On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
I checked bugzilla but did not see anything about this list of AVC alerts for Fedora 16. Should they be reported, or is something misconfigured?
setsebool -P allow_ypbind on
should fix it. If it does, then this should not be reported.
There is a way to check whether a specified AVC denial can be allowed, for example, your first AVC denial:
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;

# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]

This tells me that this access can be allowed by toggling the allow_ypbind boolean to enabled. The DT tells me that this boolean is currently disabled.

#!!!! This avc is allowed in the current policy
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;

#============= automount_t ==============
#!!!! This avc is allowed in the current policy
allow automount_t var_yp_t:file read;

#============= policykit_t ==============
#!!!! This avc is allowed in the current policy
allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kerberos_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kprop_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow policykit_t var_yp_t:dir search;

#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t ftp_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:udp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t spamd_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t var_yp_t:dir search;

#============= system_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t rndc_port_t:tcp_socket name_bind;

#============= xdm_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
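To apply the sesearch check described in this message to a whole audit2allow listing, here is a small Python helper (an added example, not code from the thread or from setools) that parses each audit2allow rule, builds the sesearch command line quoted above, and reads the D/E state flag and the boolean list out of the setools-3 style output shown here. It assumes that output format (newer setools versions print conditional rules differently); the function names and the embedded sample are my own, the sample being the first denial and the sesearch answer quoted above.

```python
import re

# An audit2allow rule with one permission, e.g. "allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;"
RULE_RE = re.compile(r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\S+)\s*;")
# A conditional rule as the sesearch quoted in the message prints it, e.g.
#   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
# The first letter is the rule's current state: E enabled, D disabled.
COND_RE = re.compile(r"^([ED])[TF]\s+allow\b.*;\s*\[\s*(.+?)\s*\]\s*$")

def parse_rule(line):
    """Split an audit2allow rule into (source, target, class, permission); None for other lines."""
    m = RULE_RE.match(line.strip())
    return m.groups() if m else None

def sesearch_argv(rule):
    """The sesearch invocation from the message, as an argv list for one parsed rule."""
    src, tgt, cls, perm = rule
    return ["sesearch", "-SCT", "--allow", "-s", src, "-t", tgt, "-c", cls, "-p", perm]

def parse_sesearch(output):
    """List (enabled, boolean_names) for each allow rule sesearch printed;
    an unconditional rule has no [ ... ] suffix and is always enabled."""
    found = []
    for line in output.splitlines():
        line = line.strip()
        m = COND_RE.match(line)
        if m:
            found.append((m.group(1) == "E", re.findall(r"[A-Za-z_]\w*", m.group(2))))
        elif line.startswith("allow "):
            found.append((True, []))
    return found

def booleans_to_enable(sesearch_output):
    """setsebool commands that would activate a matching rule, or [] when the access
    is already allowed or no rule exists at all (a candidate for a bug report)."""
    cmds = []
    for enabled, names in parse_sesearch(sesearch_output):
        if enabled:
            return []  # an active rule already grants the access
        # Lists every boolean in the expression; a negated (!) boolean would need
        # turning off instead, which this helper does not attempt.
        cmds += ["setsebool -P %s on" % n for n in names if "setsebool -P %s on" % n not in cmds]
    return cmds

# Constructed sample: the first denial from the message and the sesearch output quoted for it.
SAMPLE_RULE = "allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;"
SAMPLE_SESEARCH = """Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""
```

On a live Fedora 16 box, run `sesearch_argv(parse_rule(line))` through `subprocess.run` for each `allow` line of the audit2allow output and feed its stdout to `booleans_to_enable`; an empty result for a rule that sesearch found nothing for is the case worth filing in bugzilla.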
selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux