Red Hat Bugzilla – Bug 997142
SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities.
Last modified: 2013-09-13 22:30:31 EDT
Description of problem: logged in to kde-4.11.0 session is all SELinux is preventing /usr/libexec/accounts-daemon from using the 'net_bind_service' capabilities. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that accounts-daemon should have the net_bind_service capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:system_r:accountsd_t:s0 Target Objects [ capability ] Source accounts-daemon Source Path /usr/libexec/accounts-daemon Port <Unknown> Host (removed) Source RPM Packages accountsservice-0.6.34-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-69.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.10.5-201.fc19.x86_64 #1 SMP Wed Aug 7 16:25:24 UTC 2013 x86_64 x86_64 Alert Count 34 First Seen 2013-08-09 08:06:11 CDT Last Seen 2013-08-14 13:42:00 CDT Local ID 548f9011-9d05-435a-bd8a-a25b46465521 Raw Audit Messages type=AVC msg=audit(1376505720.840:1323): avc: denied { net_bind_service } for pid=417 comm="accounts-daemon" capability=10 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=capability type=SYSCALL msg=audit(1376505720.840:1323): arch=x86_64 syscall=bind success=yes exit=0 a0=b a1=7fff488866c0 a2=10 a3=0 items=0 ppid=1 pid=417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) Hash: accounts-daemon,accountsd_t,accountsd_t,capability,net_bind_service Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.5-201.fc19.x86_64 type: libreport
Description of problem: Just logged in to kde session on f19 x86_64 box (with nfs $HOME, if that matters). Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.5-201.fc19.x86_64 type: libreport
Any idea why accountsd would be binding to a port < 1024
honestly no, accountsservice is still largely a black box (with a neato dbus interface) to me. I'll try to ask around and find out though.
For what it's worth, it must be temporary (on startup?)... just checked with lsof, and it's currently not listening.
Description of problem: See bug 989516 Additional info: reporter: libreport-2.1.6 hashmarkername: setroubleshoot kernel: 3.10.10-200.fc19.x86_64 type: libreport
Are you running with NIS?
Yes, I am running with NIS.
(In reply to Daniel Walsh from comment #6) > Are you running with NIS? Yes, I'm also running NIS.
It looks like nis or glibc must have changed to allow priv apps to bind to ports < 1024 fairly recently. I added a dontaudit for this in git. a13733d1b028ec3ca4db41d3468b486113c7da5b, nis should continue to attempt to bind to random ports until it gets one > 1024.
*** Bug 1004737 has been marked as a duplicate of this bug. ***
Reassigning to ypbind package to see if they know anything.
Rex do you know about anything that might have changed to cause this?
(In reply to Daniel Walsh from comment #11) > Reassigning to ypbind package to see if they know anything. Well, we did nothing serious in NIS packages (ypserv, ypbind, yp-tools) that could influence SELinux access for couple of months. I also don't understand how did you come to ypbind to cause this problem, since I don't probably understand enough what's happening in accounts-daemon that could be related to NIS. Could anybody explain to me the connection of accounts-daemon and ypbind, please? What I noticed only are some NIS-related changes in selinux-policy, so maybe that could help: * Fri Sep 06 2013 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-74.2 - Dontaudit attempts to bind to ports < 1024 when nis is turned on * Thu Aug 08 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-70 - Make NFS home, NIS authentication and dbus-daemon working * Tue Mar 26 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-24 - Allow yppasswdd to use NIS * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on * Wed Jan 16 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-5 - Dontaudit thumb drives trying to bind to udp sockets if nis_enabled is turned on
Ok I think we will just don't audit for now and see if there are other problems. Fixed in 3.12.1-74.2
OK. Changing the component as well so it corresponds with the actual fix made.
*** Bug 989516 has been marked as a duplicate of this bug. ***
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Package selinux-policy-3.12.1-74.3.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.