Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 541804

Summary: rtorrent requires name_bind privilege on unreserved ports
Product: Gentoo Linux Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinuxAssignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r4
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2015-03-01 14:37:51 UTC 
$ rtorrent https://tails.boum.org/torrents/files/tails-i386-1.3.torrent
rtorrent: Could not open/bind port for listening: Permission denied

# ausearch -ts recent | head
----
time->Sun Mar  1 15:32:32 2015
type=UNKNOWN[1327] msg=audit(1425220352.926:316): proctitle=72746F7272656E740068747470733A2F2F7461696C732E626F756D2E6F72672F746F7272656E74732F66696C65732F7461696C732D693338362D312E332E746F7272656E74
type=SOCKADDR msg=audit(1425220352.926:316): saddr=02001B0E000000000000000000000000
type=SYSCALL msg=audit(1425220352.926:316): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=3c74b208e30 a2=10 a3=3c74b208dd4 items=0 ppid=16115 pid=16290 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="rtorrent" exe="/usr/bin/rtorrent" subj=staff_u:sysadm_r:rtorrent_t:s0 key=(null)
type=AVC msg=audit(1425220352.926:316): avc:  denied  { name_bind } for  pid=16290 comm="rtorrent" src=6926 scontext=staff_u:sysadm_r:rtorrent_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0


Granting "corenet_tcp_bind_all_unreserved_ports(rtorrent_t)" fixes this.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-03-01 14:46:41 UTC 
rtorrent seems to start from port 6926 and then iterates until 6999, then jumps to 6881 and goes on until 6926 again.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2015-03-04 15:35:52 UTC 
I've added TCP:6926 as an rtorrent_port_t so that we don't need to grant "all unreserved ports" usage to the application, yet still support the application as it is out-of-the-box.

In repo, will be part of rev 4
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2015-03-22 13:50:26 UTC 
Now in repo, ~arch
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 19:18:55 UTC 
r4 is stable