Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 369371 - SELinux blocking xinetd 590X and 2000
Summary: SELinux blocking xinetd 590X and 2000
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: K12LTSP
TreeView+ depends on / blocked
 
Reported: 2007-11-07 04:38 UTC by Warren Togami
Modified: 2008-01-30 19:18 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:18:38 UTC


Attachments (Terms of Use)

Description Warren Togami 2007-11-07 04:38:15 UTC
type=AVC msg=audit(1194409964.031:84): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5902 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1194409964.031:84): arch=c000003e syscall=49 success=no
exit=-13 a0=6 a1=7fff0ff84d50 a2=1c a3=7fff0ff84d4c items=0 ppid=1 pid=10771
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0 key=(null)
type=AVC msg=audit(1194409964.031:85): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=5903 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

vnc-ltsp-config-4.0-3
This package specifies a few ports to be served by xinetd to allow VNC-based
XDMCP logins.  SELInux is blocking this.

type=AVC msg=audit(1194409964.031:83): avc:  denied  { name_bind } for 
pid=10771 comm="xinetd" src=2000 scontext=system_u:system_r:inetd_t:s0
tcontext=system_u:object_r:mail_port_t:s0 tclass=tcp_socket
nbd-server being served by xinetd is also blocked.  nbd-server is on TCP port 2000.

Why is SELinux blocking these ports?
What should we do?

Comment 1 Daniel Walsh 2007-11-07 15:33:48 UTC
You can add the ports to xinetd by executing

# semanage port -a -t inetd_child_port_t -P tcp 5902
# semanage port -a -t inetd_child_port_t -P tcp 5903

You can add the other rule by executing 

# grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
#semodule -i myxinetd.pp



Comment 2 Daniel Walsh 2007-11-07 15:35:40 UTC
I will also put back the uncofined_domain for inetd in Fedora 8.

Comment 3 Warren Togami 2007-11-07 19:35:28 UTC
> # semanage port -a -t inetd_child_port_t -P tcp 5902
> # semanage port -a -t inetd_child_port_t -P tcp 5903

> # grep mail_port_t /var/log/audit/audit.log | audit2allow -M myxinetd
> #semodule -i myxinetd.pp

I need both of these?

> I will also put back the uncofined_domain for inetd in Fedora 8.

What will the effect of this be?

> semanage port -a -t inetd_child_port_t -P tcp 5902

Is it proper to insert this (and matching removal) into the %post and %preun of
ltsp-vnc-config?

Comment 4 Daniel Walsh 2007-11-07 22:11:19 UTC
No, I would just wait for the updated policy


Fixed in selinux-policy-targeted-3.0.8-47.fc8.noarch.rpm

Comment 5 Daniel Walsh 2007-11-07 22:24:17 UTC
Should be 48 not 47

Comment 6 Daniel Walsh 2008-01-30 19:18:38 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.


Note You need to log in before you can comment on or make changes to this bug.