Problem with selinux

Kerry Thompson kerry at security.geek.nz
Fri Jul 11 22:20:10 UTC 2008


Lars Hecking wrote:
>  While we're on the issue of random ports, has anyone thought of how to
>  configure selinux for the new port-randomising bind versions?
>
>  Previous bind versions were easy to administer in this regard, without
>  in-depth knowledge of selinux: run audit2allow on /var/log/messages,
>  create and deploy named policy. Maybe repeat once or twice until all
>  operations performed by named have been caught.
>
>  This can no longer be done. Either one needs to know how to create
>  selinux policies manually, or turn it off altogether. That's less
>  security, not more.
>
>  I would be particularly interested in comments from RedHat people :)
>
Hi Lars

Redhat included a patch to the named policy in their batch for BIND, see 
http://lwn.net/Articles/289264/ (& search for selinux). Sometimes 
audit2allow just doesn't give you what you really want :-). It seems 
what they've done is to permit the name_bind domain to bind() to any udp 
source socket, from the patch:

--- policy-1.17.30/domains/program/unused/named.te~     2008-07-01 
11:24:40.000000000 -0400
+++ policy-1.17.30/domains/program/unused/named.te      2008-07-01 
11:24:13.000000000 -0400
@@ -69,7 +69,7 @@ can_tcp_connect(domain, named_t)
 log_domain(named)

 # Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
+allow named_t port_type:udp_socket name_bind;
 allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;

 bool named_write_master_zones false;
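Review bot: the comment "# Bind to the named port." above the changed line is now stale: port_type is the attribute carried by every SELinux port type, so "allow named_t port_type:udp_socket name_bind;" lets named_t bind a UDP socket to any labelled port, including ports labelled for other services, not only dns_port_t. If the intent is only to support randomised UDP source ports, update the comment to say so and record the widening in the changelog, so that reviewers of the policy can see that the breadth is deliberate rather than an oversight.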

So if you have policy sources then replacing that one line will fix it 
up. Otherwise you could just add the port_type:udp_socket line to a 
local policy file and load it.
I'm no Redhat person, the Redhat SELinux mailing list might be a better 
place if you want a more in-depth answer.

Kerry
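The "add it to a local policy file and load it" route, written out as an added example (this is not code from the mail, from Red Hat, or from the BIND project). It assumes the modular policy toolchain (checkmodule, semodule_package, semodule) rather than the monolithic policy sources the patch above targets; the module name local_named_udp is a label chosen here, and the sesearch check at the end needs setools.

```shell
#!/bin/sh
# Added example: build and load a small local SELinux policy module carrying
# the one rule the Red Hat patch adds, then show what it actually granted.
# The module name "local_named_udp" is an assumption chosen for this example.
set -e

# Emit the module source. "port_type" is the attribute every SELinux port
# type carries, so this rule lets named_t bind UDP sockets to any labelled
# port, not just dns_port_t; that breadth is the trade-off being accepted.
write_local_named_te() {
    cat <<'EOF'
module local_named_udp 1.0;

require {
    type named_t;
    attribute port_type;
    class udp_socket name_bind;
}

# Let named bind() its randomised UDP source ports (mirrors the Red Hat patch).
allow named_t port_type:udp_socket name_bind;
EOF
}

# Count the allow rules in the generated source (a self-check before loading).
count_allow_rules() {
    write_local_named_te | grep -c '^allow '
}

# Compile, package and load the module. When the policy toolchain is absent
# the source is written out and the function returns 0, so the script can be
# dry-run on any host; on a real target semodule -i must be run as root.
build_and_load() {
    workdir=$(mktemp -d)
    write_local_named_te > "$workdir/local_named_udp.te"
    if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
        echo "SELinux policy tools not installed; source left in $workdir/local_named_udp.te" >&2
        return 0
    fi
    checkmodule -M -m -o "$workdir/local_named_udp.mod" "$workdir/local_named_udp.te"
    semodule_package -o "$workdir/local_named_udp.pp" -m "$workdir/local_named_udp.mod"
    semodule -i "$workdir/local_named_udp.pp"
    # Review what named_t may now bind to; sesearch comes from setools.
    if command -v sesearch >/dev/null 2>&1; then
        sesearch --allow -s named_t -c udp_socket -p name_bind
    fi
}

# Only load when explicitly asked, e.g.: sh local_named_udp.sh --load
if [ "${1:-}" = "--load" ]; then
    build_and_load
fi
```

The sesearch step is the part worth keeping: after loading, it lists every udp_socket name_bind rule for named_t, which makes the width of the port_type rule visible on the box rather than buried in a .te file.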
