commit:     396ba1dae4fa1576c1c9ab3e10a4d3bbae2fe990
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 01:21:54 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=396ba1da

glusterfs: allow glusterd to bind to all TCP unreserved ports

Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for  pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
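
A way to read the two audit records above programmatically, as an added example that is not part of this commit or of the glusterfs policy module: the script below pairs the AVC record with its SYSCALL record by audit serial, decodes the syscall number and errno, extracts the source and target types, and prints the raw allow rule an audit2allow run would render for the denial (the policy module itself uses the corenet interface rather than a raw rule). The two log lines are the ones quoted in the commit message, re-joined onto single lines; the syscall and errno tables are small assumed subsets for x86_64.

```python
"""Correlate SELinux AVC denials with their SYSCALL records.

Added example, not code from the hardened-refpolicy project. The audit
records below are the two quoted in the commit message, each on one line.
"""
import re
from collections import defaultdict

# Constructed input: the two records from the commit message, joined onto single lines.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for  pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# Assumed subsets: x86_64 syscall numbers (arch=c000003e) and negative errno values.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 49: "bind", 50: "listen"}
ERRNO = {-1: "EPERM", -13: "EACCES"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')   # timestamp:serial shared by related records


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus AVC verdict/permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["_ts"], rec["_serial"] = m.group(1), int(m.group(2))
    a = AVC_RE.search(line)
    if a:
        rec["_result"] = a.group(1)
        rec["_perms"] = a.group(2).split()
    return rec


def correlate(log):
    """Group records by audit serial and describe each denial together with its syscall."""
    by_serial = defaultdict(dict)
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial[rec["_serial"]][rec["type"]] = rec

    events = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if avc is None or avc.get("_result") != "denied":
            continue
        sc = recs.get("SYSCALL", {})          # may be absent if the SYSCALL record was not logged
        events.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), sc.get("syscall")),
            "errno": ERRNO.get(int(sc.get("exit", 0)), sc.get("exit")),
            "perms": avc["_perms"],
            "tclass": avc.get("tclass"),
            "source_type": avc["scontext"].split(":")[2],   # third field of a context is the type
            "target_type": avc["tcontext"].split(":")[2],
            "port": int(avc["src"]) if "src" in avc else None,
            "enforcing": avc.get("permissive") == "0",
        })
    return events


def te_rule(event):
    """Render the raw allow rule audit2allow would print for this denial."""
    perms = event["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {event['source_type']} {event['target_type']}:{event['tclass']} {perm_str};"


if __name__ == "__main__":
    for e in correlate(AUDIT_LOG):
        mode = "enforcing" if e["enforcing"] else "permissive"
        print(f"serial {e['serial']}: {e['comm']} ({e['exe']}) {e['syscall']} -> {e['errno']}, "
              f"port {e['port']}, denied {e['perms']} on {e['tclass']} [{mode}]")
        print("  " + te_rule(e))
```

Running it shows the bind() call from the glfs_timer thread of /usr/bin/glusterfsd failing with EACCES in enforcing mode, and the raw rule `allow glusterd_t unreserved_port_t:tcp_socket name_bind;`, which is what the corenet bind interface for unreserved ports has to grant.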

 policy/modules/services/glusterfs.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index d9c77d384..fe80b732a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -108,6 +108,7 @@ corenet_tcp_connect_glusterd_port(glusterd_t)
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 corenet_udp_bind_all_rpc_ports(glusterd_t)
 corenet_udp_bind_ipp_port(glusterd_t)
 
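Review bot: the added `corenet_tcp_bind_all_unreserved_ports(glusterd_t)` sits directly under the existing `# Too coarse?` comment and widens exactly the concern it raises: combined with `corenet_tcp_bind_all_reserved_ports(glusterd_t)` on the line above, glusterd_t may now name_bind any TCP port labeled reserved or unreserved, while the commit message documents only one port, 32767, used by the glfs_timer thread. If that port is stable, consider declaring a dedicated port type for it and binding only that; failing that, add a comment next to the new line recording the glfs_timer/32767 denial that motivated it, so the grant can be narrowed later rather than silently inherited.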