Description of problem:
When ident requests are allowed in TCP wrappers config (/etc/hosts.{allow,deny}), SELinux blocks the requests. I have seen it with sshd, but I suspect other users of libwrap can be affected as well.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-29.fc14.noarch
tcp_wrappers-libs-7.6-59.fc14.x86_64
openssh-server-5.5p1-24.fc14.2.x86_64

How reproducible:
100 %

Steps to Reproduce:
1. Install F14, configure ssh server, enable it in iptables.
2. echo "sshd: ALL@ALL" >> /etc/hosts.allow
3. connect to the ssh server (telnet f14-host.mydomain 22)
4. tail /var/log/audit/audit.log | audit2allow

Actual results:
#============= sshd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     sshd_forward_ports, allow_ypbind
allow sshd_t auth_port_t:tcp_socket name_connect;

Expected results:
No AVCs should be logged.

Additional info:
I don't think any of the booleans suggested by audit2allow apply (I don't want to allow port forwarding, and I don't run ypbind).
Dan, maybe we could add a new boolean for this

tunable_policy(`allow_use_tcp_wrapper',`
	corenet_tcp_connect_auth_port(sshd_t)
')

which could be used also for other domains.
How about adding to init.te

tunable_policy(`daemon_use_tcp_wrapper',`
	corenet_tcp_connect_auth_port(daemon)
')
Good idea. Fixed in selinux-policy-3.9.7-31.fc14
Works for me, thanks!
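The two checks a practitioner would run on a host showing this symptom, as an added example that is not part of the bug report or of selinux-policy: first, which hosts.allow/hosts.deny rules use a user@host client pattern (the form that makes libwrap send an RFC 1413 ident query to port 113, the auth_port_t port in the AVC), and second, which source domains the audit log shows being denied tcp name_connect to auth_port_t. The hosts.allow and audit.log contents below are constructed samples, not real captures. The boolean name printed as the remedy is taken from the proposal above (daemon_use_tcp_wrapper) and is an assumption; confirm the name your policy actually ships with getsebool -a before using it.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Checks for the symptom described above: TCP wrappers ident lookups being
# denied by SELinux as name_connect to auth_port_t (tcp/113).

# Constructed sample of /etc/hosts.allow (not a real file).
SAMPLE_HOSTS_ALLOW='# comment: sshd: ALL@ALL
sshd: ALL@ALL
sshd: 192.168.1.0/255.255.255.0
vsftpd: .example.com EXCEPT bad@.example.com'

# Constructed sample of /var/log/audit/audit.log lines (not a real capture),
# shaped like the AVC that audit2allow summarised in the report.
SAMPLE_AUDIT='type=AVC msg=audit(1300000000.123:45): avc:  denied  { name_connect } for  pid=1234 comm="sshd" dest=113 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:auth_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.456:46): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.789:47): avc:  denied  { name_connect } for  pid=2345 comm="vsftpd" dest=113 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:auth_port_t:s0 tclass=tcp_socket'

# ident_patterns CONTENT: print non-comment hosts_access rules whose client
# list contains a user@host pattern (the trigger for an ident lookup).
ident_patterns() {
  printf '%s\n' "$1" | grep '^[^#]*:[^#]*@' || true
}

# ident_pattern_count CONTENT: how many such rules there are.
ident_pattern_count() {
  ident_patterns "$1" | grep -c '' || true
}

# ident_avc_count LOG: number of denied tcp name_connect to auth_port_t.
ident_avc_count() {
  printf '%s\n' "$1" \
    | grep -c 'denied  { name_connect }.*tcontext=[^ ]*:auth_port_t:.*tclass=tcp_socket' || true
}

# ident_avc_domains LOG: source domain types hitting that denial, sorted, unique.
ident_avc_domains() {
  printf '%s\n' "$1" \
    | grep 'denied  { name_connect }.*tcontext=[^ ]*:auth_port_t:' \
    | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
    | sort -u
}

# report HOSTS LOG: print findings and the remedy. The boolean name is the one
# proposed in this thread (daemon_use_tcp_wrapper) and is an assumption here;
# check `getsebool -a | grep tcp_wrapper` for the name your policy ships.
report() {
  hosts="$1"
  log="$2"
  echo "hosts.allow/deny rules that trigger ident lookups:"
  ident_patterns "$hosts" | sed 's/^/  /'
  n=$(ident_avc_count "$log")
  if [ "$n" -gt 0 ]; then
    echo "$n denial(s) of tcp name_connect to auth_port_t from: $(ident_avc_domains "$log" | tr '\n' ' ')"
    echo "remedy: setsebool -P daemon_use_tcp_wrapper on   # boolean name assumed, verify first"
  else
    echo "no auth_port_t name_connect denials in the log"
  fi
}

report "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_AUDIT"
```

On a live system replace the samples with `cat /etc/hosts.allow /etc/hosts.deny` and `grep auth_port_t /var/log/audit/audit.log`. If the policy you run has no such boolean, the alternative is the local module route audit2allow already hints at: feed those audit lines to `audit2allow -M <name>` and load the result with `semodule -i`, which grants only name_connect to auth_port_t for the affected domain rather than the broader sshd_forward_ports or allow_ypbind booleans the report rightly rejects.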
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
Jan, could you update the karma? Thank you.
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.