 11:50:53 UTC
Summary:

SELinux is preventing /usr/sbin/winbindd from connecting to port 135.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied winbindd from connecting to a network port 135 which does not
have an SELinux type associated with it. If winbindd should be allowed to
connect on 135, use the semanage command to assign 135 to a port type that
winbind_t can connect to (smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t,
ocsp_port_t).
If winbindd is not supposed to connect to 135, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow winbindd to connect to 135, you can execute
semanage port -a -t PORT_TYPE -p tcp 135
where PORT_TYPE is one of the following: smbd_port_t, ldap_port_t, dns_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                unconfined_u:system_r:winbind_t:s0
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          135
Host                          (removed)
Source RPM Packages           samba-winbind-3.4.5-55.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-73.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.3.fc12.i686.PAE #1 SMP Mon Jan 18
                              20:06:44 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 01 Feb 2010 09:17:49 GMT
Last Seen                     Mon 01 Feb 2010 09:17:49 GMT
Local ID                      fed508ad-8deb-4222-a22b-9b83e70eb279
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265015869.244:28187): avc:  denied  { name_connect } for  pid=3295 comm="winbindd" dest=135 scontext=unconfined_u:system_r:winbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1265015869.244:28187): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bf8620a0 a2=c33ff4 a3=1bc05a0 items=0 ppid=3292 pid=3295 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="winbindd" exe="/usr/sbin/winbindd" subj=unconfined_u:system_r:winbind_t:s0 key=(null)



Hash String generated from  connect_ports,winbindd,winbind_t,reserved_port_t,tcp_socket,name_connect
audit2allow suggests:

#============= winbind_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow winbind_t reserved_port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2010-02-16 15:01:28 UTC

*** This bug has been marked as a duplicate of bug 561037 ***

