Hi,
I want to ask about some audit messages related to amavisd.
I get this kind of messages:
Oct 16 16:35:21 hermod kernel: audit(1192545321.959:4): avc: denied { name_bind } for pid=15305 comm="amavisd" src=3551 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=udp_socket
Oct 17 06:41:11 hermod kernel: audit(1192596071.584:5): avc: denied { name_bind } for pid=1135 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 17 14:45:13 hermod kernel: audit(1192625113.850:6): avc: denied { name_bind } for pid=8183 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 22:33:30 hermod kernel: audit(1192653210.933:7): avc: denied { name_bind } for pid=20082 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 23:00:40 hermod kernel: audit(1192654840.481:8): avc: denied { name_bind } for pid=21759 comm="amavisd" src=7007 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_bos_port_t:s0 tclass=udp_socket
Oct 18 08:59:38 hermod kernel: audit(1192690778.529:9): avc: denied { name_bind } for pid=25286 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 18 09:32:09 hermod kernel: audit(1192692729.031:10): avc: denied { name_bind } for pid=28781 comm="amavisd" src=1194 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket
These are only some of them; I allowed some of these, but there are many more with different UDP ports. What can I do to solve this problem, because amavisd tries a different port every time and I can't allow all of them?
Thanks in advance!
Ali Nebi wrote:
> What can I do to solve this problem, because amavisd tries a different port every time and I can't allow all of them?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
amavis_t is binding to random ports > 1024; occasionally it hits a named port and gets a denial. At that point it goes off and gets another port. When it gets a port that is not defined, it succeeds. The policy needs a dontaudit rule to remove these AVCs.
So this combination in policy is necessary:
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
This basically says amavis_t can bind to any UDP port labeled port_t and, if it attempts to bind to a port that is labeled anything other than port_t, dontaudit. This will be fixed in selinux-policy-3.0.8.28.
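The reply's diagnosis can be checked mechanically rather than by eyeballing the log: if every denied source port is in the unprivileged range (> 1024) and the denials land on several unrelated port types, the daemon is picking ephemeral ports at random and per-port allow rules will never converge. The script below is an added example written for this page, not code from the original thread or from selinux-policy. It parses the seven AVC lines from the post (re-split one per line), groups the name_bind denials by target port type, applies that test, and renders a minimal local policy module that uses the two refpolicy interfaces named in the reply. The function names (parse_avcs, bind_summary, looks_like_random_port_binding, local_policy_module) and the module name "localamavis" are this example's own.

```python
"""Triage SELinux AVC name_bind denials of the kind shown in the thread.

Added example; not from the original post or from selinux-policy. The helper
names and the "localamavis" module name are assumptions of this example.
"""
import re
from collections import defaultdict

# The seven denials from the post, one per line (contexts repaired where the
# mail client had split "system_u" across a line).
SAMPLE_AVCS = """\
Oct 16 16:35:21 hermod kernel: audit(1192545321.959:4): avc: denied { name_bind } for pid=15305 comm="amavisd" src=3551 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=udp_socket
Oct 17 06:41:11 hermod kernel: audit(1192596071.584:5): avc: denied { name_bind } for pid=1135 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 17 14:45:13 hermod kernel: audit(1192625113.850:6): avc: denied { name_bind } for pid=8183 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 22:33:30 hermod kernel: audit(1192653210.933:7): avc: denied { name_bind } for pid=20082 comm="amavisd" src=7004 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_ka_port_t:s0 tclass=udp_socket
Oct 17 23:00:40 hermod kernel: audit(1192654840.481:8): avc: denied { name_bind } for pid=21759 comm="amavisd" src=7007 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:afs_bos_port_t:s0 tclass=udp_socket
Oct 18 08:59:38 hermod kernel: audit(1192690778.529:9): avc: denied { name_bind } for pid=25286 comm="amavisd" src=5353 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
Oct 18 09:32:09 hermod kernel: audit(1192692729.031:10): avc: denied { name_bind } for pid=28781 comm="amavisd" src=1194 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=udp_socket
"""

# Matches the kernel/audit AVC format used in the post: the permission set in
# braces, then pid/comm/src and the three contexts. Only denials that carry a
# src= port (name_bind, name_connect) match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"\s+src=(?P<src>\d+)\s+'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avcs(text):
    """Return one dict per port-related AVC denial found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["src"] = int(d["src"])
        d["perms"] = d["perms"].split()
        d["sdomain"] = d["scontext"].split(":")[2]   # e.g. amavis_t
        d["ttype"] = d["tcontext"].split(":")[2]     # e.g. afs_ka_port_t
        denials.append(d)
    return denials


def bind_summary(denials, domain):
    """Map target port type -> sorted list of ports `domain` was denied binding to."""
    by_type = defaultdict(set)
    for d in denials:
        if d["sdomain"] == domain and "name_bind" in d["perms"]:
            by_type[d["ttype"]].add(d["src"])
    return {t: sorted(ports) for t, ports in sorted(by_type.items())}


def looks_like_random_port_binding(summary, min_types=3):
    """The reply's diagnosis as a rule: all denied ports are unprivileged and the
    denials are spread over several unrelated port types, so the daemon is
    choosing ephemeral ports at random rather than one it is configured for."""
    ports = [p for ports in summary.values() for p in ports]
    return bool(ports) and all(p > 1024 for p in ports) and len(summary) >= min_types


def local_policy_module(domain, name="localamavis", version="1.0"):
    """Render a minimal refpolicy .te module with the two interface calls from the reply."""
    return (
        f"policy_module({name}, {version})\n\n"
        "gen_require(`\n"
        f"\ttype {domain};\n"
        "')\n\n"
        f"corenet_udp_bind_generic_port({domain})\n"
        f"corenet_dontaudit_udp_bind_all_ports({domain})\n"
    )


if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AVCS)
    summary = bind_summary(denials, "amavis_t")
    for ttype, ports in summary.items():
        print(f"{ttype:18s} {ports}")
    if looks_like_random_port_binding(summary):
        print("\nRandom high-port binding: per-port allows will not converge. Local module:\n")
        print(local_policy_module("amavis_t"))
```

On a live system the input would come from `ausearch -m avc -c amavisd` rather than the embedded sample. Because the rendered module uses refpolicy interfaces rather than raw allow rules, it has to be built with the policy development Makefile (`make -f /usr/share/selinux/devel/Makefile localamavis.pp`, from selinux-policy-devel) and then loaded with `semodule -i localamavis.pp`; `checkmodule` alone does not expand the corenet_* macros. The dontaudit half only hides the noise; the generic-port half is what actually lets the bind succeed, so keep both, as the reply says.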