-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ali Nebi wrote:
Hi,
i want to ask about some audit messages realted with amavisd.
I get this kind of messages:
Oct 16 16:35:21 hermod kernel: audit(1192545321.959:4): avc: denied
{ name_bind } for pid=15305 comm="amavisd" src=3551
scontext=system_u:system_r:amavis_t:s0 tcontext=system
_u:object_r:apcupsd_port_t:s0 tclass=udp_socket
Oct 17 06:41:11 hermod kernel: audit(1192596071.584:5): avc: denied
{ name_bind } for pid=1135 comm="amavisd" src=5353
scontext=system_u:system_r:amavis_t:s0 tcontext=system_
u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 17 14:45:13 hermod kernel: audit(1192625113.850:6): avc: denied
{ name_bind } for pid=8183 comm="amavisd" src=7004
scontext=system_u:system_r:amavis_t:s0 tcontext=system_
u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 22:33:30 hermod kernel: audit(1192653210.933:7): avc: denied
{ name_bind } for pid=20082 comm="amavisd" src=7004
scontext=system_u:system_r:amavis_t:s0 tcontext=system
_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 23:00:40 hermod kernel: audit(1192654840.481:8): avc: denied
{ name_bind } for pid=21759 comm="amavisd" src=7007
scontext=system_u:system_r:amavis_t:s0 tcontext=system
_u:object_r:afs_bos_port_t:s0 tclass=udp_socket
Oct 18 08:59:38 hermod kernel: audit(1192690778.529:9): avc: denied
{ name_bind } for pid=25286 comm="amavisd" src=5353
scontext=system_u:system_r:amavis_t:s0 tcontext=system
_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 18 09:32:09 hermod kernel: audit(1192692729.031:10): avc: denied
{ name_bind } for pid=28781 comm="amavisd" src=1194
scontext=system_u:system_r:amavis_t:s0 tcontext=syste
m_u:object_r:openvpn_port_t:s0 tclass=udp_socket
These are a part of them, i allowed some of these, but there are many of
these with different udp ports. What can i do to solve this problem,
because amavisd try every time with a different port and i can't allow
all of them?
Thank in advanced!
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list amavis_t is binding to
random ports > 1024 occasionaly it is hitting a
named port and getting a denial. At that point it goes off and gets
another port. When it gets a port that is not defined, it succeeds.
The policy needs a dontaudit rule to remove these avcs.
So the combination in policy is necessary.
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
This basically says amavis_t can bind to any udp port labeled port_t and
it it attempts to bind to a port that is labeled anything other then
port_t, dontaudit. This is will be fixed in selinux-policy-3.0.8.28
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iD8DBQFHGPnOrlYvE4MpobMRAvPyAJ0fs1IU8A5199OIb+jdCMDwC2gK8QCg0+WH
41MApzTqBRFXg+gc2xQuuRU=
=M/Wj
-----END PGP SIGNATURE-----