<div dir="ltr">OK, I typed what you suggested and I got the proper answer.<br><br>Thanks, Miroslav!!<br><br>Arigato!<br><br>[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p name_bind -C<br>Found 12 semantic av rules:<br>DT allow httpd_script_type port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow httpd_script_type port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]<br>DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]<br>DT allow httpd_script_type ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow httpd_script_type ephemeral_port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow httpd_script_type unreserved_port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow httpd_script_type unreserved_port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]<br>DT allow nsswitch_domain ephemeral_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]<br>DT allow nsswitch_domain ephemeral_port_t : udp_socket name_bind ; [ nis_enabled ]<br>DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]<br>DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-03 16:32 GMT+09:00 Miroslav Grepl <span dir="ltr"><<a href="mailto:mgrepl@redhat.com" target="_blank">mgrepl@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 11/01/2014 03:57 AM, Shintaro
Fujiwara wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>On my fedora20 box, I tried to check the Bash Exploit as Dan
did on his latest blog post.<br>
<br>
</div>
What I got is,<br>
<br>
[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
name_bind -C | grep -v ^D<br>
Found 12 semantic av rules:<br>
<br>
</div>
Though 12 rules were caught by sesearch, none were displayed.<br>
</div>
</div>
</blockquote></span>
Yes, this is expected. It is allowed only by booleans.<span class=""><br>
<br>
$ sesearch -A -s httpd_sys_script_t -p name_bind -C<br>
</span><blockquote type="cite">
<div dir="ltr">
<div><br>
</div><div><div class="h5">
Next I typed,<br>
<br>
<br>
<div>
<div>
<div>[root@xxxx ~]# sesearch -A -s httpd_sys_script_t -p
name_connect -C | grep -v ^D<br>
Found 24 semantic av rules:<br>
allow nsswitch_domain dns_port_t : tcp_socket {
recv_msg send_msg name_connect } ; <br>
allow nsswitch_domain dnssec_port_t : tcp_socket
name_connect ; <br>
ET allow httpd_sys_script_t gds_db_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket {
recv_msg send_msg name_connect } ; [
httpd_can_network_connect_db ]<br>
ET allow nsswitch_domain ocsp_port_t : tcp_socket
name_connect ; [ kerberos_enabled ]<br>
ET allow httpd_sys_script_t postgresql_port_t : tcp_socket
{ recv_msg send_msg name_connect } ; [
httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t oracle_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow httpd_sys_script_t mssql_port_t : tcp_socket
name_connect ; [ httpd_can_network_connect_db ]<br>
ET allow nsswitch_domain kerberos_port_t : tcp_socket {
recv_msg send_msg name_connect } ; [ kerberos_enabled ]<br>
ET allow httpd_sys_script_t port_type : tcp_socket {
recv_msg send_msg name_connect } ; [ httpd_enable_cgi
httpd_can_network_connect && ]<br>
<br>
<div>This is ok.<br>
<br>
</div>
<div>What's wrong with name_bind thing?<br>
<br>
</div>
<div>I use <br>
setools-console
x86_64 3.3.7-41.fc20<br clear="all">
<br>
-- <br>
<div>
<div dir="ltr">
<div>A page for rooting heavy metal and hard rock in Japan<br>
</div>
<div><a href="http://heavymetalhardrock.no-ip.info/" target="_blank">http://heavymetalhardrock.no-ip.info/</a><br>
</div>
<div><br>
Free software to make the secure OS SELinux easier to use around the world<br>
<a href="http://sourceforge.net/projects/segatex/" target="_blank">http://sourceforge.net/projects/segatex/</a><br>
</div>
<div><br>
CMS (free software using PHP and PostgreSQL)<br>
</div>
<a href="http://sourceforge.net/projects/webon/" target="_blank">http://sourceforge.net/projects/webon/</a><br>
<a href="https://github.com/intrajp/irforum_jp" target="_blank">https://github.com/intrajp/irforum_jp</a><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div></div></div>
<br><span class="HOEnZb"><font color="#888888">
<fieldset></fieldset>
<br>
<pre>--
selinux mailing list
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</font></span></blockquote>
<br>
</div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>A page for rooting heavy metal and hard rock in Japan<br></div><div><a href="http://heavymetalhardrock.no-ip.info/" target="_blank">http://heavymetalhardrock.no-ip.info/</a><br></div><div><br>Free software to make the secure OS SELinux easier to use around the world<br><a href="http://sourceforge.net/projects/segatex/" target="_blank">http://sourceforge.net/projects/segatex/</a><br></div><div><br>CMS (free software using PHP and PostgreSQL)<br></div><a href="http://sourceforge.net/projects/webon/" target="_blank">http://sourceforge.net/projects/webon/</a><br><a href="https://github.com/intrajp/irforum_jp" target="_blank">https://github.com/intrajp/irforum_jp</a><br></div></div>
</div>
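The thread turns on how to read `sesearch -C` output: every conditional rule is prefixed with E (enabled) or D (disabled) plus T or F (the branch of the conditional it lives in), and the postfix expression in brackets names the booleans that decide it, so `grep -v ^D` hid all twelve name_bind rules simply because nis_enabled was off. The following Python is an added example written for this page, not code from the thread or from the setools project: it parses rule lines in the format shown above (a constructed sample built from the thread's own output), evaluates each postfix boolean expression against an assumed set of boolean values (chosen to reproduce the E/D markers the poster saw), reports which rules actually grant access, and flags any rule whose computed state disagrees with the marker sesearch printed, which is the check to run before trusting a hand-typed boolean table. The operator spellings accepted (`&&`, `||`, `^`, `==`, `!=`, `!`) are assumed to match the policy language.

```python
"""Interpret the E/D + T/F markers and postfix conditions of `sesearch -C`.

Added example for this page; not part of the mailing-list thread or of setools.
"""
import re
from dataclasses import dataclass

# Constructed sample: rule lines taken from the thread's sesearch output,
# with a header line added so the parser has to skip it.
SAMPLE_OUTPUT = """\
Found 7 semantic av rules:
DT allow httpd_script_type port_t : tcp_socket { name_bind name_connect } ; [ httpd_enable_cgi nis_enabled && ]
DT allow httpd_script_type port_t : udp_socket name_bind ; [ httpd_enable_cgi nis_enabled && ]
DT allow nsswitch_domain port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain port_t : udp_socket name_bind ; [ nis_enabled ]
allow nsswitch_domain dns_port_t : tcp_socket { recv_msg send_msg name_connect } ;
ET allow httpd_sys_script_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_can_network_connect_db ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]
"""

# Assumed boolean state (hypothetical), chosen so the computed E/D markers
# agree with the ones sesearch printed in the thread.
SAMPLE_BOOLS = {
    "httpd_enable_cgi": True,
    "nis_enabled": False,
    "httpd_can_network_connect_db": True,
    "httpd_can_network_connect": True,
}


@dataclass
class Rule:
    source: str
    target: str
    tclass: str
    perms: list
    cond: list          # postfix tokens; empty for an unconditional rule
    state: str = ""     # "E" or "D" as printed by sesearch, "" if unconditional
    branch: str = ""    # "T" or "F": which branch of the conditional holds the rule


# Optional "ET "/"DT " prefix, then the av rule, then an optional "[ ... ]" condition.
LINE_RE = re.compile(
    r"^(?:(?P<state>[ED])(?P<branch>[TF]) )?"
    r"allow (?P<src>\S+) (?P<tgt>\S+) : (?P<cls>\S+) "
    r"(?:\{ (?P<perms>[^}]*?) \}|(?P<perm>\S+)) ;"
    r"(?: \[ (?P<cond>.*?) \])?\s*$"
)

# Binary operators of the conditional language, assumed spellings.
OPS = {
    "&&": lambda a, b: a and b,
    "||": lambda a, b: a or b,
    "^": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_rules(text):
    """Turn sesearch -C output into Rule objects, skipping non-rule lines."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        perms = m["perms"].split() if m["perms"] else [m["perm"]]
        cond = m["cond"].split() if m["cond"] else []
        rules.append(Rule(m["src"], m["tgt"], m["cls"], perms, cond,
                          m["state"] or "", m["branch"] or ""))
    return rules


def eval_postfix(tokens, bools):
    """Evaluate a postfix boolean expression such as ['a', 'b', '&&'] with a stack."""
    stack = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in OPS:
            b, a = stack.pop(), stack.pop()
            stack.append(OPS[tok](a, b))
        else:
            stack.append(bool(bools[tok]))  # KeyError for an unknown boolean name
    if len(stack) != 1:
        raise ValueError(f"malformed expression: {tokens}")
    return stack[0]


def is_enabled(rule, bools):
    """A rule grants access when its branch matches the condition's value."""
    if not rule.cond:
        return True
    return eval_postfix(rule.cond, bools) == (rule.branch == "T")


def enabled_rules(text, bools):
    """Rules that currently grant access: what `grep -v ^D` is meant to keep."""
    return [r for r in parse_rules(text) if is_enabled(r, bools)]


def enabled_with_perm(text, bools, perm):
    """Enabled rules granting one permission, e.g. name_bind."""
    return [r for r in enabled_rules(text, bools) if perm in r.perms]


def marker_mismatches(text, bools):
    """Conditional rules whose computed state disagrees with the printed E/D marker."""
    return [r for r in parse_rules(text)
            if r.state and (r.state == "E") != is_enabled(r, bools)]


if __name__ == "__main__":
    for r in enabled_rules(SAMPLE_OUTPUT, SAMPLE_BOOLS):
        print("enabled:", r.source, r.target, r.tclass, r.perms)
    print("name_bind rules enabled:", len(enabled_with_perm(SAMPLE_OUTPUT, SAMPLE_BOOLS, "name_bind")))
    print("marker mismatches:", len(marker_mismatches(SAMPLE_OUTPUT, SAMPLE_BOOLS)))
```

With the assumed booleans, no name_bind rule is enabled and every computed state agrees with sesearch's marker. Flipping `nis_enabled` to True in the dictionary enables all four name_bind rules and, because the markers in the sample still say D, `marker_mismatches` reports those same four rules; that is the signal that the boolean table no longer describes the system the output came from.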