Randy Barlow wrote:
Greetings!
The ejabberd Fedora package has its own SELinux policy module that it ships[0]. A user has reported an issue with an SELinux denial with the default ejabberd config[1].
I spent some time trying to modify the policy to allow the name_bind on the port, but it seems that my attempts result in it still being denied:
allow ejabberd_t unreserved_port_t:udp_socket name_bind;
Hi Randy,
Thank you so much for your work! I'm spending time every year to fix AVCs for ejabberd (on my systems) without going deep in this issue. But I stored all .te files, so I'm happy to be able to compare with your .te file :)
File: ejabberd-udp-unreserved_port-fedora-33.te
""" module ejabberd-udp-unreserved_port-fedora-33 1.0;
require { type unreserved_port_t; type ejabberd_t; class udp_socket name_bind; }
#============= ejabberd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled' allow ejabberd_t unreserved_port_t:udp_socket name_bind; """
As I commented on the ticket, I also found that setting the nis_enabled bool on my system to true would solve the problem.
How did you do that... I mean, you have found the Graal...
However, I think it would be ideal if I could adjust the ejabberd module to do this on the users' behalf, as it is not obvious to the average user (or even to me) that this boolean could be the solution to the problem.
The Graal, I said :)
Is there something I could adjust in the ejabberd policy that would resolve this issue? Thanks.
On my side, I will make a fresh install on fresh box to see what is exactly required or not, then compare, then send you PR :)
I also want to see what is required with the default ejabberd config and with my "advanced" config file.
Best regards, Casper
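As an added example (not code from the thread or from the ejabberd package): a small audit2allow-style converter that turns AVC denial lines into a .te module of the shape shown above. The audit.log lines, ports and pid are constructed samples; the "can be allowed using the boolean" hint that audit2allow prints comes from the loaded policy and is not reproduced here, so check the relevant booleans before loading a generated module.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread): the udp_socket
# name_bind denial discussed above, plus a tcp_socket one to show grouping.
SAMPLE_AVC = """\
type=AVC msg=audit(1612345678.123:456): avc:  denied  { name_bind } for  pid=1234 comm="beam.smp" src=5280 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1612345678.124:457): avc:  denied  { name_bind } for  pid=1234 comm="beam.smp" src=5222 scontext=system_u:system_r:ejabberd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")


def parse_avc(line):
    """Return the permissions, source type, target type and class of one AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],   # user:role:type:level -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def fmt_perms(perms):
    """Single permission stays bare; several are wrapped in braces, as audit2allow does."""
    return " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"


def generate_te(lines, module="ejabberd-udp-unreserved_port-fedora-33", version="1.0"):
    """Group denials by (source, target, class) and emit a loadable policy module."""
    rules, types, classes = defaultdict(set), set(), defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]].update(d["perms"])
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te(SAMPLE_AVC.splitlines()))
```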