List of avc for fedora 16
I checked bugzilla but did not see anything about this list of avc
alerts for fedora 16. Should they be reported or is something misconfigured?

#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;

#============= automount_t ==============
#!!!! This avc is allowed in the current policy
allow automount_t var_yp_t:file read;

#============= policykit_t ==============
#!!!! This avc is allowed in the current policy
allow policykit_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kerberos_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t kprop_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow policykit_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow policykit_t var_yp_t:dir search;

#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t ftp_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t hi_reserved_port_t:udp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t spamd_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow sshd_t var_yp_t:dir search;

#============= system_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t rndc_port_t:tcp_socket name_bind;

#============= xdm_dbusd_t ==============
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow xdm_dbusd_t portmap_port_t:tcp_socket name_connect;

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
List of avc for fedora 16
On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> I checked bugzilla but did not see anything about this list of avc
> alerts for fedora 16. Should they be reported or is something misconfigured?

setsebool -P allow_ypbind on

should fix it. If it does, then this should not be reported.

There is a way to check whether a specified AVC denial can be allowed,
for example your first avc denial:

> #============= accountsd_t ==============
> #!!!! This avc is allowed in the current policy
>
> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;

# sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind

Found 1 semantic av rules:
   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]

This tells me that this access can be allowed by toggling the
allow_ypbind boolean to enabled. The DT tells me that this boolean is
currently disabled.
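As an added illustration of the sesearch check described in the reply above (this is not code from the thread or from setools), the following Python parses audit2allow statements like the ones posted and classifies sesearch -SCT rule lines. It assumes the setools 3 output format quoted above: a two-letter prefix where D/E means the boolean expression is currently disabled/enabled and T/F means the rule sits in the true/false branch, followed by the expression in square brackets.

```python
"""Interpret audit2allow statements and setools 3 'sesearch -SCT' output.

Added example, not code from the thread or from setools. The line formats
are assumed to match what is quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first audit2allow block from the original message.
AUDIT2ALLOW_OUTPUT = """\
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy
allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;
"""

# Constructed sample: the sesearch output quoted in the reply.
SESEARCH_OUTPUT = """\
Found 1 semantic av rules:
   DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""

ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+)\s*;\s*$"
)
# Optional D/E + T/F flag, then the rule, then an optional [ boolean expr ].
SESEARCH_RE = re.compile(
    r"^\s*(?:(?P<flags>[DE][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;(?:\s*\[\s*(?P<cond>.*?)\s*\])?\s*$"
)


@dataclass(frozen=True)
class AvRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def _perms(text):
    """'{ read open }' or 'search' -> frozenset of permission names."""
    return frozenset(text.strip("{} ").split())


def parse_audit2allow(text):
    """Return the allow rules in an audit2allow listing, skipping '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised audit2allow line: %r" % line)
        rules.append(AvRule(m["src"], m["tgt"], m["cls"], _perms(m["perms"])))
    return rules


def explain_sesearch(text):
    """Classify each rule line of 'sesearch -SCT --allow' output.

    Returns one dict per rule: the rule, the boolean expression it depends on
    (None when unconditional), whether it is active right now, and, when a
    single boolean gates it, the setsebool command that would activate it.
    """
    results = []
    for line in text.splitlines():
        m = SESEARCH_RE.match(line)
        if m is None:
            continue  # 'Found N semantic av rules:' and blank lines
        rule = AvRule(m["src"], m["tgt"], m["cls"], _perms(m["perms"]))
        flags, cond = m["flags"], m["cond"]
        if flags is None or cond is None:
            results.append({"rule": rule, "boolean": None, "active": True, "fix": None})
            continue
        enabled = flags[0] == "E"        # D = boolean expression currently false
        true_branch = flags[1] == "T"    # F = rule lives in the else branch
        active = enabled == true_branch  # DT and EF are dormant, ET and DF are live
        fix = None
        if not active and re.fullmatch(r"\w+", cond):
            # One plain boolean: flipping it activates this branch.
            fix = "setsebool -P %s %s" % (cond, "on" if true_branch else "off")
        results.append({"rule": rule, "boolean": cond, "active": active, "fix": fix})
    return results


if __name__ == "__main__":
    for r in parse_audit2allow(AUDIT2ALLOW_OUTPUT):
        print(r)
    for entry in explain_sesearch(SESEARCH_OUTPUT):
        print(entry)
```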
List of avc for fedora 16
Dominick Grift wrote:
> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> > I checked bugzilla but did not see anything about this list of avc
> > alerts for fedora 16. Should they be reported or is something misconfigured?
>
> setsebool -P allow_ypbind on

The bool gets turned off in the reboot process. It solves almost all the
avc issues but a few remained which were solved with this policy file:

module mysystemd 1.0;

require {
	type systemd_logind_t;
	type var_yp_t;
	type node_t;
	type hi_reserved_port_t;
	class udp_socket { name_bind bind create setopt node_bind };
	class file { read open };
}

#============= systemd_logind_t ==============
allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
allow systemd_logind_t node_t:udp_socket node_bind;
allow systemd_logind_t self:udp_socket { bind create setopt };
allow systemd_logind_t var_yp_t:file { read open };

We also need to do a systemctl restart autofs.service after boot up. We
use NIS and auto mounted home directories.

--
Regards,

David Highley
Highley Recommended, Inc.
Phone: (206) 669-0081
2927 SW 339th Street
WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732
List of avc for fedora 16
On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> Dominick Grift wrote:
> > setsebool -P allow_ypbind on
>
> The bool gets turned off in the reboot process.

That's strange, is systemd turning it back off?

> It solves almost all the
> avc issues but a few remained which were solved with this policy file:
>
> module mysystemd 1.0;
>
> require {
> 	type systemd_logind_t;
> 	type var_yp_t;
> 	type node_t;
> 	type hi_reserved_port_t;
> 	class udp_socket { name_bind bind create setopt node_bind };
> 	class file { read open };
> }
>
> #============= systemd_logind_t ==============
> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> allow systemd_logind_t node_t:udp_socket node_bind;
> allow systemd_logind_t self:udp_socket { bind create setopt };
> allow systemd_logind_t var_yp_t:file { read open };

This is likely a bug. Could you file a bugzilla for the above?

> We also need to do a systemctl restart autofs.service after boot up. We
> use NIS and auto mounted home directories.
List of avc for fedora 16
On 09/25/2011 10:10 AM, Dominick Grift wrote:
> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
>> The bool gets turned off in the reboot process.
> That's strange, is systemd turning it back off?
>
>> It solves almost all the
>> avc issues but a few remained which were solved with this policy file:
>>
>> module mysystemd 1.0;
>>
>> require {
>> 	type systemd_logind_t;
>> 	type var_yp_t;
>> 	type node_t;
>> 	type hi_reserved_port_t;
>> 	class udp_socket { name_bind bind create setopt node_bind };
>> 	class file { read open };
>> }
>>
>> #============= systemd_logind_t ==============
>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
>> allow systemd_logind_t node_t:udp_socket node_bind;
>> allow systemd_logind_t self:udp_socket { bind create setopt };
>> allow systemd_logind_t var_yp_t:file { read open };
> This is likely a bug. Could you file a bugzilla for the above?

Yes, please, open a new bug. Thank you.

Regards,
Miroslav
List of avc for fedora 16
On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> On 09/25/2011 10:10 AM, Dominick Grift wrote: > > On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote: > >> "Dominick Grift wrote:" > >>> > >>> --===============4683794954818469668== > >>> Content-Type: multipart/signed; micalg="pgp-sha512"; > >>> protocol="application/pgp-signature"; boundary="=-W/U2hq2saAQVGsubU72y" > >>> > >>> > >>> --=-W/U2hq2saAQVGsubU72y > >>> Content-Type: text/plain; charset="UTF-8" > >>> Content-Transfer-Encoding: quoted-printable > >>> > >>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote: > >>>> I checked bugzilla but did not see anything about this list of avc > >>>> alerts for fedora 16. Should they be reported or is something miss > >>>> configured? > >>>> =20 > >>>> =20 > >>> sesebool-P allow_ypbind on > >> The bool gets turned off in the reboot process. > > Thats strange, is systemd turning it back off? > > > >> It solves almost all the > >> avc issues but a few remained which were solved with this policy file: > >> module mysystemd 1.0; > >> > >> require { > >> type systemd_logind_t; > >> type var_yp_t; > >> type node_t; > >> type hi_reserved_port_t; > >> class udp_socket { name_bind bind create setopt node_bind }; > >> class file { read open }; > >> } > >> > >> #============= systemd_logind_t ============== > >> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind; > >> allow systemd_logind_t node_t:udp_socket node_bind; > >> allow systemd_logind_t self:udp_socket { bind create setopt }; > >> allow systemd_logind_t var_yp_t:file { read open }; > > This is likely a bug, Could you file a bugzilla for the above? > Yes, please, open a new bug. Thank you. proposed fix: diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te index e50a989..d5e32c2 100644 --- policy/modules/system/systemd.te +++ policy/modules/system/systemd.te 
@@ -130,6 +130,10 @@ ') optional_policy(` + nis_use_ypbind(systemd_logind_t) +') + +optional_policy(` # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file xserver_search_xdm_tmp_dirs(systemd_logind_t) ') > > Regards, > Miroslav > > > >> We also need to do a systemctl restart autofs.service after boot up. We > >> use NIS and auto mounted home directories. > >> > >>> should fix it. if it does than this should not be reported > >>> > >>> There is a way to check whether a specified AVC denial can be allowed, > >>> for example your first avc denial: > >>> > >>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D accountsd_t =3D=3D=3D=3D=3D=3D= > >>> =3D=3D=3D=3D=3D=3D=3D=3D > >>>> #!!!! This avc is allowed in the current policy > >>>> =20 > >>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind; > >>>> #!!!! This avc is allowed in the current policy > >>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c > >>> tcp_socket -p name_bind > >>> > >>> Found 1 semantic av rules: > >>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; > >>> [ allow_ypbind ] > >>> > >>> This tells me that this access can be allowed by toggling the > >>> allow_ypbind boolean to enabled. The DT tells me that this boolean is > >>> currently disabled. > >>> > >>>> allow accountsd_t portmap_port_t:tcp_socket name_connect; > >>>> #!!!! This avc is allowed in the current policy > >>>> =20 > >>>> allow accountsd_t var_yp_t:dir search; > >>>> =20 > >>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D automount_t =3D=3D=3D=3D=3D=3D= > >>> =3D=3D=3D=3D=3D=3D=3D=3D > >>>> #!!!! This avc is allowed in the current policy > >>>> =20 > >>>> allow automount_t var_yp_t:file read; > >>>> =20 > >>>> #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D policykit_t =3D=3D=3D=3D=3D=3D= > >>> =3D=3D=3D=3D=3D=3D=3D=3D > >>>> #!!!! This avc is allowed in the current policy > >>>> =20 > >>>> allow policykit_t hi_reserved_port_t:tcp_socket name_bind; > >>>> #!!!! 
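
A small helper, added here as an example and not code from the thread, from setools or from Fedora: it parses audit2allow output of the kind posted above, builds the sesearch query Dominick ran for one denial, reads the E/D flag and the [ boolean ] part of the setools 3 answer, and turns a currently disabled boolean into the setsebool -P command used in the thread. The sample texts are constructed from the thread; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_MARKER = "#!!!! This avc is allowed in the current policy"
# audit2allow rule: "allow src tgt:class perm;" or "allow src tgt:class { p q };"
ALLOW_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;\s*$")
# setools 3 "sesearch -C" line: "<E|D><T|F> allow src tgt : class perm ; [ expr ]";
# the flags and the [ expr ] part are absent for unconditional rules.
SESEARCH_RE = re.compile(
    r"^(?:([ED])([TF])\s+)?allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+"
    r"(?:\{\s*([^}]*)\}|(\S+))\s*;(?:\s*\[\s*(.*?)\s*\])?\s*$")
BOOL_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

@dataclass(frozen=True)
class Avc:
    source: str
    target: str
    tclass: str
    perm: str
    allowed_in_policy: bool  # the "#!!!!" marker preceded this rule

@dataclass(frozen=True)
class PolicyRule:
    enabled: Optional[bool]      # E/D flag; None for an unconditional rule
    true_branch: Optional[bool]  # T/F flag
    source: str
    target: str
    tclass: str
    perms: List[str]
    booleans: List[str]          # names found in the [ expr ] part

def parse_audit2allow(text: str) -> List[Avc]:
    """One Avc per permission; the marker means the loaded policy already
    has a rule for it, possibly one that a boolean currently switches off."""
    avcs, marked = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == ALLOWED_MARKER:
            marked = True
            continue
        m = ALLOW_RE.match(line)
        if not m:  # blank lines and "#==== domain ====" headers
            continue
        src, tgt, cls, many, one = m.groups()
        for perm in (many.split() if many is not None else [one]):
            avcs.append(Avc(src, tgt, cls, perm, marked))
        marked = False
    return avcs

def sesearch_command(avc: Avc) -> str:
    """The query used in the thread to find the rule behind one denial."""
    return (f"sesearch -SCT --allow -s {avc.source} -t {avc.target} "
            f"-c {avc.tclass} -p {avc.perm}")

def parse_sesearch(text: str) -> List[PolicyRule]:
    rules = []
    for raw in text.splitlines():
        m = SESEARCH_RE.match(raw.strip())
        if not m:  # "Found N semantic av rules:" and blank lines
            continue
        state, branch, src, tgt, cls, many, one, expr = m.groups()
        rules.append(PolicyRule(
            enabled=None if state is None else state == "E",
            true_branch=None if branch is None else branch == "T",
            source=src, target=tgt, tclass=cls,
            perms=many.split() if many is not None else [one],
            # setools prints the expression in postfix; keep only the names
            booleans=BOOL_NAME_RE.findall(expr or "")))
    return rules

def suggest_setsebool(rules: List[PolicyRule]) -> List[str]:
    """Persistent toggles that switch on a currently disabled true-branch
    rule (the thread's "setsebool -P allow_ypbind on").  Enabled,
    unconditional, false-branch and multi-boolean rules get no suggestion."""
    cmds = set()
    for r in rules:
        if r.enabled is False and r.true_branch and len(r.booleans) == 1:
            cmds.add(f"setsebool -P {r.booleans[0]} on")
    return sorted(cmds)

# Constructed samples: the first section of the original report and the
# sesearch answer quoted in the thread.
AUDIT2ALLOW_SAMPLE = """\
#============= accountsd_t ==============
#!!!! This avc is allowed in the current policy

allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow accountsd_t portmap_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow accountsd_t var_yp_t:dir search;
"""
SESEARCH_SAMPLE = """\
Found 1 semantic av rules:
DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
"""
```

Feeding the whole audit2allow report to parse_audit2allow and each Avc to sesearch_command reproduces the query for every denial; parse_sesearch and suggest_setsebool then read the answers.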
List of avc for fedora 16
"Dominick Grift wrote:"
> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> > On 09/25/2011 10:10 AM, Dominick Grift wrote:
> > > On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> > >> "Dominick Grift wrote:"
> > >>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> > >>>> I checked bugzilla but did not see anything about this list of avc
> > >>>> alerts for fedora 16. Should they be reported or is something
> > >>>> misconfigured?
> > >>> setsebool -P allow_ypbind on

Submitted bug report 741141 on selinux bool getting turned off.

> > >> The bool gets turned off in the reboot process.
> > > That's strange, is systemd turning it back off?
> > >
> > >> It solves almost all the
> > >> avc issues but a few remained which were solved with this policy file:
> > >> module mysystemd 1.0;
> > >>
> > >> require {
> > >> 	type systemd_logind_t;
> > >> 	type var_yp_t;
> > >> 	type node_t;
> > >> 	type hi_reserved_port_t;
> > >> 	class udp_socket { name_bind bind create setopt node_bind };
> > >> 	class file { read open };
> > >> }
> > >>
> > >> #============= systemd_logind_t ==============
> > >> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> > >> allow systemd_logind_t node_t:udp_socket node_bind;
> > >> allow systemd_logind_t self:udp_socket { bind create setopt };
> > >> allow systemd_logind_t var_yp_t:file { read open };
> > > This is likely a bug. Could you file a bugzilla for the above?
> > Yes, please, open a new bug. Thank you.

Submitted bug report 741143 for the above avc issue.

> proposed fix:
>
> diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te
> index e50a989..d5e32c2 100644
> --- policy/modules/system/systemd.te
> +++ policy/modules/system/systemd.te
> @@ -130,6 +130,10 @@
>  ')
>  
>  optional_policy(`
> +	nis_use_ypbind(systemd_logind_t)
> +')
> +
> +optional_policy(`
>  	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
>  	xserver_search_xdm_tmp_dirs(systemd_logind_t)
>  ')
> >
> > Regards,
> > Miroslav
> > >
> > >> We also need to do a systemctl restart autofs.service after boot up. We
> > >> use NIS and auto mounted home directories.
> > >>
> > >>> should fix it. if it does then this should not be reported
> > >>>
> > >>> There is a way to check whether a specified AVC denial can be allowed,
> > >>> for example your first avc denial:
> > >>>
> > >>>> #============= accountsd_t ==============
> > >>>> #!!!! This avc is allowed in the current policy
> > >>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> > >>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> > >>>
> > >>> Found 1 semantic av rules:
> > >>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
> > >>>
> > >>> This tells me that this access can be allowed by toggling the
> > >>> allow_ypbind boolean to enabled. The DT tells me that this boolean is
> > >>> currently disabled.

-- 
Regards,
David Highley
Highley Recommended, Inc.
2927 SW 339th Street
Federal Way, WA 98023-7732
Phone: (206) 669-0081
WEB: http://www.highley-recommended.com
List of avc for fedora 16
On 09/25/2011 10:38 PM, David Highley wrote:
> "Dominick Grift wrote:"
>> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
>>> On 09/25/2011 10:10 AM, Dominick Grift wrote:
>>>> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
>>>>> "Dominick Grift wrote:"
>>>>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
>>>>>>> I checked bugzilla but did not see anything about this
>>>>>>> list of avc alerts for fedora 16. Should they be
>>>>>>> reported or is something misconfigured?
>>>>>> setsebool -P allow_ypbind on
>
> Submitted bug report 741141 on selinux bool getting turned off.
>
>>>>> The bool gets turned off in the reboot process.
>>>> That's strange, is systemd turning it back off?
>>>>
>>>>> It solves almost all the avc issues but a few remained
>>>>> which were solved with this policy file:
>>>>> module mysystemd 1.0;
>>>>>
>>>>> require {
>>>>> 	type systemd_logind_t;
>>>>> 	type var_yp_t;
>>>>> 	type node_t;
>>>>> 	type hi_reserved_port_t;
>>>>> 	class udp_socket { name_bind bind create setopt node_bind };
>>>>> 	class file { read open };
>>>>> }
>>>>>
>>>>> #============= systemd_logind_t ==============
>>>>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
>>>>> allow systemd_logind_t node_t:udp_socket node_bind;
>>>>> allow systemd_logind_t self:udp_socket { bind create setopt };
>>>>> allow systemd_logind_t var_yp_t:file { read open };
>>>> This is likely a bug. Could you file a bugzilla for the above?
>>> Yes, please, open a new bug. Thank you.
>
> Submitted bug report 741143 for the above avc issue.
>
>> proposed fix:
>>
>> diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te
>> index e50a989..d5e32c2 100644
>> --- policy/modules/system/systemd.te
>> +++ policy/modules/system/systemd.te
>> @@ -130,6 +130,10 @@
>>  ')
>>  
>>  optional_policy(`
>> +	nis_use_ypbind(systemd_logind_t)
>> +')
>> +
>> +optional_policy(`
>>  	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
>>  	xserver_search_xdm_tmp_dirs(systemd_logind_t)
>>  ')
>>>
>>> Regards,
>>> Miroslav
>>>>
>>>>> We also need to do a systemctl restart autofs.service after
>>>>> boot up. We use NIS and auto mounted home directories.
>>>>>
>>>>>> should fix it. if it does then this should not be reported
>>>>>>
>>>>>> There is a way to check whether a specified AVC denial
>>>>>> can be allowed, for example your first avc denial:
>>>>>>
>>>>>>> #============= accountsd_t ==============
>>>>>>> #!!!! This avc is allowed in the current policy
>>>>>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
>>>>>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
>>>>>>
>>>>>> Found 1 semantic av rules:
>>>>>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
>>>>>>
>>>>>> This tells me that this access can be allowed by toggling
>>>>>> the allow_ypbind boolean to enabled. The DT tells me that
>>>>>> this boolean is currently disabled.

We should use auth_use_nsswitch(systemd_logind_t) I think.

Are you setting the allow_ypbind boolean permanently

setsebool -P allow_ypbind 1
List of avc for fedora 16
"Daniel J Walsh wrote:"
> On 09/25/2011 10:38 PM, David Highley wrote:
> > "Dominick Grift wrote:"
> >> On Sun, 2011-09-25 at 20:20 +0200, Miroslav Grepl wrote:
> >>> On 09/25/2011 10:10 AM, Dominick Grift wrote:
> >>>> On Sat, 2011-09-24 at 19:45 -0700, David Highley wrote:
> >>>>> "Dominick Grift wrote:"
> >>>>>> On Fri, 2011-09-23 at 20:10 -0700, David Highley wrote:
> >>>>>>> I checked bugzilla but did not see anything about this
> >>>>>>> list of avc alerts for fedora 16. Should they be
> >>>>>>> reported or is something misconfigured?
> >>>>>> setsebool -P allow_ypbind on
> >
> > Submitted bug report 741141 on selinux bool getting turned off.
> >
> >>>>> The bool gets turned off in the reboot process.
> >>>> That's strange, is systemd turning it back off?
> >>>>
> >>>>> It solves almost all the avc issues but a few remained
> >>>>> which were solved with this policy file:
> >>>>> module mysystemd 1.0;
> >>>>>
> >>>>> require {
> >>>>> 	type systemd_logind_t;
> >>>>> 	type var_yp_t;
> >>>>> 	type node_t;
> >>>>> 	type hi_reserved_port_t;
> >>>>> 	class udp_socket { name_bind bind create setopt node_bind };
> >>>>> 	class file { read open };
> >>>>> }
> >>>>>
> >>>>> #============= systemd_logind_t ==============
> >>>>> allow systemd_logind_t hi_reserved_port_t:udp_socket name_bind;
> >>>>> allow systemd_logind_t node_t:udp_socket node_bind;
> >>>>> allow systemd_logind_t self:udp_socket { bind create setopt };
> >>>>> allow systemd_logind_t var_yp_t:file { read open };
> >>>> This is likely a bug. Could you file a bugzilla for the above?
> >>> Yes, please, open a new bug. Thank you.
> >
> > Submitted bug report 741143 for the above avc issue.
> >
> >> proposed fix:
> >>
> >> diff --git policy/modules/system/systemd.te policy/modules/system/systemd.te
> >> index e50a989..d5e32c2 100644
> >> --- policy/modules/system/systemd.te
> >> +++ policy/modules/system/systemd.te
> >> @@ -130,6 +130,10 @@
> >>  ')
> >>  
> >>  optional_policy(`
> >> +	nis_use_ypbind(systemd_logind_t)
> >> +')
> >> +
> >> +optional_policy(`
> >>  	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
> >>  	xserver_search_xdm_tmp_dirs(systemd_logind_t)
> >>  ')
> >>>
> >>> Regards,
> >>> Miroslav
> >>>>
> >>>>> We also need to do a systemctl restart autofs.service after
> >>>>> boot up. We use NIS and auto mounted home directories.
> >>>>>
> >>>>>> should fix it. if it does then this should not be reported
> >>>>>>
> >>>>>> There is a way to check whether a specified AVC denial
> >>>>>> can be allowed, for example your first avc denial:
> >>>>>>
> >>>>>>> #============= accountsd_t ==============
> >>>>>>> #!!!! This avc is allowed in the current policy
> >>>>>>> allow accountsd_t hi_reserved_port_t:tcp_socket name_bind;
> >>>>>> # sesearch -SCT --allow -s accountsd_t -t hi_reserved_port_t -c tcp_socket -p name_bind
> >>>>>>
> >>>>>> Found 1 semantic av rules:
> >>>>>> DT allow nsswitch_domain rpc_port_type : tcp_socket name_bind ; [ allow_ypbind ]
> >>>>>>
> >>>>>> This tells me that this access can be allowed by toggling
> >>>>>> the allow_ypbind boolean to enabled. The DT tells me that
> >>>>>> this boolean is currently disabled.
>
> We should use auth_use_nsswitch(systemd_logind_t) I think.
>
> Are you setting the allow_ypbind boolean permanently
>
> setsebool -P allow_ypbind 1

Yes, it is set but there seems to be an issue with ypbind.service turning it
off during a reboot. See bug 741141 which I also submitted.

-- 
Regards,
David Highley
Highley Recommended, Inc.
2927 SW 339th Street
Federal Way, WA 98023-7732
Phone: (206) 669-0081
WEB: http://www.highley-recommended.com