SELinux warnings with Samba accessing hi-reserved ports on RHEL7
Issue
The following is logged to the audit log:
type=AVC msg=audit(1477868191.022:45744): avc: denied { name_bind } for pid=60347 comm="smbd" src=739 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1477868191.022:45744): arch=c000003e syscall=49 success=no exit=-13 a0=29 a1=7ffdb81ccdd0 a2=10 a3=58167a9f items=0 ppid=1510 pid=60347 auid=4294967295 uid=48 gid=0 euid=48 suid=0 fsuid=48 egid=48 sgid=0 fsgid=48 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1477868191.043:45745): avc: denied { name_bind } for pid=60347 comm="smbd" src=740 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1477868191.043:45745): arch=c000003e syscall=49 success=no exit=-13 a0=29 a1=7ffdb81ccdd0 a2=10 a3=3d items=0 ppid=1510 pid=60347 auid=4294967295 uid=48 gid=0 euid=48 suid=0 fsuid=48 egid=48 sgid=0 fsgid=48 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1477868193.266:45746): avc: denied { name_bind } for pid=60347 comm="smbd" src=741 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1477868193.266:45746): arch=c000003e syscall=49 success=no exit=-13 a0=2f a1=7ffdb81ccdd0 a2=10 a3=3d items=0 ppid=1510 pid=60347 auid=4294967295 uid=48 gid=0 euid=48 suid=0 fsuid=48 egid=48 sgid=0 fsgid=48 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1477868196.273:45747): avc: denied { name_bind } for pid=60347 comm="smbd" src=742 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
The following is from an strace log of smbd:
14:00:42 bind(28, {sa_family=AF_INET, sin_port=htons(909), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
14:00:42 setsockopt(28, SOL_IP, IP_RECVERR, [1], 4) = 0
4:00:42 recvfrom(28, "\x20\x12\xec\x72\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 400, MSG_DONTWAIT, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("10.68.217.30")}, [16]) = 28
14:00:36 bind(28, {sa_family=AF_INET, sin_port=htons(908), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
14:00:36 setsockopt(28, SOL_IP, IP_RECVERR, [1], 4) = 0
14:00:36 sendto(28, "\x42\xb8\x02\xab\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xab\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x00", 56, 0, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("10.68.217.26")}, 16) = 56
14:00:42 bind(28, {sa_family=AF_INET, sin_port=htons(909), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
14:00:42 setsockopt(28, SOL_IP, IP_RECVERR, [1], 4) = 0
14:00:42 sendto(28, "\x20\x12\xec\x72\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xab\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x00", 56, 0, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("10.68.217.30")}, 16) = 56
14:00:42 poll([{fd=28, events=POLLIN}], 1, 5000) = 1 ([{fd=28, revents=POLLIN}])
14:00:42 recvfrom(28, "\x20\x12\xec\x72\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 400, MSG_DONTWAIT, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("10.68.217.30")}, [16]) = 28
14:00:42 close(28) = 0
14:00:42 getegid() = 48
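The audit records and the strace excerpt above can be read together: the AVC lines say which UDP ports smbd_t was refused, and the 56-byte sendto payloads and 28-byte recvfrom payloads are ONC RPC portmapper GETPORT exchanges. The following Python is an added example, not code from the article or from Samba, that parses one AVC record and decodes one call/reply pair; the sample records are copied from the lines above, the program-number names (100000 portmapper, 100011 rquotad) come from the standard /etc/rpc table, and the 512-1023 range check reflects how the RHEL 7 targeted policy labels hi_reserved_port_t.

```python
import re
import struct

# Constructed sample input copied from the article's records (one AVC denial and the
# matching strace sendto/recvfrom payloads with xid 0x2012ec72), embedded so this runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1477868191.022:45744): avc: denied { name_bind } for '
    'pid=60347 comm="smbd" src=739 scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket'
)
SAMPLE_CALL = (
    r"\x20\x12\xec\x72\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0"
    r"\x00\x00\x00\x02\x00\x00\x00\x03"
    r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    r"\x00\x01\x86\xab\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x00"
)
SAMPLE_REPLY = (
    r"\x20\x12\xec\x72\x00\x00\x00\x01\x00\x00\x00\x00"
    r"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perm": m.group("perm"),
        "pid": int(kv["pid"]),
        "comm": kv["comm"],
        "port": int(kv["src"]),
        "source_type": kv["scontext"].split(":")[2],   # e.g. smbd_t
        "target_type": kv["tcontext"].split(":")[2],   # e.g. hi_reserved_port_t
        "tclass": kv["tclass"],
    }

def is_hi_reserved(port):
    """True for the 512-1023 range the RHEL 7 targeted policy labels hi_reserved_port_t."""
    return 512 <= port <= 1023

def unescape_strace(s):
    """Turn strace's \\xNN rendering of a buffer back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
RPC_PROGRAM_NAMES = {100000: "portmapper", 100011: "rquotad"}   # from /etc/rpc
IPPROTO_NAMES = {6: "tcp", 17: "udp"}

def _xdr_padded(n):
    """XDR opaque data is padded to a multiple of four bytes."""
    return (n + 3) & ~3

def decode_getport_call(buf):
    """Decode an ONC RPC CALL (RFC 5531 header) to portmapper v2 GETPORT (RFC 1833)."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", buf[:24])
    if mtype != 0:
        raise ValueError("not an RPC CALL")
    if (prog, vers, proc) != (PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        raise ValueError("not a portmapper v2 GETPORT call")
    off = 24
    for _ in ("cred", "verf"):                      # two opaque_auth structures
        _flavor, length = struct.unpack(">2I", buf[off:off + 8])
        off += 8 + _xdr_padded(length)
    tprog, tvers, tprot, _tport = struct.unpack(">4I", buf[off:off + 16])
    return {
        "xid": xid,
        "program": tprog,
        "program_name": RPC_PROGRAM_NAMES.get(tprog, "unknown"),
        "version": tvers,
        "protocol": IPPROTO_NAMES.get(tprot, str(tprot)),
    }

def decode_getport_reply(buf):
    """Decode the accepted REPLY; a port of 0 means the program is not registered there."""
    xid, mtype, reply_stat = struct.unpack(">3I", buf[:12])
    if mtype != 1 or reply_stat != 0:
        raise ValueError("not an accepted RPC REPLY")
    _flavor, length = struct.unpack(">2I", buf[12:20])   # verifier opaque_auth
    off = 20 + _xdr_padded(length)
    accept_stat, port = struct.unpack(">2I", buf[off:off + 8])
    return {"xid": xid, "accept_stat": accept_stat, "port": port, "registered": port != 0}

def explain(avc_line, call_escaped, reply_escaped):
    """Tie the denial and the RPC exchange together into one summary dict."""
    avc = parse_avc(avc_line)
    call = decode_getport_call(unescape_strace(call_escaped))
    reply = decode_getport_reply(unescape_strace(reply_escaped))
    return {
        "process": f'{avc["comm"]}[{avc["pid"]}] ({avc["source_type"]})',
        "denied": f'{avc["perm"]} on {avc["tclass"]} port {avc["port"]} ({avc["target_type"]})',
        "denied_port_is_hi_reserved": is_hi_reserved(avc["port"]),
        "lookup": f'portmapper GETPORT for {call["program_name"]} v{call["version"]}/{call["protocol"]}',
        "xid_match": call["xid"] == reply["xid"],
        "answer": f'port {reply["port"]}' if reply["registered"] else "not registered",
    }

if __name__ == "__main__":
    for key, value in explain(SAMPLE_AVC, SAMPLE_CALL, SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

Run against the article's records this shows the denied binds are the reserved source ports of a portmapper lookup for rquotad (program 100011) over UDP, and that the host at 10.68.217.30 answered port 0, i.e. no rquotad registered; that distinguishes these AVCs from anything to do with Samba's own listening ports.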
Environment
Red Hat Enterprise Linux 7.2
Samba 4.2.10-7