When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.

Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket

HTH
Richard Hally
On Sat, 10 Jul 2004 17:23, Richard Hally rhallyx@mindspring.com wrote:

> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>
> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket

What is this /usr/bin/mDNSResponder and where do I find an RPM for it?

Binding to port 53 is an operation for a daemon, why is it happening in user_r:user_t?
Once upon a time Sunday 11 July 2004 1:40 am, Russell Coker wrote:

> On Sat, 10 Jul 2004 17:23, Richard Hally rhallyx@mindspring.com wrote:
>
>> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>>
>> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
>> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
>
> What is this /usr/bin/mDNSResponder and where do I find an RPM for it?
>
> Binding to port 53 is an operation for a daemon, why is it happening in user_r:user_t?

mDNS is a bind replacement and it was probably built and installed from source is my guess. Fedora does not ship it.

Dennis
On Sun, Jul 11, 2004 at 01:54:56AM -0500, Dennis Gilmore wrote:

> Once upon a time Sunday 11 July 2004 1:40 am, Russell Coker wrote:
>
>> What is this /usr/bin/mDNSResponder and where do I find an RPM for it?
>>
>> Binding to port 53 is an operation for a daemon, why is it happening in user_r:user_t?
>
> mDNS is a bind replacement and it was probably built and installed from source is my guess. Fedora does not ship it.

It's not a bind replacement, it's a multicast DNS implementation, related to zeroconf:

Basically that plus link level configuration, plus service discovery == Rendezvous.

Paul
Russell Coker wrote:

> On Sat, 10 Jul 2004 17:23, Richard Hally rhallyx@mindspring.com wrote:
>
>> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>>
>> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
>> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
>
> What is this /usr/bin/mDNSResponder and where do I find an RPM for it?

howl-0.9.5-4 was added to /development within the last two weeks.

> Binding to port 53 is an operation for a daemon, why is it happening in user_r:user_t?

It probably does not have any policy written for it yet!

Richard Hally
On Sat, 2004-07-10 at 03:23, Richard Hally wrote:

> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>
> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket

The fact that it is running in user_u likely means that it is being started via su (to run in some pseudo user identity), and since that pseudo user identity does not exist in the policy, it is being remapped to user_u.
On Mon, 2004-07-12 at 08:53, Stephen Smalley wrote:

> The fact that it is running in user_u likely means that it is being started via su (to run in some pseudo user identity), and since that pseudo user identity does not exist in the policy, it is being remapped to user_u.

I confirmed this; /etc/init.d/mDNSResponder does a `su -s /bin/bash - nobody -c mDNSResponder` to start the daemon. As "nobody" doesn't exist as a user identity in the SELinux policy, su ends up falling back to user_u as the default. Hence, to start with, you would want to replace the use of su with a wrapper program to set the uid/gid without performing a domain transition, and you would still need to define a domain for mDNSResponder.
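A way to work through a denial like the one in this thread mechanically, as an added example that is not code from the thread, from Fedora or from the policy sources: it parses the avc line in the kernel's format of the time, prints the blanket allow rule that audit2allow-style tooling would generate, and flags the symptom described above (a daemon binary binding a reserved port from a login-user domain such as user_t) so that a dedicated domain is recommended instead of widening user_t. The LOGIN_DOMAINS set and the macro and type names in the generated skeleton (domain_auto_trans, initrc_t, file_type, sysadmfile, exec_type) are assumptions about the 2004 strict policy sources and should be checked against the installed policy.

```python
import os
import re

# Constructed sample input: the two syslog lines quoted in the thread (the
# "network:" line is noise the scanner must skip).
SAMPLE_LOG = """\
Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Login-user domains of the strict policy in which no daemon should run.
# Assumption: this set is the example's own, not taken from the policy sources.
LOGIN_DOMAINS = {"user_t", "staff_t", "sysadm_t"}


def parse_avc(line):
    """Parse one kernel 'avc: denied' line into a dict; None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Split user:role:type out of both security contexts (a fourth MLS field,
    # present on later kernels, is ignored).
    for key in ("scontext", "tcontext"):
        user, role, type_ = rec[key].split(":")[:3]
        rec[key + "_user"], rec[key + "_role"], rec[key + "_type"] = user, role, type_
    return rec


def scan(log_text):
    """Return the parsed AVC records found in a block of syslog text."""
    return [r for r in (parse_avc(line) for line in log_text.splitlines()) if r]


def allow_rule(rec):
    """The TE rule that silences the denial exactly as logged, i.e. what
    'allow user_t to bind to the dns_port' amounts to."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def daemon_in_login_domain(rec):
    """True when a program from a system binary directory binds a port from a
    login-user domain: the symptom of a missing domain transition, e.g. an
    init script starting the daemon through su to an identity the policy does
    not know, which falls back to user_u."""
    exe = rec.get("exe", "")
    return (rec["scontext_type"] in LOGIN_DOMAINS
            and exe.startswith(("/usr/bin/", "/usr/sbin/", "/sbin/", "/bin/"))
            and "name_bind" in rec["perms"])


def domain_skeleton(rec):
    """Skeleton of a dedicated domain for the denied program, in the macro
    style of the 2004 strict policy sources (assumption: the macro and
    attribute names must be checked against the installed policy)."""
    name = os.path.basename(rec["exe"]).lower()   # mDNSResponder -> mdnsresponder
    d, x = name + "_t", name + "_exec_t"
    return "\n".join([
        "type %s, domain;" % d,
        "type %s, file_type, sysadmfile, exec_type;" % x,
        "# transition from the init scripts; do not start the daemon through su",
        "domain_auto_trans(initrc_t, %s, %s)" % (x, d),
        "allow %s %s:%s { %s };" % (d, rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"])),
    ])


def triage(log_text):
    """For each denial decide between the blanket allow and a new domain."""
    out = []
    for rec in scan(log_text):
        if daemon_in_login_domain(rec):
            out.append(("define_domain", domain_skeleton(rec)))
        else:
            out.append(("allow", allow_rule(rec)))
    return out


if __name__ == "__main__":
    for verdict, text in triage(SAMPLE_LOG):
        print(verdict)
        print(text)
```

Run against the sample, the verdict is define_domain rather than a plain allow, because the denied process is a system binary doing a daemon's job from user_t; a denial whose source context is already a confined daemon domain (named_t, say) would get the one-line allow instead.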
Richard Hally wrote:

> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>
> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket

mDNSResponder is not something we ship (I think). So you need to write special policy for it or allow user_t to bind to the dns_port.

> HTH
> Richard Hally
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Mon, Jul 12, 2004 at 01:16:16PM -0400, Daniel J Walsh wrote:

> Richard Hally wrote:
>
>> When booting in enforcing mode with the latest strict policy (selinux-policy-strict-sources-1.14.1-5) the following avc denied message is produced.
>>
>> Jul 10 03:12:02 new2 network: Bringing up interface eth0: succeeded
>> Jul 10 03:12:04 new2 kernel: audit(1089443524.677:0): avc: denied { name_bind } for pid=2016 exe=/usr/bin/mDNSResponder scontext=user_u:user_r:user_t tcontext=system_u:object_r:dns_port_t tclass=udp_socket
>
> mDNSResponder is not something we ship (I think). So you need to write special policy for it or allow user_t to bind to the dns_port.

As someone else mentioned, it is being shipped in the latest Rawhide. Package is howl-0.9.5-4: Howl is a cross-platform port of Apple's "Rendezvous" (multicast DNS) service discovery and IP autoconfiguration.

gary