Summary: SELinux is preventing /usr/sbin/iceccd from binding to port 10245.

Detailed Description:
SELinux has denied the iceccd from binding to a network port 10245 which does not have an SELinux type associated with it. If iceccd should be allowed to listen on 10245, use the semanage command to assign 10245 to a port type that iceccd_t can bind to (iceccd_port_t). If iceccd is not supposed to bind to 10245, this could signal an intrusion attempt.

Allowing Access:
If you want to allow iceccd to bind to port 10245, you can execute
# semanage port -a -t PORT_TYPE -p tcp 10245
where PORT_TYPE is one of the following: iceccd_port_t. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem.
setsebool -P allow_ypbind=1

Additional Information:
Source Context                unconfined_u:system_r:iceccd_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          10245
Host                          (removed)
Source RPM Packages           icecream-0.9.4-5.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Sun 11 Apr 2010 03:32:59 PM CEST
Last Seen                     Sun 11 Apr 2010 03:33:07 PM CEST
Local ID                      a92542a0-bb88-4dfd-b8bd-fac0941d88dc
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1270992787.684:315): avc: denied { name_bind } for pid=6782 comm="iceccd" src=10245 scontext=unconfined_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1270992787.684:315): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7fff36f58550 a2=10 a3=8 items=0 ppid=1 pid=6782 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="iceccd" exe="/usr/sbin/iceccd" subj=unconfined_u:system_r:iceccd_t:s0 key=(null)

Hash String generated from  bind_ports,iceccd,iceccd_t,port_t,tcp_socket,name_bind
audit2allow suggests:

#============= iceccd_t ==============
allow iceccd_t port_t:tcp_socket name_bind;
This happened after installing icecream and starting iceccd. The rpm should really allow this by default.
I am reassigning it to icecream because icecream ships its policy in the package. Andi, what is your output of the following command:

# semanage port -l | grep ice
icecream-0.9.4-5.fc12 calls this in its postinstall script:

semanage port -a -t iceccd_port_t -p tcp 10245

Perhaps it failed for some reason. Could you run this by hand and see if there is an error?
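The check the two comments above ask for (is 10245/tcp actually labelled iceccd_port_t, and if not, what is the exact semanage command) can be done offline from the AVC record and a saved `semanage port -l` listing. This is an added example, not part of the bug report or the icecream package; the audit line is the one from the report, the two semanage listings are constructed samples (before and after a successful postinstall), and the rule that domain `foo_t` is expected to bind `foo_port_t` is an assumption that holds for iceccd_t here.

```sh
#!/bin/sh
# Added example: triage a name_bind AVC denial without touching the live policy.
# Parses the audit record for the port, protocol and source domain, looks the
# port up in a `semanage port -l` listing, and prints the remediation command.

# The AVC line from the bug report.
AVC_LINE='type=AVC msg=audit(1270992787.684:315): avc: denied { name_bind } for pid=6782 comm="iceccd" src=10245 scontext=unconfined_u:system_r:iceccd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed samples of `semanage port -l | grep ice` output: columns are
# port type, protocol, then a comma-separated list of ports or port ranges.
LISTING_BEFORE_POSTINSTALL='icecc_scheduler_port_t         tcp      8766'
LISTING_AFTER_POSTINSTALL='icecc_scheduler_port_t         tcp      8766
iceccd_port_t                  tcp      10245'

# avc_field RECORD KEY -> value of "KEY=value" in an audit record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# domain_of CONTEXT -> the type component of user:role:type:level
domain_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_port_type DOMAIN -> port type the domain is expected to bind
# (iceccd_t -> iceccd_port_t). Assumption: the policy follows this naming.
expected_port_type() {
    printf '%s\n' "$1" | sed 's/_t$/_port_t/'
}

# port_is_labelled LISTING TYPE PROTO PORT -> exit 0 if PORT/PROTO is listed
# under TYPE, handling "80, 81" lists and "5900-5999" ranges.
port_is_labelled() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" -v port="$4" '
        BEGIN { found = 0 }
        $1 == t && $2 == p {
            list = ""
            for (i = 3; i <= NF; i++) list = list $i
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                m = split(items[i], r, "-")
                lo = r[1] + 0
                hi = (m == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# triage_name_bind RECORD LISTING -> 0 if the port is already labelled,
# 1 if the label is missing (prints the semanage command to add it),
# 2 if the record is not a name_bind denial.
triage_name_bind() {
    line=$1
    listing=$2
    case $line in
        *'{ name_bind }'*) ;;
        *) echo "not a name_bind denial"; return 2 ;;
    esac
    port=$(avc_field "$line" src)
    proto=$(avc_field "$line" tclass | sed 's/_socket$//')
    domain=$(domain_of "$(avc_field "$line" scontext)")
    ptype=$(expected_port_type "$domain")
    if port_is_labelled "$listing" "$ptype" "$proto" "$port"; then
        echo "port $port/$proto is labelled $ptype; the denial predates the label or the listing is stale"
        return 0
    fi
    echo "port $port/$proto is not labelled $ptype; to let $domain bind it run:"
    echo "  semanage port -a -t $ptype -p $proto $port"
    return 1
}

# Run the triage against both listings; the first reproduces the bug's state.
for listing in "$LISTING_BEFORE_POSTINSTALL" "$LISTING_AFTER_POSTINSTALL"; do
    triage_name_bind "$AVC_LINE" "$listing" || :
done
```

On a real host the listing comes from `semanage port -l` and the record from ausearch or /var/log/audit/audit.log; the script only reads both, so it is safe to run before deciding whether the semanage command from the report is the right fix or whether the bind is unexpected.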
You need to change your post a little.

Requires(post): selinux-policy-base >= %{selinux_policyver}

%if %{with selinux}
for selinuxvariant in %{selinux_variants}; do
  if [ -d /etc/selinux/${selinuxvariant} ]; then
    semodule -s ${selinuxvariant} -i \
      %{_datadir}/selinux/${selinuxvariant}/icecream.pp 2>/dev/null ||:
    semanage port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245 2>/dev/null ||:
    semanage port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766 2>/dev/null ||:
  fi
done
# fixfiles -R %{name} restore ||:
# THIS ^^^ IS illegal, since this uses rpm within an rpm transaction.
# A better solution is to save the file context in the pre and run fixfiles
restorecon -R %{_localstatedir}/cache/icecream 2>/dev/null ||:
restorecon %{_localstatedir}/log/iceccd 2>/dev/null ||:
#semanage port -a -t icecc_scheduler_port_t -p tcp 8765 2>/dev/null ||:
#semanage port -a -t icecc_scheduler_port_t -p udp 8765 2>/dev/null ||:
%endif

# Sourcing the config defines SELINUXTYPE (the active policy, e.g. targeted);
# the pasted snippet had a macro argument (%1) here, which a scriptlet does not expand.
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
if [ $? = 0 -a -f ${FILE_CONTEXT}.icecream ]; then
  fixfiles -C ${FILE_CONTEXT}.icecream restore
  rm -f ${FILE_CONTEXT}.icecream
fi

%pre
if [ -s /etc/selinux/config ]; then
  . %{_sysconfdir}/selinux/config
  FILE_CONTEXT=%{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
  if [ -f ${FILE_CONTEXT} ]; then
    # keep a copy of the pre-upgrade file contexts so %post can restore only what changed
    [ -f ${FILE_CONTEXT}.icecream ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.icecream
  fi
fi
Or hard code the paths into a restorecon line.
icecream-0.9.5-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/icecream-0.9.5-2.fc13
icecream-0.9.5-5.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/icecream-0.9.5-5.fc12
icecream-0.9.5-5.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update icecream'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/icecream-0.9.5-5.fc12
icecream-0.9.5-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
icecream-0.9.5-5.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.