On Fri, Aug 14, 2020 at 9:40 AM <info(a)joomladev.eu> wrote:
On CentOS 8 I have some weird permission denying on samba:
------------------------------------------------------------------------------------
# audit(1597366122.204:23992513):
# scontext="system_u:system_r:smbd_t:s0" tcontext="system_u:object_r:hi_reserved_port_t:s0"
# class="udp_socket" perms="name_bind"
# comm="smbd" exe="" path=""
# message="type=AVC msg=audit(1597366122.204:23992513): avc: denied { name_bind } for pid=2210721 comm="smbd" src=1009 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1"
------------------------------------------------------------------------------------
Am I doing something wrong?
Hi Filip,
smbd is not allowed to bind to arbitrary udp ports, see:
# sesearch -A -s smbd_t -c udp_socket -p name_bind
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
So the question is: why does smbd want to bind to udp port 1009?
Thanks,
Filip Bartmann
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
--
Zdenek Pytela
Security controls team, sst_platform_security
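As an added example (not code from the thread, nor from the SELinux tooling), a small Python parser that reads an AVC record in the format quoted above, pulls out the source type, target type, object class and permissions, and checks the target type against the port types that sesearch lists for that class and permission. The two sample inputs are the messages from this thread, re-typed as constructed strings; the permissive=1 flag is surfaced because it means the access was logged but not blocked.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, reflowed onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(1597366122.204:23992513): avc:  denied  { name_bind } for  "
    'pid=2210721 comm="smbd" src=1009 scontext=system_u:system_r:smbd_t:s0 '
    "tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket permissive=1"
)
# Constructed sample input: the three sesearch rules from the reply, one per line.
SAMPLE_SESEARCH = """\
allow nsswitch_domain ephemeral_port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain port_t:udp_socket name_bind; [ nis_enabled ]:True
allow nsswitch_domain unreserved_port_t:udp_socket name_bind; [ nis_enabled ]:True
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+?);"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<state>True|False))?\s*$"
)

def seltype(context):
    """user:role:type:level -> type, the component allow rules are written against."""
    return context.split(":")[2]

def parse_avc(line):
    """Split one AVC record into result, permission set and key=value fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "fields": fields,
        "stype": seltype(fields["scontext"]),
        "ttype": seltype(fields["tcontext"]),
        "enforced": fields.get("permissive", "0") != "1",  # permissive=1: logged, not blocked
    }

def allowed_targets(sesearch_text, tclass, perm):
    """Target types that the sesearch listing allows `perm` on for `tclass`,
    ignoring conditional rules whose boolean is reported as False."""
    targets = set()
    for line in sesearch_text.splitlines():
        r = RULE_RE.match(line.strip())
        if not r or r.group("cls") != tclass or r.group("state") == "False":
            continue
        if perm in r.group("perms").strip("{} ").split():
            targets.add(r.group("tgt"))
    return targets

def check(avc, sesearch_text):
    """Per denied permission: is the AVC's target type among the allowed ones?
    A False entry is what a port relabel or a policy change would have to cover."""
    return {p: avc["ttype"] in allowed_targets(sesearch_text, avc["fields"]["tclass"], p)
            for p in avc["perms"]}
```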