On 09/25/2011 10:38 PM, David Highley wrote:
"Dominick Grift wrote:"
On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
On 09/25/2011 10:10 AM, Dominick Grift wrote:
On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
"Dominick Grift wrote:"
On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> I checked bugzilla but did not see anything about this list of avc alerts for fedora 16. Should they be reported or is something misconfigured?

setsebool -P allow_ypbind on
Submitted bug report 741141 on selinux bool getting turned off.
The bool gets turned off in the reboot process.
That's strange, is systemd turning it back off?
It solves almost all the avc issues but a few remained which were solved with this policy file:

module mysystemd 1.0;

require {
	type systemd_logind_t;
	type var_yp_t;
	type node_t;
	type hi_reserved_port_t;
	class udp_socket { name_bind bind create setopt node_bind };
	class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };
This is likely a bug. Could you file a bugzilla for the above?
Yes, please, open a new bug. Thank you.
Submitted bug report 741143 for the above avc issue.
proposed fix:
diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te index e50a989..d5e32c2 100644 --- policy/modules/system/systemd.te +++ policy/modules/system/systemd.te @@ -130,6 +130,10 @@ ') =20 optional_policy(` + nis_use_ypbind(systemd_logind_t) +') + +optional_policy(` # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file xserver_search_xdm_tmp_dirs(systemd_logind_t) ')
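Review bot: worth confirming that nis_use_ypbind() is the right interface for this hunk rather than auth_use_nsswitch(systemd_logind_t), which the reply at the top of the thread suggests. The accesses in the posted mysystemd module (var_yp_t file read/open, self udp_socket bind/create/setopt, node_bind, hi_reserved_port_t name_bind) are the generic NSS-over-NIS pattern, and the sesearch output earlier in the thread shows exactly those rules granted to nsswitch_domain under the allow_ypbind boolean. If nis_use_ypbind() is itself conditional on allow_ypbind, this hunk only helps while that boolean is on, and the thread reports the boolean being reset at boot (bug 741141), so the fix should be verified with the boolean off as well as on before closing the logind denials.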
Regards, Miroslav
We also need to do a systemctl restart autofs.service after boot up. We use NIS and auto mounted home directories.
should fix it. If it does, then this should not be reported.
There is a way to check whether a specified AVC denial can be allowed, for example your first avc denial:
> #============= accountsd_t ==============
> #!!!! This avc is allowed in the current policy
> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy

# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]

This tells me that this access can be allowed by toggling the allow_ypbind boolean to enabled. The DT tells me that this boolean is currently disabled.

> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> allow accountsd_t var_yp_t:dir search;
>
> #============= automount_t ==============
> #!!!! This avc is allowed in the current policy
> allow automount_t var_yp_t:file read;
>
> #============= policykit_t ==============
> #!!!! This avc is allowed in the current policy
> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow policykit_t kprop_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow policykit_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> allow policykit_t var_yp_t:dir search;
>
> #============= sshd_t ==============
> #!!!! This avc is allowed in the current policy
> allow sshd_t ftp_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow sshd_t spamd_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow sshd_t var_yp_t:dir search;
>
> #============= system_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
>
> #============= xdm_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
We should use auth_use_nsswitch(systemd_logind_t) I think.
Are you setting the allow_ypbind boolean permanently?
setsebool -P allow_ypbind 1
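The check described in the thread (take each rule that audit2allow marks "#!!!! This avc is allowed in the current policy", ask sesearch which conditional rule grants it, read the two-letter prefix to see whether the gating boolean is on, and only then decide whether a persistent setsebool -P is the fix) scripted as an added example. This is not code from the thread, from setools, or from the Fedora policy. The sample audit2allow and sesearch text is constructed from what the thread quotes, the script does not run sesearch itself, and the prefix reading (first letter E/D: the rule is currently in effect or not; second letter T/F: the rule sits in the true or false branch of the conditional) is an assumption about setools 3 output, which is why an enabled false-branch rule is also reported as "boolean off".

```python
"""Triage audit2allow rules against sesearch output (added example, not code from
the thread or from setools).  Assumption: setools 3 prefixes conditional rules
with E/D (rule in effect or not) followed by T/F (true/false branch)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a fragment of the audit2allow output quoted in the thread.
SAMPLE_AUDIT2ALLOW = """\
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;

#============= systemd_logind_t ==============
allow systemd_logind_t self:udp_socket { bind create setopt };
"""

# Constructed sample: the sesearch line from the thread, plus an unconditional
# rule and a false-branch rule so the other prefix cases are exercised.
SAMPLE_SESEARCH = """\
Found 3 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
   allow sshd_t ssh_port_t : tcp_socket name_bind ;
EF allow nsswitch_domain var_yp_t : dir search ; [ allow_ypbind ]
"""

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+?):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")
SESEARCH_RE = re.compile(
    r"^(?:([ED])([TF]))?\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;"
    r"(?:\s*\[\s*(.*?)\s*\])?\s*$")


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    tclass: str
    perms: frozenset
    already_allowed: bool = False   # preceded by audit2allow's "#!!!!" marker


@dataclass(frozen=True)
class Match:
    source: str
    target: str
    tclass: str
    perms: frozenset
    enabled: bool                   # E/D: is the rule in effect right now?
    branch: Optional[str]           # T/F branch of the conditional, None if unconditional
    condition: Optional[str]        # boolean expression from [ ... ], None if unconditional


def _perms(text: str) -> frozenset:
    return frozenset(text.strip("{} ").split())


def parse_audit2allow(text: str) -> List[Rule]:
    """Collect allow rules, remembering which ones audit2allow flagged as already allowed."""
    rules, flagged = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!"):
            flagged = True
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m[1], m[2], m[3], _perms(m[4]), flagged))
        flagged = False             # the marker only applies to the rule right after it
    return rules


def sesearch_commands(rule: Rule) -> List[str]:
    """One query per permission, in the form used in the thread (not executed here)."""
    return ["sesearch -SCT --allow -s %s -t %s -c %s -p %s"
            % (rule.source, rule.target, rule.tclass, p) for p in sorted(rule.perms)]


def parse_sesearch(text: str) -> List[Match]:
    matches = []
    for line in text.splitlines():
        m = SESEARCH_RE.match(line)
        if not m:
            continue                # "Found N semantic av rules:" and similar chatter
        matches.append(Match(m[3], m[4], m[5], _perms(m[6]),
                             enabled=(m[1] != "D"), branch=m[2], condition=m[7]))
    return matches


def boolean_state(match: Match) -> Optional[Tuple[str, bool]]:
    """(boolean, currently_on) for a rule gated by one boolean, else None.
    DT (disabled, true branch) and EF (enabled, false branch) both mean "off"."""
    if match.condition is None:
        return None
    names = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", match.condition)
    if len(names) != 1:
        return None                 # compound expression: not decidable from one line
    on = match.enabled if match.branch == "T" else not match.enabled
    return names[0], on


def remediation(matches: List[Match]) -> List[str]:
    """Persistent setsebool lines for booleans that are off but would grant the access."""
    cmds: List[str] = []
    for m in matches:
        st = boolean_state(m)
        if st and not st[1] and "setsebool -P %s on" % st[0] not in cmds:
            cmds.append("setsebool -P %s on" % st[0])
    return cmds


if __name__ == "__main__":
    for r in parse_audit2allow(SAMPLE_AUDIT2ALLOW):
        print("\n".join(sesearch_commands(r)) if r.already_allowed else "not in policy: %s" % (r,))
    print(remediation(parse_sesearch(SAMPLE_SESEARCH)))
```

Rules that audit2allow does not flag (the systemd_logind_t udp_socket rule in the sample) get no sesearch query, because no existing rule grants them and a boolean cannot help; those are the ones the thread ends up filing as a policy bug. The remediation list is deliberately the persistent form, since the thread's problem was a boolean that did not survive a reboot.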