Bug 391909

Summary: sec-policy/selinux-inetd needs to be allowed to bind to pop/imap ports
Product: Gentoo Linux
Reporter: Stan Sander <stsander>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---
Attachments: Patch to allow binding to pop_port_t

Description Stan Sander 2011-11-25 23:28:31 UTC
The current inetd policy does not allow xinetd to bind to pop_port_t.  This is needed if you run a pop or imap server out of xinetd.  

Nov 19 19:16:22 siren xinetd[3434]: bind failed (Permission denied (errno = 13)). service = imaps
Nov 19 19:16:22 siren xinetd[3434]: Service imaps failed to start and is deactivated.
Nov 19 19:16:22 siren xinetd[3434]: xinetd Version 2.3.14 started with loadavg options compiled in.
Nov 19 19:16:22 siren kernel: type=1400 audit(1321755382.057:233): avc:  denied  { name_bind } for  pid=3434 comm="xinetd" src=993 scontext=system_u:system_r:inetd_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
Comment 1 Stan Sander 2011-11-25 23:29:23 UTC
Created attachment 293777
Patch to allow binding to pop_port_t
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:37:15 UTC
Thanks
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-27 18:54:49 UTC
Should be in hardened-dev overlay.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-05 21:16:29 UTC
In portage tree, ~arch
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 11:25:29 UTC
Stabilized