List of avc for fedora 16

David Highley dhighley at highley-recommended.com
Mon Sep 26 02:38:37 UTC 2011


"Dominick Grift wrote:"
> 
> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> > On 09/25/2011 10:10 AM, Dominick Grift wrote:
> > > On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> > >> "Dominick Grift wrote:"
> > >>>
> > >>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> > >>>> I checked bugzilla but did not see anything about this list of avc
> > >>>> alerts for fedora 16. Should they be reported or is something
> > >>>> misconfigured?
> > >>>>
> > >>> setsebool -P allow_ypbind on

Submitted bug report 741141 on selinux bool getting turned off.

> > >> The bool gets turned off in the reboot process.
> > > That's strange, is systemd turning it back off?
> > >
> > >> It solves almost all the
> > >> avc issues but a few remained which were solved with this policy file:
> > >> module mysystemd 1.0;
> > >>
> > >> require {
> > >>          type systemd_logind_t;
> > >>          type var_yp_t;
> > >>          type node_t;
> > >>          type hi_reserved_port_t;
> > >>          class udp_socket { name_bind bind create setopt node_bind };
> > >>          class file { read open };
> > >> }
> > >>
> > >> #============= systemd_logind_t ==============
> > >> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> > >> allow systemd_logind_t node_t:udp_socket node_bind;
> > >> allow systemd_logind_t self:udp_socket { bind create setopt };
> > >> allow systemd_logind_t var_yp_t:file { read open };
> > > This is likely a bug. Could you file a bugzilla for the above?
> > Yes, please, open a new bug. Thank you.

Submitted bug report 741143 for the above avc issue.

> 
> proposed fix:
> 
> diff --git policy/modules/system/systemd.te
> policy/modules/system/systemd.te
> index e50a989..d5e32c2 100644
> --- policy/modules/system/systemd.te
> +++ policy/modules/system/systemd.te
> @@ -130,6 +130,10 @@
>  ')
> =20
>  optional_policy(`
> +	nis_use_ypbind(systemd_logind_t)
> +')
> +
> +optional_policy(`
>  	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
>  	xserver_search_xdm_tmp_dirs(systemd_logind_t)
>  ')
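Review bot: the hunk's nis_use_ypbind(systemd_logind_t) only helps while the allow_ypbind boolean is on; the sesearch output quoted later in this thread shows the nsswitch_domain rules as "DT ... [ allow_ypbind ]", i.e. conditional on that boolean, and the reporter says the boolean is being turned off across reboots (bug 741141), so the logind denials will come back on his box unless that is fixed too. After applying, verify with `sesearch -SCT --allow -s systemd_logind_t -t var_yp_t -c file -p read` (and the same for `-t hi_reserved_port_t -c udp_socket -p name_bind` and `-t node_t -c udp_socket -p node_bind`) that every permission from the posted mysystemd module is now covered; anything not granted by the interface needs an explicit rule. Also, the neighbouring optional_policy block carries a comment explaining why logind needs the access (`# It links /run/user/$USER/X11/display ...`); add a one-line comment on the new block saying logind resolves users via NIS/ypbind, so the dependency stays traceable.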
> 
> >
> > Regards,
> > Miroslav
> > >
> > >> We also need to do a systemctl restart autofs.service after boot up. We
> > >> use NIS and auto mounted home directories.
> > >>
> > >>> should fix it. If it does, then this should not be reported.
> > >>>
> > >>> There is a way to check whether a specified AVC denial can be allowed,
> > >>> for example your first avc denial:
> > >>>
> > >>>> #============= accountsd_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> > >>>
> > >>> Found 1 semantic av rules:
> > >>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ;
> > >>> [ allow_ypbind ]
> > >>>
> > >>> This tells me that this access can be allowed by toggling the
> > >>> allow_ypbind boolean to enabled. The DT tells me that this boolean is
> > >>> currently disabled.
> > >>>
> > >>>> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow accountsd_t var_yp_t:dir search;
> > >>>>
> > >>>> #============= automount_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow automount_t var_yp_t:file read;
> > >>>>
> > >>>> #============= policykit_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow policykit_t kprop_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow policykit_t portmap_port_t:tcp_socket name_connect;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow policykit_t var_yp_t:dir search;
> > >>>>
> > >>>> #============= sshd_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow sshd_t ftp_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow sshd_t spamd_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow sshd_t var_yp_t:dir search;
> > >>>>
> > >>>> #============= system_dbusd_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
> > >>>>
> > >>>> #============= xdm_dbusd_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>>
> > >>>> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> > >>>> --
> > >>>> selinux mailing list
> > >>>> selinux at lists.fedoraproject.org
> > >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux


-- 

Regards,

David Highley
Highley Recommended, Inc.       Phone: (206) 669-0081
2927 SW 339th Street            WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
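Dominick's sesearch check above, turned into a script. This is an added example, not code from the thread, from Fedora's policy or from setools: it parses audit AVC lines, builds the same `sesearch -SCT --allow -s ... -t ... -c ... -p ...` query per denial, and reads setools 3 rule lines of the form `DT allow src tgt : class perm ; [ boolean ]` to say whether the denial is already allowed, gated by a boolean that only needs `setsebool -P`, or a real policy gap worth a bug. The thread only shows the `DT` prefix; reading the first letter as "expression currently enabled/disabled" and the second as "rule in the true/false branch" is an assumption about the setools 3 format, and the sample AVC lines, the port number and the canned sesearch replies are constructed for the example.

```python
"""Triage SELinux AVC denials with sesearch, as the thread does by hand.
Added example: parses audit AVC lines, runs the thread's `sesearch -SCT --allow`
query per denial, and reads setools 3 lines such as
"DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]"."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+):.*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)")
# Assumed setools 3 prefix: E/D = conditional expression currently true/false,
# T/F = rule sits in the true/false branch. The thread only shows "DT".
RULE_RE = re.compile(
    r"^\s*(?P<flags>[ED][TF])?\s*allow\s+\S+\s+\S+\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]+?)\s*\}|(?P<one>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\])?")

@dataclass(frozen=True)
class Denial:
    stype: str
    ttype: str
    tclass: str
    perm: str

    def sesearch_cmd(self) -> List[str]:
        return ["sesearch", "-SCT", "--allow", "-s", self.stype, "-t", self.ttype,
                "-c", self.tclass, "-p", self.perm]

@dataclass
class Verdict:
    denial: Denial
    status: str                     # allowed | boolean | conditional | missing
    cond: Optional[str] = None      # boolean name or the whole conditional expression
    want_on: Optional[bool] = None  # for "boolean": value that activates the rule

    def remedy(self) -> str:
        return {"boolean": f"setsebool -P {self.cond} {'on' if self.want_on else 'off'}",
                "conditional": f"satisfy conditional expression: {self.cond}",
                "missing": "no rule grants this: file a policy bug or build a local module",
                }.get(self.status, "already allowed: check labels or reload the policy")

def parse_avcs(text: str) -> List[Denial]:
    """One Denial per (source, target, class, permission) found in the audit text."""
    found: List[Denial] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found += [Denial(m["stype"], m["ttype"], m["tclass"], p) for p in m["perms"].split()]
    return found

def judge(denial: Denial, sesearch_output: str) -> Verdict:
    """Interpret sesearch output for one denial (sesearch -S already resolved
    attributes such as nsswitch_domain for the queried types, so they are trusted)."""
    fallback: Optional[Verdict] = None
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line)
        if not m or m["cls"] != denial.tclass:
            continue
        if denial.perm not in (m["many"].split() if m["many"] else [m["one"]]):
            continue
        if not m["flags"] or not m["cond"]:
            return Verdict(denial, "allowed")           # unconditional rule
        expr_true, in_true_branch = m["flags"][0] == "E", m["flags"][1] == "T"
        if expr_true == in_true_branch:
            return Verdict(denial, "allowed")           # conditional rule is live now
        if re.fullmatch(r"\w+", m["cond"]):             # a lone boolean: flip it
            fallback = Verdict(denial, "boolean", m["cond"], want_on=in_true_branch)
        elif fallback is None:
            fallback = Verdict(denial, "conditional", m["cond"])
    return fallback or Verdict(denial, "missing")

def live_sesearch(denial: Denial) -> str:
    """Run the real tool; only useful on a host with setools installed."""
    return subprocess.run(denial.sesearch_cmd(), capture_output=True, text=True,
                          check=False).stdout

def triage(avc_text: str, run: Callable[[Denial], str] = live_sesearch) -> List[Verdict]:
    return [judge(d, run(d)) for d in parse_avcs(avc_text)]

# Constructed inputs mirroring the thread: accountsd_t's bind is gated by
# allow_ypbind (currently off, hence "DT"); systemd-logind has no rule at all.
SAMPLE_AVCS = (
    'type=AVC msg=audit(1316800000.123:45): avc:  denied  { name_bind } for  pid=1234 '
    'comm="accounts-daemon" src=1020 scontext=system_u:system_r:accountsd_t:s0 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1316800000.456:46): avc:  denied  { read open } for  pid=777 '
    'comm="systemd-logind" name="binding" dev=sda2 ino=1313 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=system_u:object_r:var_yp_t:s0 tclass=file\n')
FAKE_SESEARCH: Dict[Tuple[str, str, str], str] = {
    ("accountsd_t", "hi_reserved_port_t", "tcp_socket"):
        "Found 1 semantic av rules:\n"
        "DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]\n",
    ("systemd_logind_t", "var_yp_t", "file"): "Found 0 semantic av rules:\n",
}

def fake_sesearch(denial: Denial) -> str:
    return FAKE_SESEARCH.get((denial.stype, denial.ttype, denial.tclass), "")
```

Running `triage(SAMPLE_AVCS, fake_sesearch)` yields three verdicts: the accountsd_t bind comes back as "boolean" with the remedy `setsebool -P allow_ypbind on`, exactly the conclusion Dominick drew from the DT line, while the two systemd-logind file permissions come back as "missing", which is the case that belongs in bugzilla rather than in a local setsebool. On a real host, `triage(open("/var/log/audit/audit.log").read())` runs the live sesearch per denial; a "boolean" verdict that keeps returning after a reboot is the persistence problem the thread reports, so re-check with getsebool before filing a policy bug.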


More information about the selinux mailing list