F12/3: SELinux is preventing /usr/bin/perl from binding to port XXXXX
Dominick Grift
domg472 at gmail.com
Wed Aug 18 08:43:52 UTC 2010
On 08/18/2010 01:30 AM, Daniel B. Thurman wrote:
>
> So how do I resolve this?
>
>
> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied {
> name_bind } for pid=23536 comm="spamassassin" src=32726
> scontext=system_u:system_r:spamc_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
It kind of depends in my view. Here the spamassassin client app tries to
bind a udp socket to port 32726.
Port udp:32726 is currently "unlabeled".
The question we have to ask first is: is this a random port that
spamassassin is binding udp sockets to? Or is it always the same port?
If it is a random port, then I think we probably need to give the
spamassassin client access to bind udp sockets to generic ports.
Looking in the policy source, I see something similar allowed for spamassassin_t:
<snip>
> corenet_udp_bind_generic_node(spamassassin_t)
> corenet_udp_bind_generic_port(spamassassin_t)
> corenet_sendrecv_generic_server_packets(spamassassin_t)
> corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
So you could implement an identical solution for spamc_t like so:
mkdir ~/myspamc; cd ~/myspamc;
echo "policy_module(myspamc, 1.0.0)" > myspamc.te;
echo "gen_require(\`" >> myspamc.te;
echo "type spamc_t;" >> myspamc.te;
echo "')" >> myspamc.te;
echo "corenet_udp_bind_generic_node(spamc_t)" >> myspamc.te;
echo "corenet_udp_bind_generic_port(spamc_t)" >> myspamc.te;
echo "corenet_sendrecv_generic_server_packets(spamc_t)" >> myspamc.te;
echo "corenet_dontaudit_udp_bind_all_ports(spamc_t)" >> myspamc.te;
make -f /usr/share/selinux/devel/Makefile myspamc.pp
sudo semodule -i myspamc.pp
This will allow spamc_t (/usr/bin/spamassassin) to bind udp sockets to
ports with the generic port_t type.
It will silently deny spamc_t trying to bind udp sockets to all other
port types.
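
An added example, not part of the original message: a Python script that answers the "random port or always the same port?" question by grouping name_bind denials from audit log lines by source type, target type and socket class. The function names are hypothetical; the first sample line is the denial quoted in this thread and the rest are constructed.

```python
import re
from collections import defaultdict

# AVC records list permissions inside "{ ... }" followed by key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def summarize_name_bind(lines):
    """Map (source type, target type, class) to the sorted ports seen in name_bind denials."""
    ports = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if not avc or "name_bind" not in avc["perms"] or "src" not in avc:
            continue  # skip non-AVC lines and other permissions (e.g. name_connect)
        stype = avc["scontext"].split(":")[2]  # user:role:type:level
        ttype = avc["tcontext"].split(":")[2]
        ports[(stype, ttype, avc["tclass"])].add(int(avc["src"]))
    return {key: sorted(seen) for key, seen in ports.items()}

def classify(port_list):
    """'fixed' if every denial hit the same port, otherwise 'varying'."""
    return "fixed" if len(port_list) == 1 else "varying"

# Line 1 is the denial quoted in this thread; lines 2-4 are constructed sample data.
SAMPLE = [
    'node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied { name_bind } for pid=23536 comm="spamassassin" src=32726 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1282086925.114:81355): avc: denied { name_bind } for pid=23611 comm="spamassassin" src=41873 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1282087525.302:81402): avc: denied { name_bind } for pid=23688 comm="spamassassin" src=50112 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket',
    'type=AVC msg=audit(1282087530.010:81403): avc: denied { name_connect } for pid=23688 comm="spamassassin" dest=2703 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    for (stype, ttype, tclass), plist in summarize_name_bind(SAMPLE).items():
        print(f"{stype} -> {ttype} ({tclass}): {classify(plist)} ports {plist}")
```

A "varying" result for spamc_t against port_t is the case the generic-port module above addresses; a "fixed" result means the same port is requested every time.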