As is my usual state with things SELinux, I am a bit confused about a problem I was trying to troubleshoot involving opendkim.
Essentially I was getting this:

node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: denied { name_bind } for pid=4528 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

OK, simple enough I think, so I start to search the rules:

sesearch -s dkim_milter_t -t port_t --allow
Found 4 semantic av rules:
allow dkim_milter_t port_t : tcp_socket { name_bind name_connect } ;
allow dkim_milter_t port_t : udp_socket name_bind ;
allow dkim_milter_t port_type : tcp_socket { recv_msg send_msg } ;
allow dkim_milter_t port_type : udp_socket { recv_msg send_msg } ;
Umm, OK, doesn't that pretty much list it as allowed there?
Anyway I pump the denial through audit2allow just for kicks:
#============= dkim_milter_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;
Again, I am still a little confused by why this rule is necessary when I can find it in the policy. But I get even more confused about why setting allow_ypbind to 1 fixes the issue.
What am I missing here?
If you could please CC me I only get the digests.
-Erinn
Sorry to respond to myself but I forgot the vitals:
RHEL 6.4 x64 selinux-policy-3.7.19-195.el6_4.12.noarch
-Erinn
On Wed, 2013-07-17 at 14:08 -0800, Erinn Looney-Triggs wrote:
So it's allowed to bind a tcp socket to generic tcp port_t type ports if the allow_ypbind boolean is set (sesearch with -ASCT would show you that).
The allow_ypbind boolean is not recommended though, since it is very coarse.
Instead, use semanage to label the port (tcp:8891) with one of the available port types (seinfo -axport_type), then use audit2allow, after reproducing the event, to allow binding a tcp socket to ports with that type.
You can also create a new port type and use that:
# quoted EOF so the shell leaves the m4 backquotes alone
cat > mytest.te <<'EOF'
policy_module(mytest, 1.0.0)
type myport_t;
corenet_port(myport_t)

optional_policy(`
	gen_require(`
		type dkim_milter_t;
	')
	allow dkim_milter_t myport_t:tcp_socket name_bind;
')
EOF
make -f /usr/share/selinux/devel/Makefile mytest.pp
sudo semodule -i mytest.pp
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
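As an added example (not code from this thread or from either poster), the following script does by hand what the exchange above walks through: it parses the AVC line Erinn posted, checks that it is a name_bind denial against the generic port_t label, and derives the targeted fix Dominick describes rather than the coarse allow_ypbind boolean. The denial line is the one from the thread, embedded as a constructed sample; the port type name myport_t and module name mytest follow the module Dominick posted; the semanage invocation it prints is my own and is only printed, never run.

```python
"""Parse an SELinux AVC denial and derive the port-labelling fix discussed above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the denial quoted in the thread, as one audit log line.
SAMPLE_AVC = (
    "node=host.example.com type=AVC msg=audit(1374091410.640:248952): avc: denied "
    "{ name_bind } for pid=4528 comm=\"opendkim\" src=8891 "
    "scontext=unconfined_u:system_r:dkim_milter_t:s0 "
    "tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket"
)

# port_t is the generic label for ports no policy module has claimed; binding
# to it is exactly what allow_ypbind opens up wholesale.
GENERIC_PORT_TYPES = {"port_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]
    pid: int
    comm: str
    port: Optional[int]  # src= carries the local port in name_bind denials
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> AvcDenial:
    """Extract the permission set and the key=value fields from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError(f"not an AVC denial: {line!r}")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        pid=int(fields["pid"]),
        comm=fields["comm"],
        port=int(fields["src"]) if "src" in fields else None,
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
    )


def is_generic_port_bind(d: AvcDenial) -> bool:
    """True when a domain was refused name_bind on a generically labelled port."""
    return (d.tclass in ("tcp_socket", "udp_socket")
            and "name_bind" in d.perms
            and d.target_type in GENERIC_PORT_TYPES)


def port_module(d: AvcDenial, port_type: str, module: str = "mytest") -> str:
    """Render a .te module that introduces port_type and lets the denied domain
    bind to it (same shape as the module posted in the thread)."""
    return (
        f"policy_module({module}, 1.0.0)\n"
        f"type {port_type};\n"
        f"corenet_port({port_type})\n"
        "\n"
        "optional_policy(`\n"
        "\tgen_require(`\n"
        f"\t\ttype {d.source_type};\n"
        "\t')\n"
        f"\tallow {d.source_type} {port_type}:{d.tclass} name_bind;\n"
        "')\n"
    )


def triage(line: str, port_type: str = "myport_t", module: str = "mytest") -> dict:
    """Parse the denial and, if it is a generic-port bind, return the targeted fix."""
    d = parse_avc(line)
    result = {"denial": d, "generic_port": is_generic_port_bind(d)}
    if not result["generic_port"]:
        return result
    proto = "tcp" if d.tclass == "tcp_socket" else "udp"
    # Hypothetical command string built for the reader; not executed here.
    result["label_port"] = f"semanage port -a -t {port_type} -p {proto} {d.port}"
    result["module"] = port_module(d, port_type, module)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_AVC)
    d = r["denial"]
    print(f"{d.comm} (pid {d.pid}) as {d.source_type} denied {d.perms} on {d.target_type}")
    if r["generic_port"]:
        print("label the port:", r["label_port"])
        print(r["module"])
```

Denials whose target is already a specific port type (or that are not name_bind at all) come back with generic_port set to False, which is the signal that relabelling the port is not the right fix and the domain's own policy needs looking at instead.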
On 07/17/2013 02:19 PM, Dominick Grift wrote:
Dominick, Thanks a lot I figured there was some gap there that needed bridging in my knowledge, and you kindly pointed me in the right direction.
-Erinn