Description
Josep 'Pep' Turro Mauri
2015-03-04 19:38:35 UTC
Description of problem:
Java applications running inside an OpenShift gear can not use IPv6 connectivity. This includes e.g. trying to connect from an app to an external service that is provided via IPv6; or using Jenkins on an IPv6 based OSE deployment.
This is because the JVM tries to determine if the system has IPv6 enabled by reading /proc/net/if_inet6, which has SELinux type proc_net_t. This access is denied by SELinux by design (CVE-2014-3602).
Version-Release number of selected component (if applicable):
OpenShift 2.2.x, java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6
How reproducible:
Always
Steps to Reproduce:
1. Have an OpenShift environment with IPv6 enabled
2. From within a gear, try to run a Java application that connects to an IPv6 based service
Actual results:
Exception in thread "main" java.net.SocketException: Protocol family unavailable
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:579)
        ...
Expected results:
Ideally it should be possible to use IPv6 from within a gear to access IPv6 services.
Additional info:
It seems that OpenJDK on Linux uses /proc/net/if_inet6 to decide if the system supports IPv6:
http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/9b8c96f96a0f/src/solaris/native/java/net/net_util_md.c#l308
which fails due to SELinux:
type=AVC msg=audit(1425497336.028:3867): avc: denied { read } for pid=1494 comm="java" name="if_inet6" dev=proc ino=4026532162 scontext=unconfined_u:system_r:openshift_t:s0:c2,c614 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1425497336.028:3867): avc: denied { open } for pid=1494 comm="java" name="if_inet6" dev=proc ino=4026532162 scontext=unconfined_u:system_r:openshift_t:s0:c2,c614 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
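Added example (not part of the bug report and not OpenJDK's code): a small C program that mirrors the two-stage probe the linked net_util_md.c performs, first creating an AF_INET6 socket and then reading the first line of /proc/net/if_inet6, so the effect of the SELinux denial can be reproduced and explained outside the JVM. The function names, the "reason" out-parameter and the if_inet6 line written by the self-test helper are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Format an explanation into the caller's buffer, if one was supplied. */
static void explain(char *reason, size_t len, const char *fmt, ...)
{
    va_list ap;
    if (reason == NULL || len == 0)
        return;
    va_start(ap, fmt);
    vsnprintf(reason, len, fmt, ap);
    va_end(ap);
}

/* Stage 1 of the JDK-style probe: can this process create an AF_INET6
 * socket at all?  Returns 1 if yes, 0 if not. */
int probe_af_inet6_socket(char *reason, size_t len)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) {
        explain(reason, len, "socket(AF_INET6) failed: %s", strerror(errno));
        return 0;
    }
    close(fd);
    explain(reason, len, "socket(AF_INET6) succeeded");
    return 1;
}

/* Stage 2, the Linux-only check that tripped SELinux on the gear: open the
 * if_inet6 table and read its first line.  A missing file, a permission
 * error (EACCES, which is what the AVC denials above produce) and an empty
 * table are all folded into "no IPv6"; that is why the JVM surfaces
 * "Protocol family unavailable" rather than a permission error. */
int probe_if_inet6_file(const char *path, char *reason, size_t len)
{
    char line[256];
    FILE *fp = fopen(path, "r");
    if (fp == NULL) {
        explain(reason, len, "fopen(%s) failed: %s", path, strerror(errno));
        return 0;
    }
    if (fgets(line, sizeof line, fp) == NULL) {
        fclose(fp);
        explain(reason, len, "%s is empty: no IPv6 addresses configured", path);
        return 0;
    }
    fclose(fp);
    line[strcspn(line, "\n")] = '\0';
    explain(reason, len, "%s readable, first entry: %s", path, line);
    return 1;
}

/* Combined verdict, applying the two checks in the same order as the JVM. */
int ipv6_supported_like_jdk(const char *if_inet6_path, char *reason, size_t len)
{
    if (!probe_af_inet6_socket(reason, len))
        return 0;
    return probe_if_inet6_file(if_inet6_path, reason, len);
}

/* Self-test helper: runs stage 2 against a constructed temporary file so the
 * file-handling paths can be exercised on a host with no IPv6 at all.
 * with_entry=1 writes one made-up line in the kernel's if_inet6 column
 * layout (address, ifindex, prefix length, scope, flags, interface name).
 * Returns the stage-2 verdict, or -1 if the temp file could not be created. */
int probe_constructed_if_inet6(int with_entry)
{
    char path[] = "/tmp/if_inet6_XXXXXX";
    char reason[512];
    int verdict, fd = mkstemp(path);

    if (fd < 0)
        return -1;
    if (with_entry) {
        const char *entry = "fe800000000000000000000000000001 02 40 20 80     eth0\n";
        size_t n = strlen(entry);
        if (write(fd, entry, n) != (ssize_t)n) {
            close(fd);
            unlink(path);
            return -1;
        }
    }
    close(fd);
    verdict = probe_if_inet6_file(path, reason, sizeof reason);
    unlink(path);
    return verdict;
}

int main(void)
{
    char reason[512];
    int ok = ipv6_supported_like_jdk("/proc/net/if_inet6", reason, sizeof reason);
    printf("%s\nIPv6 %s\n", reason,
           ok ? "usable" : "NOT usable: a JVM here would throw \"Protocol family unavailable\"");
    return ok ? 0 : 1;
}
```

Build with `gcc -o ipv6probe ipv6probe.c` and run it from inside the gear. To reproduce the report it has to run under the gear's own SELinux context (the scontext openshift_t shown in the AVC lines); a root shell in unconfined_t can read proc_net_t and will report the file as readable, which is exactly the difference that makes this bug easy to miss when testing from the host. The interesting outcome is stage 1 succeeding while stage 2 fails with EACCES: the kernel has IPv6, the policy is merely hiding the table, and the JVM cannot tell the two apart.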
Comment 11
Brenton Leanhardt
2015-03-23 14:08:26 UTC
*** Bug 1160657 has been marked as a duplicate of this bug. ***