Missing ( items? in) a miniupnpd policy?

Reproducible: Always

Actual Results:
avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { create } for pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { create } for pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { create } for pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket

Apparently miniupnpd is missing in the SELinux set..

Proposed fix:
---8<---
module miniupnpd 1.0;

require {
	type initrc_t;
	class rawip_socket { getopt create };
}

#============= initrc_t ==============
allow initrc_t self:rawip_socket { getopt create };
With a restart of miniupnpd involved:

Some extra messages:
avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket
avc: denied { name_bind } for pid=7765 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc: denied { name_bind } for pid=8070 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc: denied { read write } for pid=8393 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { name_bind } for pid=8441 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc: denied { read write } for pid=8478 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { read write } for pid=8537 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
avc: denied { name_bind } for pid=8564 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc: denied { name_bind } for pid=9177 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
avc: denied { module_request } for pid=9177 comm="miniupnpd" kmod="netdev-ppp0" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system

module miniupnpd 1.0;

require {
	type kernel_t;
	type tty_device_t;
	type reserved_port_t;
	type initrc_t;
	type run_init_t;
	class tcp_socket name_bind;
	class system module_request;
	class chr_file { read write };
	class rawip_socket { getopt create };
}

#============= initrc_t ==============
allow initrc_t kernel_t:system module_request;
allow initrc_t reserved_port_t:tcp_socket name_bind;
allow initrc_t self:rawip_socket { getopt create };

#============= run_init_t ==============
allow run_init_t tty_device_t:chr_file { read write };
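The two policy modules above are the mechanical output of feeding the AVC denials to audit2allow: every denial becomes an allow rule for the same source type, target type and object class. The script below is an added example (written for this page, not miniupnpd's or the reference policy's code) that re-implements that translation on the denial lines quoted in the comments, so the reader can see exactly how "scontext/tcontext/tclass" turn into "require" and "allow" lines, including the "self" shorthand used when source and target type coincide. The denial lines embedded as SAMPLE_DENIALS are copied from the report; the function and variable names are this example's own. Note what such a module actually grants: the rules are attached to initrc_t and run_init_t, so every init script running in those domains, not only miniupnpd, gains the right to bind reserved ports, request kernel modules and open the console, which is why a dedicated miniupnpd domain is the proper fix.

```python
"""Minimal audit2allow-style generator: AVC denial lines -> policy module source.

Added example, not code from the bug or from miniupnpd. It assumes raw
"avc: denied { perms } ... scontext=... tcontext=... tclass=..." lines as
pasted in the report; the sample below is copied from those comments.
"""
import re
from collections import defaultdict

SAMPLE_DENIALS = [
    'avc: denied { getopt } for pid=7658 comm="miniupnpd" lport=255 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket',
    'avc: denied { create } for pid=7658 comm="miniupnpd" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=rawip_socket',
    'avc: denied { name_bind } for pid=7765 comm="miniupnpd" src=81 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket',
    'avc: denied { read write } for pid=8393 comm="miniupnpd" name="tty0" dev=tmpfs ino=2195 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:tty_device_t tclass=chr_file',
    'avc: denied { module_request } for pid=9177 comm="miniupnpd" kmod="netdev-ppp0" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:kernel_t tclass=system',
]

# One denial per line: the permission set in braces, then the security
# contexts and the object class further along the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Group denials: {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC line; audit2allow skips these too
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return rules


def fmt_perms(perms):
    """Single permission bare, several in braces, as in .te syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, version, rules):
    """Emit a .te source: header, require block, then allow rules per source type."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        classes[cls].update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {fmt_perms(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]

    by_src = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        by_src[src].append((tgt, cls, perms))
    for src in sorted(by_src):
        out.append(f"#============= {src} ==============")
        for tgt, cls, perms in by_src[src]:
            target = "self" if tgt == src else tgt  # same type both sides -> self
            out.append(f"allow {src} {target}:{cls} {fmt_perms(perms)};")
        out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(render_module("miniupnpd", "1.0", parse_avc(SAMPLE_DENIALS)))
```

Save the output as miniupnpd.te and it builds and loads the same way a real audit2allow module does: checkmodule -M -m -o miniupnpd.mod miniupnpd.te, then semodule_package -o miniupnpd.pp -m miniupnpd.mod, then semodule -i miniupnpd.pp. Read the generated allow lines before the last step; anything that surprises you (here, run_init_t writing to the console) is a candidate for a dontaudit rule or a bug in the service's init script rather than a permission to hand out.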
There is no policy for miniupnpd yet, so that one still needs to be created. Anyone up for this?
I stopped using SELinux, because it caused my system to misbehave more and more (amongst others vixie-cron), where all solutions I could find didn't help or broke it further. [ even in permissive mode, which is clearly NOT honored in dbus & vixie-cron ] Not using permissive mode fails ppp, dibbler, openswan and a lot more ==> no more SELinux atm. It causes much more harm than it potentially solves.
Although the question is then still valid, unless someone else steps up, I consider this to be obsolete then. Don't hesitate to reopen if you want to try out SELinux again (and who knows by then, upstream has support for miniupnpd too?)