need selinux and saned help

asked 2017-12-20 15:39:47 -0500

toddandmargo

Hi All,

I am trying to run

# systemctl start saned.socket

And SELinux is taking a shine to it. The commands that it says to run do not work and the same SELinux error keeps appearing:

SELinux is preventing systemd from listen access on the tcp_socket port None.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed listen access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                port None [ tcp_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.18.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rn4.xx.local
Platform                      Linux 4.14.7-300.fc27.x86_64
                              #1 SMP Mon Dec 18 16:06:12 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-12-20 13:35:43 PST
Last Seen                     2017-12-20 13:35:46 PST
Local ID                      0e806a1d-c379-4c0e-993b-286c5828ef2b

Raw Audit Messages
type=AVC msg=audit(1513805746.614:968): avc:  denied  { listen } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0

Hash: systemd,init_t,unconfined_service_t,tcp_socket,listen

What am I missing?

Many thanks, -T

1 Answer

answered 2017-12-20 16:05:39 -0500

scottro

Did you try the instructions given in the error message to allow it?

Yes I did. That is what I meant by "the commands that it says to run".

toddandmargo ( 2017-12-20 17:08:32 -0500 )

To be explicit:

ausearch -c 'systemd' --raw | audit2allow -M my-systemd
semodule -X 300 -i my-systemd.pp

You should also report that as an error.

villykruse ( 2017-12-21 02:45:38 -0500 )

Those are the commands I ran.

toddandmargo ( 2017-12-21 19:02:22 -0500 )

I just created

SELinux is preventing systemd from listen access on the tcp socket

toddandmargo ( 2017-12-21 21:11:59 -0500 )

You should expect to run into additional SELinux errors. So first you fix the listen issue, then you fix the accept issue, and so on. If you set setenforce Permissive you can catch all the issues in one go.

Eventually, the following operations need to be allowed.

allow init_t unconfined_service_t:tcp_socket { accept bind create getattr ioctl listen setopt };

villykruse ( 2017-12-22 01:53:22 -0500 )
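
Added example, not part of the original thread and not audit2allow's own code: a sketch of the aggregation step, showing why one enforcing-mode denial yields only `listen` while a permissive-mode run collapses into the single rule quoted in the last comment. Only the first log line comes from the question; the other lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the question. Every other line is a
# constructed sample of what a permissive-mode run could additionally log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1513805746.614:968): avc:  denied  { listen } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1513809000.100:1001): pid=1 uid=0 msg='unit=example comm="systemd" res=success'
type=AVC msg=audit(1513809001.200:1002): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1513809001.201:1003): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1513809001.202:1004): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1513809001.203:1005): avc:  denied  { listen } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1513809001.204:1006): avc:  denied  { getattr ioctl } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1513809002.300:1007): avc:  denied  { accept } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial, e.g. SERVICE_START records
            continue
        key = (selinux_type(m.group("scon")), selinux_type(m.group("tcon")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules

def to_allow_rules(rules):
    """Render each group as one type-enforcement allow statement."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        body = "{ %s }" % plist if len(perms) > 1 else plist
        out.append("allow %s %s:%s %s;" % (src, tgt, tclass, body))
    return out

if __name__ == "__main__":
    print("\n".join(to_allow_rules(collect_denials(SAMPLE_AUDIT_LOG))))
```
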

Last updated: Dec 20 '17