Bug 1321787

Summary: SELinux prevents prosody from name_bind to TCP port 5582
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-81.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 02:46:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2016-03-29 07:27:21 UTC 
Description of problem:
 * SELinux denials appear when following line in /etc/prosody/prosody.cfg.lua is commented out:
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

Version-Release number of selected component (if applicable):
prosody-0.9.10-1.el7.x86_64
selinux-policy-3.13.1-67.el7.noarch
selinux-policy-devel-3.13.1-67.el7.noarch
selinux-policy-doc-3.13.1-67.el7.noarch
selinux-policy-minimum-3.13.1-67.el7.noarch
selinux-policy-mls-3.13.1-67.el7.noarch
selinux-policy-sandbox-3.13.1-67.el7.noarch
selinux-policy-targeted-3.13.1-67.el7.noarch

How reproducible:
always

Steps to Reproduce:
# grep admin_telnet /etc/prosody/prosody.cfg.lua 
		"admin_telnet"; -- Opens telnet console interface on localhost port 5582
# setsebool -P nis_enabled off
# service prosody start

Actual results (enforcing mode):
----
type=SOCKADDR msg=audit(03/29/2016 09:16:56.516:196) : saddr=inet host:127.0.0.1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 09:16:56.516:196) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x24f8380 a2=0x10 a3=0x5 items=0 ppid=25592 pid=25593 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 09:16:56.516:196) : avc:  denied  { name_bind } for  pid=25593 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
type=SOCKADDR msg=audit(03/29/2016 09:16:56.521:197) : saddr=inet6 host:::1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 09:16:56.521:197) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x7 a1=0x24faa40 a2=0x1c a3=0x6 items=0 ppid=25592 pid=25593 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 09:16:56.521:197) : avc:  denied  { name_bind } for  pid=25593 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2016-03-29 08:19:02 UTC 
Following AVC appeared after switching the prosody_t domain to permissive:
----
type=SOCKADDR msg=audit(03/29/2016 10:17:27.831:517) : saddr=inet host:127.0.0.1 serv:5582 
type=SYSCALL msg=audit(03/29/2016 10:17:27.831:517) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x7 a1=0x23fdc20 a2=0x10 a3=0x5 items=0 ppid=1678 pid=1681 auid=unset uid=prosody gid=prosody euid=prosody suid=prosody fsuid=prosody egid=prosody sgid=prosody fsgid=prosody tty=(none) ses=unset comm=lua exe=/usr/bin/lua subj=system_u:system_r:prosody_t:s0 key=(null) 
type=AVC msg=audit(03/29/2016 10:17:27.831:517) : avc:  denied  { name_bind } for  pid=1681 comm=lua src=5582 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----
Comment 7 errata-xmlrpc 2016-11-04 02:46:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html