List of avc for fedora 16

Dominick Grift dominick.grift at gmail.com
Sat Sep 24 09:45:55 UTC 2011


On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> I checked bugzilla but did not see anything about this list of avc
> alerts for fedora 16. Should they be reported or is something
> misconfigured?
> 
> 

setsebool -P allow_ypbind on

should fix it. If it does, then this should not be reported.

There is a way to check whether a specified AVC denial can be allowed,
for example your first avc denial:

> #============= accountsd_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy

# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind

Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]

This tells me that this access can be allowed by toggling the
allow_ypbind boolean to enabled. The DT tells me that this boolean is
currently disabled.

> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> 
> allow accountsd_t var_yp_t:dir search;
> 
> #============= automount_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow automount_t var_yp_t:file read;
> 
> #============= policykit_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow policykit_t kprop_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow policykit_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> 
> allow policykit_t var_yp_t:dir search;
> 
> #============= sshd_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow sshd_t ftp_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow sshd_t spamd_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow sshd_t var_yp_t:dir search;
> 
> #============= system_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> #!!!! This avc is allowed in the current policy
> 
> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
> 
> #============= xdm_dbusd_t ==============
> #!!!! This avc is allowed in the current policy
> 
> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> #!!!! This avc is allowed in the current policy
> 
> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

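The check Dominick describes above (run sesearch for the denied access, read the two-letter prefix on any conditional rule, and flip the boolean if that is what blocks it) can be scripted. The following is an added example written for this page, not code from the thread or from setools. It parses the setools 3 `sesearch -SCT` output format exactly as quoted above (E/D = boolean currently enabled/disabled, T/F = rule in the true/false branch); the sample text is constructed, the second rule and its boolean `example_bool` are hypothetical, and the `check_avc` wrapper is a made-up helper that runs the real query on a live box.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the conditional-rule flags
# that setools 3 `sesearch -SCT` prints, and turn them into the setsebool
# command that would make the rule active.
#
# Constructed sample output, shaped like the sesearch output in the thread.
# The first rule is the one quoted in the reply; the second line and its
# boolean name `example_bool` are hypothetical, added to show the
# "already enabled" case.
SAMPLE_SESEARCH_OUTPUT='Found 2 semantic av rules:
   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
   ET allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ example_bool ]'

# Read sesearch output on stdin and print one line per rule:
#   "<boolean> <enabled|disabled> <true|false>"  for conditional rules
#   "unconditional"                               for plain allow rules
# setools 3 prefixes conditional rules with two letters: E/D says whether
# the boolean is currently Enabled/Disabled, T/F says whether the rule
# sits in the True or False branch of the conditional.
conditional_booleans() {
    awk '
        $1 ~ /^[ED][TF]$/ && $2 == "allow" {
            state  = (substr($1, 1, 1) == "E") ? "enabled" : "disabled"
            branch = (substr($1, 2, 1) == "T") ? "true" : "false"
            # the boolean name is the bracketed token at the end of the line
            if (match($0, /\[ *[A-Za-z0-9_]+ *\]/)) {
                name = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/ /, "", name)
                print name, state, branch
            }
        }
        $1 == "allow" { print "unconditional" }
    '
}

# Turn each "<boolean> <state> <branch>" line into advice. A rule only takes
# effect when the boolean value matches its branch, so:
#   disabled + true branch  -> enabling the boolean activates the rule
#   enabled  + false branch -> disabling the boolean activates the rule
#   any other combination   -> the rule is already active
advise() {
    while read -r name state branch; do
        case "$name:$state:$branch" in
            unconditional::)      echo "allowed unconditionally" ;;
            *:disabled:true)      echo "setsebool -P $name on" ;;
            *:enabled:false)      echo "setsebool -P $name off" ;;
            *:enabled:true|*:disabled:false)
                                  echo "$name already permits this access" ;;
            *)                    echo "unrecognised line: $name $state $branch" ;;
        esac
    done
}

# Hypothetical wrapper: run the real query for one audit2allow line, e.g.
#   check_avc accountsd_t hi_reserved_port_t tcp_socket name_bind
# (sesearch -SCT is the setools 3 invocation used in the thread.)
check_avc() {
    sesearch -SCT --allow -s "$1" -t "$2" -c "$3" -p "$4" \
        | conditional_booleans | advise
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SESEARCH_OUTPUT" | conditional_booleans | advise
```

Two caveats before acting on the advice line. First, the parser only understands the setools 3 layout quoted in the thread; later setools releases print conditional rules in a different form, so `conditional_booleans` has to be adapted before `check_avc` is useful there. Second, the sesearch line above shows that `allow_ypbind` grants `name_bind` on `rpc_port_type` to the whole `nsswitch_domain` attribute, not just to `accountsd_t`, so it is worth enabling only on a machine that actually uses NIS; on any other box the denials are the policy doing its job.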