Bug 957023 - SELinux is preventing /usr/bin/svnserve from 'name_bind' accesses on the tcp_socket .
Summary: SELinux is preventing /usr/bin/svnserve from 'name_bind' accesses on the tcp_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard: abrt_hash:c1a6efcf6925f0a7ee7fbabc667...
Depends On: 912506
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-26 08:06 UTC by Michal Trunecka
Modified: 2014-09-30 23:34 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 912506
Environment:
Last Closed: 2013-11-21 10:25:24 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Michal Trunecka 2013-04-26 08:06:21 UTC
We believe this should be fixed in RHEL6 as well.

There is no svn_port_t type in current selinux policy.
selinux-policy-3.7.19-198.el6.noarch


+++ This bug was initially created as a clone of Bug #912506 +++

Description of problem:
The process 'svnserve' should be able to run in daemon mode. The process is set with the following options (in /etc/sysconfig/svnserve):

OPTIONS="-d -r /srv/svn"

However, when the system starts, 'selinux' denies svnserve from starting. Then as the system runs for a little while, 'svnserve' is allowed to start, but 'selinux' apparently sandboxes 'svnserve' from creating sockets that allow remote users to connect to it.


Additional info:
libreport version: 2.0.18
kernel:         3.7.3-101.fc17.x86_64

description:
:SELinux is preventing /usr/bin/svnserve from 'name_bind' accesses on the tcp_socket .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that svnserve should be allowed name_bind access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep svnserve /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:svnserve_t:s0
:Target Context                system_u:object_r:svn_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        svnserve
:Source Path                   /usr/bin/svnserve
:Port                          3690
:Host                          (removed)
:Source RPM Packages           subversion-1.7.7-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.7.3-101.fc17.x86_64 #1 SMP Fri
:                              Jan 18 17:40:57 UTC 2013 x86_64 x86_64
:Alert Count                   1
:First Seen                    2013-02-18 15:19:59 CST
:Last Seen                     2013-02-18 15:19:59 CST
:Local ID                      1f6634e4-f7e2-41a7-a222-b7943971bae3
:
:Raw Audit Messages
:type=AVC msg=audit(1361222399.928:30): avc:  denied  { name_bind } for  pid=695 comm="svnserve" src=3690 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:svn_port_t:s0 tclass=tcp_socket
:
:
:type=AVC msg=audit(1361222399.928:30): avc:  denied  { node_bind } for  pid=695 comm="svnserve" src=3690 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1361222399.928:30): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7f6516800718 a2=10 a3=7fff7a3c71c0 items=0 ppid=1 pid=695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null)
:
:Hash: svnserve,svnserve_t,svn_port_t,tcp_socket,name_bind
:
:audit2allow
:
:#============= svnserve_t ==============
:allow svnserve_t node_t:tcp_socket node_bind;
:allow svnserve_t svn_port_t:tcp_socket name_bind;
:
:audit2allow -R
:
:#============= svnserve_t ==============
:allow svnserve_t node_t:tcp_socket node_bind;
:allow svnserve_t svn_port_t:tcp_socket name_bind;
:

--- Additional comment from Conrad K on 2013-02-18 15:35:19 EST ---

Created attachment 699123 [details]
File: type

--- Additional comment from Conrad K on 2013-02-18 15:35:21 EST ---

Created attachment 699124 [details]
File: hashmarkername

--- Additional comment from Miroslav Grepl on 2013-02-19 10:49:12 EST ---

commit a4a2ec617a8df9eb7aa64925b0f82f05a15c43e2
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 19 16:48:03 2013 +0100

    Fix svnserve policy

--- Additional comment from Fedora Update System on 2013-03-05 09:32:55 EST ---

selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17

--- Additional comment from Fedora Update System on 2013-03-05 18:30:16 EST ---

Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2013-04-04 04:31:49 EDT ---

selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17

Comment 1 Milos Malik 2013-04-26 11:38:38 UTC
# seinfo -tsvn_port_t -x
ERROR: could not find datum for type svn_port_t
# seinfo --portcon=3690
#

Comment 8 errata-xmlrpc 2013-11-21 10:25:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.