Bug 119989 - can't bind to X11 TCP port
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vnc
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: FC2Target
Reported: 2004-04-04 18:56 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-14 16:07:13 UTC
Type: ---
Embargoed:



Description Tim Waugh 2004-04-04 18:56:55 UTC
Description of problem:
I can't start 'vncserver' as a user_r user.  The same issue affects Xnest.

Version-Release number of selected component (if applicable):
policy-1.9.2-10

How reproducible:
100%

Steps to Reproduce:
1. Log in as a user_r user.
2. Try to run 'vncserver', 'Xvnc :5', or 'Xnest :5'
  
Actual results:
Fails.  For Xnest and Xvnc the server is started but since it doesn't
have a listener socket no X applications can be displayed on it.

Expected results:
Should work.

For vncserver:
audit(1081105249.567:0): avc:  denied  { name_bind } for  pid=2810
exe=/usr/bin/perl src=6005 scontext=tim:user_r:user_t
tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket

For Xvnc:
audit(1081105310.203:0): avc:  denied  { name_bind } for  pid=2818
exe=/usr/bin/Xvnc src=6005 scontext=tim:user_r:user_t
tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket

For Xnest:
audit(1081105195.526:0): avc:  denied  { name_bind } for  pid=2806
exe=/usr/X11R6/bin/Xnest src=6005 scontext=tim:user_r:user_t
tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket

Comment 1 Daniel Walsh 2004-04-06 17:36:40 UTC
Could you try this with setenforce 0 and see what errors are produced?

Dan

Comment 2 Tim Waugh 2004-04-06 17:45:08 UTC
Xnest/Xvnc: There are no more messages with setenforce 0, just that one.


Comment 3 Daniel Walsh 2004-04-06 17:59:32 UTC
Could you add
ifdef(`xserver.te', `
allow $1_t xserver_port_t:tcp_socket { name_bind };
')

to macros/user_macros.te and see if you can get these tools to work in 
enforcing mode?


Comment 4 Tim Waugh 2004-04-06 18:22:55 UTC
Excellent, all work fine!  Thanks!
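
Added example, not part of the original thread or of the SELinux policy tooling: a small Python parser showing how the three AVC denials in the description reduce to a single candidate allow rule, which matches the rule in Comment 3 with user_t in place of $1_t. The function names are hypothetical, and any rule derived this way is a candidate for review before it goes into policy.

```python
import re
from collections import defaultdict

# AVC denials copied from the bug description, rejoined onto single lines.
SAMPLE_LOG = """\
audit(1081105249.567:0): avc:  denied  { name_bind } for  pid=2810 exe=/usr/bin/perl src=6005 scontext=tim:user_r:user_t tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket
audit(1081105310.203:0): avc:  denied  { name_bind } for  pid=2818 exe=/usr/bin/Xvnc src=6005 scontext=tim:user_r:user_t tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket
audit(1081105195.526:0): avc:  denied  { name_bind } for  pid=2806 exe=/usr/X11R6/bin/Xnest src=6005 scontext=tim:user_r:user_t tcontext=system_u:object_r:xserver_port_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Third field of a user:role:type context, the form seen in these logs."""
    return context.split(":")[2]

def allow_rules(log):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # skip non-AVC lines and records missing a context
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```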

