I have just hit the same problem on RHEL5.5, selinux-policy-2.4.6-279.el5 +++ This bug was initially created as a clone of Bug #561037 +++ Description of problem: selinux error Summary: SELinux is preventing /usr/sbin/winbindd from connecting to port 135. Detailed Description: SELinux has denied winbindd from connecting to a network port 135 which does not have an SELinux type associated with it. If winbindd should be allowed to connect on 135, use the semanage command to assign 135 to a port type that winbind_t can connect to (smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t, ocsp_port_t). If winbindd is not supposed to connect to 135, this could signal a intrusion attempt. Allowing Access: If you want to allow winbindd to connect to 135, you can execute semanage port -a -t PORT_TYPE -p tcp 135 where PORT_TYPE is one of the following: smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t, ocsp_port_t. Additional Information: Source Context system_u:system_r:winbind_t:s0 Target Context system_u:object_r:reserved_port_t:s0 Target Objects None [ tcp_socket ] Source winbindd Source Path /usr/sbin/winbindd Port 135 Host (removed) Source RPM Packages samba-winbind-3.4.5-55.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-73.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name connect_ports Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64 Alert Count 3 First Seen Thu 28 Jan 2010 03:50:17 PM MST Last Seen Tue 02 Feb 2010 07:38:55 AM MST Local ID 8d08b986-0568-41a0-9b97-aa09549b499f Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1265121535.300:27254): avc: denied { name_connect } for pid=1610 comm="winbindd" dest=135 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket node=(removed) type=SYSCALL msg=audit(1265121535.300:27254): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fb8f6a8ddc0 a2=10 a3=68 items=0 ppid=1561 pid=1610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null) --- Additional comment from dwalsh on 2010-02-09 15:50:23 EST --- Simo, Any idea what winbind would connect to port 135? --- Additional comment from dwalsh on 2010-02-16 10:01:28 EST --- *** Bug 565462 has been marked as a duplicate of this bug. *** --- Additional comment from dwalsh on 2010-02-16 10:03:14 EST --- What is listening at port 135? --- Additional comment from dwalsh on 2010-02-16 10:09:03 EST --- http://www.grc.com/port_135.htm Looks like it is trying to connect to dcom port? Miroslav, I think we should add network_port(dcom, udp,135,s0, udp,135,s0) to corenetwork.te.in and corenet_tcp_connect_dcom_port(winbind_t) to samba.te --- Additional comment from ssorce on 2010-02-16 10:24:38 EST --- 135 is the RPC Endpoint Mapper (like the nfs portmap) --- Additional comment from dwalsh on 2010-02-16 10:39:29 EST --- Is calling it dcom appropriate or should I call it something like rpc_endpoint? --- Additional comment from ssorce on 2010-02-16 11:05:14 EST --- dcom looks not appropriate. EPM or EPMAP is what is used in the windows world to defined the service in short. So maybe rpc_epm or rpc_epmap ? --- Additional comment from dwalsh on 2010-02-16 11:16:37 EST --- Well it is called epmap in /etc/services so Miroslav make it network_port(epmap, udp,135,s0, tcp,135,s0) corenet_tcp_connect_epmap_port(winbind_t) --- Additional comment from mgrepl on 2010-02-16 11:20:49 EST --- I agree. Fixed in selinux-policy-3.6.32-91.fc12
I believe it's fixed now: # rpm -q selinux-policy selinux-policy-2.4.6-292.el5.noarch # sesearch -s winbind_t -t reserved_port_t -c tcp_socket -p name_connect --allow Found 1 av rules: allow winbind_t reserved_port_t : tcp_socket { name_bind name_connect };
Fixed in selinux-policy-2.4.6-293.el5.noarch
I have encountered (occasional) appearance of the bug 562179. In my case winbind was trying to access port 49156. Probably we should allow that rule also.
Fixed in selinux-policy-2.4.6-294.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: With SELinux enabled, the winbindd service was unable to connect to the port 135. This error has been fixed, and relevant SELinux rules have been added to allow such connections.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html