search for: name_bind

Displaying 11 results from an estimated 11 matches for "name_bind".

2012 Oct 22
1
SELinux AVC problem postfix <-> dspam
...n a CentOS 6.3 x86_64 box I have installed postfix and dspam from EPEL. Dspam is configured to listen on port 10026. After having configured dspam and postfix I start dspam and then postfix and I see the following AVC message in audit.log: type=AVC msg=audit(1350920492.936:400): avc: denied { name_bind } for pid=19971 comm="master" src=10026 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1350920492.936:400): arch=c000003e syscall=49 success=no exit=-13 a0=5b a1=7f015fa63b30 a2=10 a3=7fff6b2...
2008 Aug 26
3
Amavisd Howto
...type var_t; type postfix_smtpd_t; type initrc_t; type proc_t; class unix_stream_socket connectto; class file { read getattr }; class sock_file write; class lnk_file { read create unlink getattr }; class udp_socket name_bind; class dir { read search }; } #============= amavis_t ============== allow amavis_t amavis_var_lib_t:lnk_file { read create unlink getattr }; allow amavis_t traceroute_port_t:udp_socket name_bind; #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow cl...
2018 Oct 04
2
NetworkManager, multiple IPs, and selinux...
Hello, I was wondering if anyone has seen issues with selinux name_bind denials that result from having IP:PORT bindings for services to specific IP addresses managed on an interface under NetworkManager's control? I do realize that people will probably say stop using NetworkManager, and I may, but the behavior is strange, and I'd like to have a better underst...
2023 Oct 17
1
"Could not create listener socket on port" error only when using systemd service
...'ve got going btw? Sounds > related. Post the part of the config for this if you're able. > It's rather caused by a SELinux policy which only allows icecast daemon to listen on TCP/8000 port: # sesearch --allow -s icecast_t -c tcp_socket [...] allow icecast_t port_type:tcp_socket name_bind; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket name_connect; [ icecast_use_any_tcp_ports ]:True allow icecast_t port_type:tcp_socket { recv_msg send_msg }; [ icecast_use_any_tcp_ports ]:True allow icecast_t soundd_port_t:tcp_socket { name_bind name_connect recv_msg send_ms...
2023 Oct 16
1
"Could not create listener socket on port" error only when using systemd service
On 10/16/23 10:37, Michael C Cambria wrote: > > Hi, > > I'm using icecast via Fedora 37 package and systemd service to start. > > I've added multiple <listen-socket> but get: > > "EROR connection/connection_setup_sockets Could not create listener > socket on port xxx" *snip* That error sounds like it could either be an issue relating to which
2007 Mar 12
2
selinux disable but still working
...e of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted But during the boot I see selinux warnings and some software won't start correctly: audit(1173699978.909:2): avc: denied { name_bind } for pid=2407 comm="piranha_gui" src=3636 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket audit(1173699978.943:3): avc: denied { append } for pid=2407 comm="piranha_gui" name="piranha-gui" dev=dm-0 ino=2338608 scontext=user...
2018 Sep 09
1
Type enforcement / mechanism not clear
On 09/09/2018 07:19 AM, Daniel Walsh wrote: > sesearch -A -s httpd_t -t system_conf_t -p read > > If you feel that these files should not be part of the base_ro_files > then we should open that for discussion. I think the question was how users would know that the policy allowed access, as he was printing rules affecting httpd_t's file read access, and looking for
2012 Jun 15
1
Puppet + Passenger SELinux issues
...}; class unix_stream_socket { getattr accept read write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink }; class lnk_file { getattr read }; class udp_socket name_bind; class dir { getattr setattr add_name remove_name search open read write ioctl lock }; } #============= httpd_t ============== allow httpd_t port_t:udp_socket name_bind; allow httpd_t proc_net_t:file { read getattr open }; allow httpd_t bin_t:file entrypoint; allow httpd_t passenger_t:proce...
2009 Oct 04
2
deliver stopped working
..._t; type postfix_master_t; type rpcd_t; type dovecot_t; type klogd_t; type udev_t; type clamd_t; type mysqld_port_t; type initrc_var_run_t; type var_t; type postfix_qmgr_t; type postfix_pipe_t; type crond_t; class process ptrace; class unix_stream_socket connectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #===========...
2007 Apr 18
1
[Bridge] recent crashes? Linux kernel 2.6.18-1.2239.fc5 (Linux Fedora Core 5)
At the risk of angering the crash Gods, my system has NOT crashed again since I downgraded the kernel from 2.6.18-1.2239.fc5 to 2.6.18-1.2200.fc5. Given that newfound stability, and my lack of time, I'm going to put on hold any further diagnostics, until the next kernel revision is released. I have submitted a report at bugzilla.redhat.com (bug 218128). (Ah, nuts; accidentally created a
2013 Jul 07
1
Getting ERROR: parsing the volfile failed (No such file or directory) when starting glusterd on Fedora 19
...sterd.service [root@chicago-fw1 system]# tail /var/log/messages Jul 7 06:18:28 chicago-fw1 dbus-daemon[508]: dbus[508]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jul 7 06:18:29 chicago-fw1 setroubleshoot: SELinux is preventing /usr/sbin/glusterfsd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 6ef33b0e-94fc-4eba-8a11-f594985ba312 Jul 7 06:18:30 chicago-fw1 systemd[1]: Started GlusterFS an clustered file-system server. Jul 7 06:18:30 chicago-fw1 systemd[1]: Starting GlusterFS an clustered file-system server... Jul...