Description of problem:
When you attempt to log in with telnet using xinetd and in.telnetd, you get an SELinux error. I believe the problem is that /bin/login has been moved to /usr/bin, and /bin is a softlink. To traverse a softlink, in.telnetd needs lnk_file read permissions in the SELinux policy, or /bin/login in the in.telnetd source replaced with "/usr/bin/login" (probably the better solution and thus the reason for not raising this with SELinux).

Version-Release number of selected component (if applicable):
xinetd-2.3.15-1.fc17.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install xinetd and telnet-server
2. Enable telnet server with appropriate firewall rules then telnet to the machine
3. Error appears in /var/log/messages

Actual results:
sealert reads:

Additional Information:
Source Context                system_u:system_r:telnetd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                bin [ lnk_file ]
Source                        in.telnetd
Source Path                   /usr/sbin/in.telnetd
Port                          <Unknown>
Host                          host-19-17.linuxzoo.net
Source RPM Packages           telnet-server-0.17-52.fc17.x86_64
Target RPM Packages           filesystem-3-2.fc17.x86_64
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host-19-17.linuxzoo.net
Platform                      Linux host-19-17.linuxzoo.net 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 30 May 2012 04:41:43 PM BST
Last Seen                     Wed 30 May 2012 04:42:56 PM BST
Local ID                      118784fb-1e34-45d6-adb8-9e7677121d55

Raw Audit Messages
type=AVC msg=audit(1338392576.243:120): avc: denied { read } for pid=12398 comm="in.telnetd" name="bin" dev="sda2" ino=1155 scontext=system_u:system_r:telnetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1338392576.243:120): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f53fedef206 a1=7f53ff461f60 a2=7f53ff461dd0 a3=7fffec907b10 items=0 ppid=12397 pid=12398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm=in.telnetd exe=/usr/sbin/in.telnetd subj=system_u:system_r:telnetd_t:s0-s0:c0.c1023 key=(null)

Hash: in.telnetd,telnetd_t,bin_t,lnk_file,read

audit2allow

#============= telnetd_t ==============
allow telnetd_t bin_t:lnk_file read;

audit2allow -R

#============= telnetd_t ==============
allow telnetd_t bin_t:lnk_file read;

Expected results:
No SELinux problems

Additional info:
Of course there could be other selinux issues beyond the first one!
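
An added example (not part of the original report, and not audit2allow's own code): a small Python parser that groups the audit records quoted above by event serial, ties the AVC denial to the failing execve, and derives the same allow rule that audit2allow printed. The function names are hypothetical, and the SYSCALL record is abridged from the report to the fields the code reads.

```python
import re

# Records copied from the report; the SYSCALL record is abridged to the fields used.
RAW = '''
type=AVC msg=audit(1338392576.243:120): avc: denied { read } for pid=12398 comm="in.telnetd" name="bin" dev="sda2" ino=1155 scontext=system_u:system_r:telnetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1338392576.243:120): arch=x86_64 syscall=execve success=no exit=EACCES pid=12398 uid=0 comm=in.telnetd exe=/usr/sbin/in.telnetd key=(null)
'''

RECORD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split 'k=v k="v"' audit text into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def parse_denials(raw):
    """Group records by event serial, then merge each AVC with its SYSCALL."""
    events = {}
    for line in raw.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    denials = []
    for serial, recs in events.items():
        avc = DENIED.match(recs.get("AVC", ""))
        if not avc:
            continue  # event carried no AVC denial
        obj, sc = fields(avc.group(2)), fields(recs.get("SYSCALL", ""))
        denials.append({
            "serial": serial,
            "perms": avc.group(1).split(),
            "source": obj["scontext"].split(":")[2],  # type is the 3rd context field
            "target": obj["tcontext"].split(":")[2],
            "tclass": obj["tclass"],
            "name": obj.get("name"),
            "syscall": sc.get("syscall"),
            "exe": sc.get("exe"),
        })
    return denials

def allow_rule(d):
    """Render the rule in the form audit2allow printed in the report."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perms)

if __name__ == "__main__":
    for d in parse_denials(RAW):
        print(d["exe"], d["syscall"], "denied on", d["tclass"], repr(d["name"]))
        print(allow_rule(d))
```

The derived rule only restates the denial; in this thread the problem went away with the selinux-policy -128 update rather than with a local rule.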
I could not reproduce this. There is no selinux error in /var/log/messages and I can telnet (tried localhost) fine. My selinux-policy version is 3.10.0-128 though. Can you please update and try again?
I updated the selinux-policy to -128 and I have no more problems. It all seems to be working fine now. Thanks for investigating. Gordon.