packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
qsw33 703c655d68 merge patch
2023-08-24 11:33:18 +08:00

30 lines
1.7 KiB
Diff
Raw Blame History

From e91d34918bd3e80aefa7236c014a2ad537a74966 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 22 Dec 2022 13:14:35 +0100
Subject: [PATCH] Allow winbind-rpcd make a TCP connection to the ldap port
Addresses the following AVC denial:
type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc: denied { name_connect } for pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
Resolves: rhbz#2152642
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 8746918587..6143ea2622 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1205,6 +1205,7 @@ kernel_read_network_state(winbind_rpcd_t)
corecmd_exec_bin(winbind_rpcd_t)
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+corenet_tcp_connect_ldap_port(winbind_rpcd_t)
dev_getattr_fs(winbind_rpcd_t)
Reference in New Issue View Git Blame Copy Permalink