Klaus Weidner wrote:
> On Mon, Dec 18, 2006 at 06:52:47PM -0600, Loulwa Salem wrote:
> > Hi,
> > I am writing a testcase that uses netcat (nc) as part of my cipso testing.
> > I ran into a slight problem when in Enforcing mode.
> > user_r, sysadm_r, or secadm_r can't execute nc ... below are the AVC
> > records I was seeing and the policy I used to fix it.
> >
> > type=AVC msg=audit(1166479344.923:3782): avc: denied { name_bind } for pid=31873 comm="nc" src=3333 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> More precisely, users can execute nc, but don't have permission to
> actually use TCP ports. This breaks all networking by user apps that
> don't have specific policy. This needs to be fixed...
>
> -Klaus
Written up in policy we have:

    # Allow users to run TCP servers (bind to ports and accept connection from
    # the same domain and outside users) disabling this forces FTP passive mode
    # and may change other protocols
    tunable_policy(`user_tcp_server',`
        corenet_tcp_bind_all_nodes($1_t)
        corenet_tcp_bind_generic_port($1_t)
    ')
So setting this boolean should fix the problem.
setsebool -P user_tcp_server=1
Do we want this set as default for MLS?
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
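Added example (not from the thread or from the reference policy): a small POSIX shell triage script that parses AVC records of the shape quoted above and reports which of them the user_tcp_server tunable would actually address. The first sample record is the one from the thread; the other three are constructed for contrast. The mapping encodes two assumptions stated in the tunable_policy block: the rules are added to the $1_t user domains (user_t, staff_t, sysadm_t, secadm_t are assumed here), and corenet_tcp_bind_generic_port() only grants name_bind on ports labelled port_t, so a bind to a port with a specific type such as http_port_t is not fixed by flipping the boolean.

```shell
#!/bin/sh
# Triage AVC denials against the user_tcp_server tunable.
# Constructed sample audit lines: record 1 is the one quoted in the thread,
# records 2-4 are made up for this example (not captured from a real system).
AVC_SAMPLE='type=AVC msg=audit(1166479344.923:3782): avc: denied { name_bind } for pid=31873 comm="nc" src=3333 scontext=root:secadm_r:secadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1166479400.100:3790): avc: denied { name_bind } for pid=31890 comm="nc" src=3333 scontext=staff_u:user_r:user_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1166479500.200:3801): avc: denied { name_bind } for pid=31900 comm="nc" src=80 scontext=staff_u:user_r:user_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1166479600.300:3812): avc: denied { read } for pid=31910 comm="nc" name="shadow" scontext=staff_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of "KEY=value" in one AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm RECORD: print the (first) denied permission, e.g. name_bind.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\).*/\1/p'
}

# avc_suggest RECORD: print "user_tcp_server" when the denial is a TCP
# name_bind from a user domain to a generic port_t port (what the tunable
# grants), otherwise a "no-boolean: ..." explanation.
avc_suggest() {
    rec=$1
    perm=$(avc_perm "$rec")
    tclass=$(avc_field "$rec" tclass)
    stype=$(avc_field "$rec" scontext | cut -d: -f3)   # user:role:TYPE:...
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)

    if [ "$perm" != name_bind ] || [ "$tclass" != tcp_socket ]; then
        echo "no-boolean: $perm on $tclass is not a tcp_socket name_bind denial"
        return 0
    fi
    # Assumed set of $1_t user domains the tunable_policy block is expanded for.
    case "$stype" in
        user_t|staff_t|sysadm_t|secadm_t) ;;
        *) echo "no-boolean: user_tcp_server does not cover domain $stype"; return 0 ;;
    esac
    # corenet_tcp_bind_generic_port() only allows binding to port_t; ports with
    # a specific type (http_port_t, ...) need their own policy.
    if [ "$ttype" != port_t ]; then
        echo "no-boolean: $ttype is a port-specific type; corenet_tcp_bind_generic_port only covers port_t"
        return 0
    fi
    echo user_tcp_server
}

# avc_triage: one line per sample record: comm, port, verdict.
avc_triage() {
    printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r rec; do
        [ -n "$rec" ] || continue
        printf '%s src=%s %s\n' "$(avc_field "$rec" comm)" \
            "$(avc_field "$rec" src)" "$(avc_suggest "$rec")"
    done
}

# avc_fixable_count: how many sample records the boolean would fix.
avc_fixable_count() {
    avc_triage | grep -c ' user_tcp_server$'
}

avc_triage
```

On a real box the follow-up is the commands from the thread: check the current value with `getsebool user_tcp_server`, set it persistently with `setsebool -P user_tcp_server=1`, re-run the `nc` listener, and confirm with `ausearch -m avc -c nc` that no new name_bind denial was logged. Records the script marks as port-specific or from another domain will keep failing after the boolean is set and need an explicit allow rule instead.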