Summary:

SELinux is preventing the users from running TCP servers in the user domain.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the kopete program from binding to a network port 8010
which does not have an SELinux type associated with it. kopete does not have
an SELinux policy defined for it when run by the user, so it runs in the
users domain. SELinux is currently setup to deny TCP servers to run within
the user domain. If you do not expect programs like kopete to bind to a
network port, then this could signal an intrusion attempt. If this system is
running as an NIS Client, turning on the allow_ypbind boolean may fix the
problem. setsebool -P allow_ypbind=1.

Allowing Access:

If you want to allow user programs to run as TCP Servers, you can turn on the
user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1

Fix Command:

setsebool -P user_tcp_server=1

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        kopete
Source Path                   /usr/bin/kopete
Port                          8010
Host                          (removed)
Source RPM Packages           kdenetwork-4.4.92-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.8.6-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   user_tcp_server
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-0.31.rc4.git4.fc14.x86_64 #1
                              SMP Fri Jul 9 01:20:58 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 Jul 2010 06:06:50 PM EDT
Last Seen                     Wed 14 Jul 2010 06:06:50 PM EDT
Local ID                      66c9bf21-b695-4c38-b65d-15310a2a288a
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1279145210.243:65): avc: denied { name_bind } for pid=2410 comm="kopete" src=8010 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1279145210.243:65): arch=c000003e syscall=49 success=yes exit=0 a0=11 a1=7fff422178f0 a2=10 a3=1 items=0 ppid=1 pid=2410 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kopete" exe="/usr/bin/kopete" subj=staff_u:staff_r:staff_t:s0 key=(null)

Daniel, can this AVC be "fixed" without having to enable the bool
allow_ypbind=1? Sorry, it's probably silly to ask... I guess changing the
label won't help, right?

Hash String generated from  user_tcp_server,kopete,staff_t,port_t,tcp_socket,name_bind

audit2allow suggests:

#============= staff_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     user_tcp_server, allow_ypbind
allow staff_t port_t:tcp_socket name_bind;
Turn on the user_tcp_server boolean

setsebool -P user_tcp_server 1
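As an added example (not part of this thread, and not setroubleshoot's or audit2allow's own code), here is a small POSIX shell triage script that pulls the fields an analyst needs out of a raw AVC record like the one above and reports whether it matches the pattern the user_tcp_server boolean governs: a user-domain process doing name_bind on a tcp_socket whose port carries only the generic port_t label. The sample line is the thread's AVC re-typed as constructed test input; the list of domains treated as "user domains" (user_t, staff_t) is an assumption about the targeted policy of that era, so extend it to match your own policy.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Parses an AVC record and
# classifies it; reports the live boolean state only if getsebool exists.

# Constructed sample input: the AVC line from the thread, re-typed here.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1279145210.243:65): avc: denied { name_bind } for pid=2410 comm="kopete" src=8010 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in LINE (quotes stripped);
# prints nothing if the key is absent. The leading whitespace anchor keeps
# "pid=" from matching inside "ppid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission named inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# type_of CONTEXT -> the type component of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify LINE -> "user_tcp_server" when the denial is name_bind on a
# tcp_socket from a user domain to a port labelled port_t, else "other".
classify() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    stype=$(type_of "$(avc_field "$1" scontext)")
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    # Assumption: these are the unprivileged user domains covered by the
    # boolean in the targeted policy of that era; adjust for your policy.
    case "$stype" in
        user_t|staff_t) user_domain=1 ;;
        *)              user_domain=0 ;;
    esac
    if [ "$perm" = name_bind ] && [ "$tclass" = tcp_socket ] \
       && [ "$ttype" = port_t ] && [ "$user_domain" = 1 ]; then
        echo user_tcp_server
    else
        echo other
    fi
}

# report LINE: human-readable summary of the record, plus the current value
# of user_tcp_server when the SELinux tools are installed on this host.
report() {
    echo "process : $(avc_field "$1" comm) (pid $(avc_field "$1" pid))"
    echo "wants   : $(avc_perm "$1") on $(avc_field "$1" tclass), port $(avc_field "$1" src)"
    echo "source  : $(avc_field "$1" scontext)"
    echo "target  : $(avc_field "$1" tcontext)"
    echo "pattern : $(classify "$1")"
    if command -v getsebool >/dev/null 2>&1; then
        getsebool user_tcp_server 2>/dev/null || true
    fi
}

report "$SAMPLE_AVC"
```

Feed it a line from `ausearch -m avc` (or the Raw Audit Messages section of an alert) to get the same summary for other denials; the pattern check is what tells you whether setsebool on user_tcp_server is even the relevant knob, as opposed to a denial that needs a port label or a proper domain for the program.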