Bug 614654 - SELinux is preventing the users from running TCP servers in the usedomain.
Summary: SELinux is preventing the users from running TCP servers in the usedomain.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:82772fd544c...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-14 22:14 UTC by Carl G.
Modified: 2010-07-15 12:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-15 12:58:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Carl G. 2010-07-14 22:14:34 UTC

SELinux is preventing the users from running TCP servers in the usedomain.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the kopete program from binding to a network port 8010 which
does not have an SELinux type associated with it. kopete does not have an
SELinux policy defined for it when run by the user, so it runs in the users
domain. SELinux is currently setup to deny TCP servers to run within the user
domain. If you do not expect programs like kopete to bind to a network port,
then this could signal an intrusion attempt. If this system is running as an NIS
Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P

Allowing Access:

If you want to allow user programs to run as TCP Servers, you can turn on the
user_tcp_server boolean, by executing: setsebool -P user_tcp_server=1

Fix Command:

setsebool -P user_tcp_server=1

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        kopete
Source Path                   /usr/bin/kopete
Port                          8010
Host                          (removed)
Source RPM Packages           kdenetwork-4.4.92-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.6-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   user_tcp_server
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-0.31.rc4.git4.fc14.x86_64
                              #1 SMP Fri Jul 9 01:20:58 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 Jul 2010 06:06:50 PM EDT
Last Seen                     Wed 14 Jul 2010 06:06:50 PM EDT
Local ID                      66c9bf21-b695-4c38-b65d-15310a2a288a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1279145210.243:65): avc:  denied  { name_bind } for  pid=2410 comm="kopete" src=8010 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1279145210.243:65): arch=c000003e syscall=49 success=yes exit=0 a0=11 a1=7fff422178f0 a2=10 a3=1 items=0 ppid=1 pid=2410 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kopete" exe="/usr/bin/kopete" subj=staff_u:staff_r:staff_t:s0 key=(null)

Daniel, can this AVC be "fixed" without having to enable the bool
allow_ypbind=1 ? Sorry, it's probably silly to ask.. I guess changing the label won't help, right?
Hash String generated from  user_tcp_server,kopete,staff_t,port_t,tcp_socket,name_bind
audit2allow suggests:

#============= staff_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     user_tcp_server, allow_ypbind

allow staff_t port_t:tcp_socket name_bind;

Comment 1 Daniel Walsh 2010-07-15 12:58:10 UTC
Turn on the user_tcp_server boolean

setsebool -P user_tcp_server 1

Note You need to log in before you can comment on or make changes to this bug.