List of avc for fedora 16
Dominick Grift
dominick.grift at gmail.com
Sat Sep 24 09:45:55 UTC 2011
On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> I checked bugzilla but did not see anything about this list of avc
> alerts for fedora 16. Should they be reported or is something
> misconfigured?
>
>
setsebool -P allow_ypbind on
should fix it. If it does, then this should not be reported.
There is a way to check whether a specified AVC denial can be allowed,
for example your first avc denial:
> #============= accountsd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
This tells me that this access can be allowed by toggling the
allow_ypbind boolean to enabled. The DT tells me that this boolean is
currently disabled.
> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow accountsd_t var_yp_t:dir search;
>
> #============= automount_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow automount_t var_yp_t:file read;
>
> #============= policykit_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t kprop_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow policykit_t var_yp_t:dir search;
>
> #============= sshd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t ftp_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t spamd_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow sshd_t var_yp_t:dir search;
>
> #============= system_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
>
> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
>
> #============= xdm_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
>
> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
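Added example (not part of the original post and not code from any SELinux tool): a Python helper that builds the sesearch query used above from an audit2allow rule and reads the conditional output to say which boolean change, if any, activates the rule. The function names are hypothetical, and the reading of the two-letter prefix is an assumption consistent with the post's explanation of DT.

```python
import re

# audit2allow-style rule with a single permission, as quoted in the post
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\w+);$")
# sesearch -C line: optional two-letter state, the rule, optional "[ condition ]"
LINE_RE = re.compile(r"^(?:([ED])([TF])\s+)?(allow\s.+?;)\s*(?:\[\s*(.+?)\s*\])?$")

# sesearch output copied from the post
POST_OUTPUT = """Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""


def sesearch_args(rule):
    """Build the sesearch command line from the post for one allow rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a single-permission allow rule: {rule!r}")
    src, tgt, cls, perm = m.groups()
    return ["sesearch", "-SCT", "--allow", "-s", src, "-t", tgt, "-c", cls, "-p", perm]


def advise(output):
    """Return (rule, action) pairs for every rule line in sesearch -C output."""
    advice = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Found 1 semantic av rules:"
        state, branch, rule, cond = m.groups()
        # Assumption: first letter = rule currently Enabled/Disabled,
        # second letter = True/False branch of the conditional.
        if cond is None or state == "E":
            advice.append((rule, "already allowed"))
        elif state and re.fullmatch(r"\w+", cond):
            value = "on" if branch == "T" else "off"
            advice.append((rule, f"setsebool -P {cond} {value}"))
        else:
            advice.append((rule, f"review condition manually: {cond}"))
    return advice


if __name__ == "__main__":
    rule = "allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;"
    print(" ".join(sesearch_args(rule)))
    for matched, action in advise(POST_OUTPUT):
        print(f"{action}    # {matched}")
```

The matched rule is written against the nsswitch_domain attribute, so toggling allow_ypbind changes access for every domain carrying that attribute, not only accountsd_t.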