Bug 652199 - selinux prevents winbindd from connecting to port 135
Summary: selinux prevents winbindd from connecting to port 135
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-11 11:05 UTC by Karel Srot
Modified: 2015-02-19 10:21 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-294.el5
Doc Type: Bug Fix
Doc Text:
With SELinux enabled, the winbindd service was unable to connect to the port 135. This error has been fixed, and relevant SELinux rules have been added to allow such connections.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:51:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Karel Srot 2010-11-11 11:05:02 UTC 
I have just hit the same problem on RHEL5.5, 
selinux-policy-2.4.6-279.el5

+++ This bug was initially created as a clone of Bug #561037 +++

Description of problem:
selinux error


Summary:

SELinux is preventing /usr/sbin/winbindd from connecting to port 135.

Detailed Description:

SELinux has denied winbindd from connecting to a network port 135 which does not
have an SELinux type associated with it. If winbindd should be allowed to
connect on 135, use the semanage command to assign 135 to a port type that
winbind_t can connect to (smbd_port_t, ldap_port_t, dns_port_t, kerberos_port_t,
ocsp_port_t).
If winbindd is not supposed to connect to 135, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow winbindd to connect to 135, you can execute
semanage port -a -t PORT_TYPE -p tcp 135
where PORT_TYPE is one of the following: smbd_port_t, ldap_port_t, dns_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                system_u:system_r:winbind_t:s0
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        winbindd
Source Path                   /usr/sbin/winbindd
Port                          135
Host                          (removed)
Source RPM Packages           samba-winbind-3.4.5-55.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-73.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18
                              19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Thu 28 Jan 2010 03:50:17 PM MST
Last Seen                     Tue 02 Feb 2010 07:38:55 AM MST
Local ID                      8d08b986-0568-41a0-9b97-aa09549b499f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1265121535.300:27254): avc:  denied  { name_connect } for  pid=1610 comm="winbindd" dest=135 scontext=system_u:system_r:winbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1265121535.300:27254): arch=c000003e syscall=42 success=no exit=-13 a0=15 a1=7fb8f6a8ddc0 a2=10 a3=68 items=0 ppid=1561 pid=1610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="winbindd" exe="/usr/sbin/winbindd" subj=system_u:system_r:winbind_t:s0 key=(null)

--- Additional comment from dwalsh on 2010-02-09 15:50:23 EST ---

Simo, Any idea what winbind would connect to port 135?

--- Additional comment from dwalsh on 2010-02-16 10:01:28 EST ---

*** Bug 565462 has been marked as a duplicate of this bug. ***

--- Additional comment from dwalsh on 2010-02-16 10:03:14 EST ---

What is listening at port 135?

--- Additional comment from dwalsh on 2010-02-16 10:09:03 EST ---

http://www.grc.com/port_135.htm

Looks like it is trying to connect to dcom port?

Miroslav, 

I think we should add

network_port(dcom, udp,135,s0, udp,135,s0)

to corenetwork.te.in

and

corenet_tcp_connect_dcom_port(winbind_t)

to samba.te

--- Additional comment from ssorce on 2010-02-16 10:24:38 EST ---

135 is the RPC Endpoint Mapper (like the nfs portmap)

--- Additional comment from dwalsh on 2010-02-16 10:39:29 EST ---

Is calling it dcom appropriate or should I call it something like
rpc_endpoint?

--- Additional comment from ssorce on 2010-02-16 11:05:14 EST ---

dcom looks not appropriate.
EPM or EPMAP is what is used in the windows world to defined the service in short.
So maybe rpc_epm or rpc_epmap ?

--- Additional comment from dwalsh on 2010-02-16 11:16:37 EST ---

Well it is called epmap in /etc/services so

Miroslav make it


network_port(epmap, udp,135,s0, tcp,135,s0)

corenet_tcp_connect_epmap_port(winbind_t)

--- Additional comment from mgrepl on 2010-02-16 11:20:49 EST ---

I agree. 

Fixed in selinux-policy-3.6.32-91.fc12
Comment 2 Milos Malik 2010-11-11 12:55:44 UTC 
I believe it's fixed now:

# rpm -q selinux-policy
selinux-policy-2.4.6-292.el5.noarch
# sesearch -s winbind_t -t reserved_port_t -c tcp_socket -p name_connect --allow
Found 1 av rules:
   allow winbind_t reserved_port_t : tcp_socket { name_bind name_connect };
Comment 7 Miroslav Grepl 2010-11-16 14:46:19 UTC 
Fixed in selinux-policy-2.4.6-293.el5.noarch
Comment 10 Karel Srot 2010-11-19 12:09:25 UTC 
I have encountered (occasional) appearance of the bug 562179. In my case winbind was trying to access port 49156. Probably we should allow that rule also.
Comment 12 Miroslav Grepl 2010-11-23 16:32:45 UTC 
Fixed in selinux-policy-2.4.6-294.el5.noarch
Comment 14 Jaromir Hradilek 2011-01-05 16:27:02 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux enabled, the winbindd service was unable to connect to the port 135. This error has been fixed, and relevant SELinux rules have been added to allow such connections.
Comment 16 errata-xmlrpc 2011-01-13 21:51:14 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
Note You need to log in before you can comment on or make changes to this bug.