F12/3: SELinux is preventing /usr/bin/perl from binding to port XXXXX

Dominick Grift domg472 at gmail.com
Wed Aug 18 08:43:52 UTC 2010


On 08/18/2010 01:30 AM, Daniel B. Thurman wrote:
> 
> So how do I resolve this?
> 
> 
> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc:  denied  {
> name_bind } for  pid=23536 comm="spamassassin" src=32726
> scontext=system_u:system_r:spamc_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

It kind of depends in my view. Here the spamassassin client app tries to
bind a udp socket to port 32726.

Port udp:32726 is currently "unlabeled".

The question we have to ask first is: is this a random port that
spamassassin is binding udp sockets to? Or is it always the same port?

If it is a random port, then I think we probably need to give the
spamassassin client access to bind udp sockets to generic ports.

Looking in the policy source, I see similar allowed for spamassassin_t:

<snip>
> 	corenet_udp_bind_generic_node(spamassassin_t)
> 	corenet_udp_bind_generic_port(spamassassin_t)
> 	corenet_sendrecv_generic_server_packets(spamassassin_t)
> 	corenet_dontaudit_udp_bind_all_ports(spamassassin_t)

So you could implement an identical solution for spamc_t like so:

mkdir ~/myspamc; cd ~/myspamc;

echo "policy_module(myspamc, 1.0.0)" > myspamc.te;
echo "gen_require(\`" >> myspamc.te;
echo "type spamc_t;" >> myspamc.te;
echo "')" >> myspamc.te;
echo "corenet_udp_bind_generic_node(spamc_t)" >> myspamc.te;
echo "corenet_udp_bind_generic_port(spamc_t)" >> myspamc.te;
echo "corenet_sendrecv_generic_server_packets(spamc_t)" >> myspamc.te;
echo "corenet_dontaudit_udp_bind_all_ports(spamc_t)" >> myspamc.te;

make -f /usr/share/selinux/devel/Makefile myspamc.pp
sudo semodule -i myspamc.pp

This will allow spamc_t (/usr/bin/spamassassin) to bind udp sockets to
ports with the generic port_t type.

It will silently deny spamc_t trying to bind udp sockets to all other
port types.

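Added example, not part of the thread above: a small POSIX shell script that takes the AVC line quoted in the thread (re-typed here as a constructed sample), pulls out the source domain, target type, object class, permission and port, decides whether the denial is the "generic port_t" case the reply describes, and then writes the same myspamc.te module via a here-document instead of a chain of echo commands. The build-and-install step is the thread's own make/semodule pair, but here it only runs when MYSPAMC_INSTALL=1 is set and the policy devel Makefile exists, so the script can be run on a non-SELinux box just to inspect the generated module. Function names, the MYSPAMC_INSTALL variable and the "other" branch are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample, modelled on the AVC line quoted in the thread.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1282086325.907:81309): avc:  denied  { name_bind } for  pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'

# avc_field LINE KEY: value of the first KEY=value token on the line.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Type component (third field) of a context such as system_u:system_r:spamc_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

avc_source_type() { ctx_type "$(avc_field "$1" scontext)"; }
avc_target_type() { ctx_type "$(avc_field "$1" tcontext)"; }
avc_class()       { avc_field "$1" tclass; }
avc_port()        { avc_field "$1" src; }
# Permission inside the "{ ... }" braces, e.g. name_bind.
avc_perm()        { printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'; }

# The reply's fix only applies when a udp name_bind is denied against the
# generic port_t type ("unlabeled" port). A specific port type in tcontext
# means the port already carries a label and needs a different rule.
fix_for() {
    if [ "$(avc_class "$1")" = udp_socket ] &&
       [ "$(avc_perm "$1")" = name_bind ] &&
       [ "$(avc_target_type "$1")" = port_t ]; then
        echo generic_port_module
    else
        echo other
    fi
}

# gen_te MODULE DOMAIN: print a policy module granting DOMAIN the same
# generic-port udp bind rules the thread quotes for spamassassin_t.
gen_te() {
    cat <<EOF
policy_module($1, 1.0.0)

gen_require(\`
	type $2;
')

corenet_udp_bind_generic_node($2)
corenet_udp_bind_generic_port($2)
corenet_sendrecv_generic_server_packets($2)
corenet_dontaudit_udp_bind_all_ports($2)
EOF
}

# build_and_install DIR MODULE: the thread's make + semodule steps.
build_and_install() {
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp" ) &&
        sudo semodule -i "$1/$2.pp"
}

dom=$(avc_source_type "$SAMPLE_AVC")
port=$(avc_port "$SAMPLE_AVC")
if [ "$(fix_for "$SAMPLE_AVC")" = generic_port_module ]; then
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/myspamc.XXXXXX")
    gen_te myspamc "$dom" > "$workdir/myspamc.te"
    echo "wrote $workdir/myspamc.te granting $dom generic udp port binds (seen: udp/$port)"
    # Assumed opt-in switch: only build on a host with the policy devel Makefile.
    if [ "${MYSPAMC_INSTALL:-0}" = 1 ] && [ -f /usr/share/selinux/devel/Makefile ]; then
        build_and_install "$workdir" myspamc
    fi
else
    echo "target type $(avc_target_type "$SAMPLE_AVC") is not port_t; a generic-port module will not cover it"
fi
```

The generated .te is byte-for-byte what the echo chain in the reply produces, so the same make and semodule commands apply. If the port turned out to be fixed rather than random, the "other" branch is where a port-label change would go instead of widening the domain's access.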

