List of avc for fedora 16

David Highley dhighley at highley-recommended.com
Mon Sep 26 16:01:19 UTC 2011


"Daniel J Walsh wrote:"
> 
> 
> On 09/25/2011 10:38 PM, David Highley wrote:
> > "Dominick Grift wrote:"
> >> 
> >> 
> >> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> >>> On 09/25/2011 10:10 AM, Dominick Grift wrote:
> >>>> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> >>>>> "Dominick Grift wrote:"
> >>>>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> >>>>>>> I checked bugzilla but did not see anything about this
> >>>>>>> list of avc alerts for fedora 16. Should they be
> >>>>>>> reported or is something misconfigured?
> >>>>>> setsebool -P allow_ypbind on
> > 
> > Submitted bug report 741141 on selinux bool getting turned off.
> > 
> >>>>> The bool gets turned off in the reboot process.
> >>>> That's strange, is systemd turning it back off?
> >>>> 
> >>>>> It solves almost all the avc issues but a few remained
> >>>>> which were solved with this policy file:
> >>>>>
> >>>>> module mysystemd 1.0;
> >>>>>
> >>>>> require {
> >>>>>         type systemd_logind_t;
> >>>>>         type var_yp_t;
> >>>>>         type node_t;
> >>>>>         type hi_reserved_port_t;
> >>>>>         class udp_socket { name_bind bind create setopt node_bind };
> >>>>>         class file { read open };
> >>>>> }
> >>>>>
> >>>>> #============= systemd_logind_t ==============
> >>>>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> >>>>> allow systemd_logind_t node_t:udp_socket node_bind;
> >>>>> allow systemd_logind_t self:udp_socket { bind create setopt };
> >>>>> allow systemd_logind_t var_yp_t:file { read open };
> >>>> This is likely a bug. Could you file a bugzilla for the
> >>>> above?
> >>> Yes, please, open a new bug. Thank you.
> > 
> > Submitted bug report 741143 for the above avc issue.
> > 
> >> 
> >> proposed fix:
> >> 
> >> diff --git policy/modules/system/systemd.te 
> >> policy/modules/system/systemd.te index e50a989..d5e32c2 100644 
> >> --- policy/modules/system/systemd.te +++
> >> policy/modules/system/systemd.te @@ -130,6 +130,10 @@ ') =20 
> >> optional_policy(` +	nis_use_ypbind(systemd_logind_t) +') + 
> >> +optional_policy(` # It links /run/user/$USER/X11/display to
> >> /tmp/.X11-unix/X* sock_file 
> >> xserver_search_xdm_tmp_dirs(systemd_logind_t) ')
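Review bot: `nis_use_ypbind(systemd_logind_t)` in this hunk is gated on the `allow_ypbind` boolean, so the access it grants is only active while that boolean is on, and this thread reports the boolean being switched off during reboot (bug 741141); with only this patch applied, logind would still be denied at boot until that is resolved. Daniel Walsh's suggestion further down, `auth_use_nsswitch(systemd_logind_t)`, fits better here: the sesearch result quoted in the thread shows the ypbind rules hanging off the `nsswitch_domain` attribute, which is the interface meant for a daemon that looks users up through nsswitch rather than through NIS specifically. Whichever interface is used, check that it covers every rule in the local mysystemd module quoted above (udp_socket name_bind on hi_reserved_port_t, node_bind on node_t, bind/create/setopt on self, and read/open of var_yp_t files), otherwise the AVCs that module fixed will come back.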
> >> 
> >>> Regards, Miroslav
> >>>> 
> >>>>> We also need to do a systemctl restart autofs.service after
> >>>>> boot up. We use NIS and auto mounted home directories.
> >>>>> 
> >>>>>> should fix it. If it does, then this should not be
> >>>>>> reported.
> >>>>>> 
> >>>>>> There is a way to check whether a specified AVC denial
> >>>>>> can be allowed, for example your first avc denial:
> >>>>>> 
> >>>>>>> #============= accountsd_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> >>>>>> 
> >>>>>> Found 1 semantic av rules:
> >>>>>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
> >>>>>> 
> >>>>>> This tells me that this access can be allowed by toggling
> >>>>>> the allow_ypbind boolean to enabled. The DT tells me that
> >>>>>> this boolean is currently disabled.
> >>>>>> 
> >>>>>>> allow accountsd_t portmap_port_t:tcp_socket name_connect;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow accountsd_t var_yp_t:dir search;
> >>>>>>>
> >>>>>>> #============= automount_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow automount_t var_yp_t:file read;
> >>>>>>>
> >>>>>>> #============= policykit_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow policykit_t kerberos_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow policykit_t kprop_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow policykit_t portmap_port_t:tcp_socket name_connect;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow policykit_t var_yp_t:dir search;
> >>>>>>>
> >>>>>>> #============= sshd_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow sshd_t ftp_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow sshd_t hi_reserved_port_t:udp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow sshd_t spamd_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow sshd_t var_yp_t:dir search;
> >>>>>>>
> >>>>>>> #============= system_dbusd_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow system_dbusd_t rndc_port_t:tcp_socket name_bind;
> >>>>>>>
> >>>>>>> #============= xdm_dbusd_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;
> >>>>>>>
> >>>>>>> -- 
> >>>>>>> selinux mailing list
> >>>>>>> selinux at lists.fedoraproject.org
> >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > 
> 
> 
> We should use auth_use_nsswitch(systemd_logind_t), I think.
> 
> Are you setting the allow_ypbind boolean permanently?
> 
> setsebool -P allow_ypbind 1

Yes, it is set but there seems to be an issue with ypbind.service
turning it off during a reboot. See bug 741141 which I also submitted.



-- 

Regards,

David Highley
Highley Recommended, Inc.       Phone: (206) 669-0081
2927 SW 339th Street            WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
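The sesearch check Dominick describes in the thread is the step worth running over the whole audit2allow list before filing anything. The Python below is an added example, not code from the thread, from setools or from audit2allow: it parses audit2allow rules and setools-3 style sesearch output, assuming the E/D + T/F prefix convention Dominick reads as "DT = boolean currently disabled", and reports for each rule whether it is already allowed, allowed once a boolean is toggled, or uncovered and therefore worth a bug report or a local module. The sample rules and sesearch output are constructed; `run_sesearch` is the runner that would be used on a real Fedora box.

```python
"""Triage audit2allow rules with sesearch (added example, not from the thread or setools)."""
import re
import subprocess

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")
# setools-3 "sesearch -C" line, e.g. the one quoted in the thread:
#   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
# E/D = boolean Enabled/Disabled right now, T/F = rule is in the True/False branch;
# unconditional rules have neither the prefix nor the trailing "[ ... ]".
SESEARCH_RE = re.compile(
    r"^\s*(?:([ED])([TF])\s+)?allow\s+\S+\s+\S+\s*:\s*\S+\s+(?:\{[^}]*\}|\S+)\s*;"
    r"(?:\s*\[\s*([^\]]+?)\s*\])?")

def classify(sesearch_text):
    """("allowed",) | ("needs_boolean", expr, "on"/"off") | ("uncovered",)."""
    fix = None
    for line in sesearch_text.splitlines():
        m = SESEARCH_RE.match(line)
        if not m:
            continue
        state, branch, expr = m.groups()
        if expr is None or (state == "E") == (branch == "T"):
            return ("allowed",)  # unconditional rule, or its branch is active now
        fix = (expr, "on" if branch == "T" else "off")  # toggling would activate it
    return ("needs_boolean",) + fix if fix else ("uncovered",)

def run_sesearch(src, tgt, cls, perm):
    """Real runner, assumes setools 3 is installed; the sample below injects a fake."""
    cmd = ["sesearch", "-SCT", "--allow", "-s", src, "-t", tgt, "-c", cls, "-p", perm]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def triage(audit2allow_text, runner=run_sesearch):
    """Map each audit2allow rule to the weakest verdict over its permissions."""
    rank = {"allowed": 0, "needs_boolean": 1, "uncovered": 2}
    results = {}
    for line in audit2allow_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            verdicts = [classify(runner(src, tgt, cls, p)) for p in perms.strip("{} ").split()]
            results[line.strip()] = max(verdicts, key=lambda v: rank[v[0]])
    return results

# Constructed sample: two rules from the thread and made-up sesearch output for them.
SAMPLE_RULES = ("allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;\n"
                "allow systemd_logind_t var_yp_t:file { read open };\n")
FAKE_SESEARCH = {
    ("accountsd_t", "hi_reserved_port_t", "tcp_socket", "name_bind"):
        "DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]\n",
    ("systemd_logind_t", "var_yp_t", "file", "read"):
        "   allow systemd_logind_t var_yp_t : file read ;\n",
}
fake_runner = lambda src, tgt, cls, perm: FAKE_SESEARCH.get((src, tgt, cls, perm), "")
```

With the constructed data the accountsd_t rule comes back as "needs_boolean allow_ypbind on", and the logind rule is flagged uncovered because nothing allows the `open` permission, which is the kind of gap that justified the local module in the thread.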

