Simple AVC: type=AVC msg=audit(11/28/2012 16:57:32.369:23909) : avc: denied { name_bind } for pid=20304 comm=shellinaboxd src=4200 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket -Robin
Hmm. You know, I can't help but notice that shellinabox is running as initrc_t ; that seems not great. I have a complete shellinabox SELinux policy I made that gives it its own _exec_t, and its own transition policy, &c. Would y'all like me to attach it here? Or would that be a shellinabox package bug instead of an selinux bug? -Robin
I ask because audit2allow says that that AVC works out to: corenet_tcp_bind_generic_port(initrc_t) Which, *eww*. -Robin
Yes, it would be fine to have attached your policy. Also is tcp/4200 used by default by shellinabox?
I apologize in advance; I was quite new to selinux when I did this. It is almost certainly not minimal. It did, however, work well for me for a long time: http://fpaste.org/6WRZ/ WRT the port: /etc/sysconfig/shellinaboxd from the rpm has "PORT=4200", so yes.
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Here's all the AVCs that occured in non-enforcing mode when I was using shellinabox without my module (with dontaudit off), stored in a URL that won't go away: https://gist.github.com/7b6267f10fffa2c9abfc Sorry, that has some exim and spamd stuff in it (although those look like real issues y'all might want to fix anyway). I suspect pretty strongly that we don't want to give init all those powers. I had a module that had a shellinabox_d type, but I suspect it's absolute crap. Let me know if you want it anyway.
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
selinux-policy-3.13.1-141.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-141.fc23
Package selinux-policy-3.13.1-141.fc23: * should fix your issue, * was pushed to the Fedora 23 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-141.fc23' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13450/selinux-policy-3.13.1-141.fc23 then log in and leave karma (feedback).
selinux-policy-3.13.1-141.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.