| Field | Value |
|---|---|
| Summary | SELinux is preventing icecc-scheduler from 'name_bind' accesses on the udp_socket port 8765. |
| Product | Fedora |
| Reporter | Daniel <code> |
| Component | icecream |
| Assignee | Michal Schmidt <mschmidt> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 24 |
| CC | dominick.grift, dwalsh, giles, helio, lvrabec, mgrepl, mschmidt, plautrba, pmoore, ssekidde |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:f7b4294a2c02fbf852d1d542f3a092e8c1feebb3276171637514d01ceb57f882;VARIANT_ID=workstation; |
| Fixed In Version | icecream-1.1-0.5.rc2.ga79f70f.fc24, icecream-1.1-0.5.rc2.ga79f70f.fc25 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2016-11-23 03:53:05 UTC |
The policy for icecream is shipped in the icecream package. Reassigning to myself. I already noticed this avc on my system while working on bug 1389570.

icecream-1.1-0.3.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

icecream-1.1-0.3.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

Thanks for pushing the update. This is not resolved for me by installing icecream 1.1-0.3.rc2.ga79f70f.fc25 from testing-updates. After `sudo systemctl start icecc-scheduler` SELinux Troubleshooter says: SELinux is preventing icecc-scheduler from name_bind access on the udp_socket port 8765. I also tried installing selinux-policy 3.13.1-222.fc25, but the exception still occurs.

Were you running the updated kernel at the time, Ralph? I also got this on one of three test machines, and that machine hadn't been rebooted with the updated kernel that introduced the original problem.

I did try rebooting. The machine is running kernel 4.8.6-300.fc25.x86_64.

icecream-1.1-0.3.rc2.ga79f70f.fc24.1 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

Ralph, please attach the output of "semanage port -l" (as root).
Created attachment 1219485 [details]
semanage port -l on Fedora 25

```
$ sudo semanage port -l | grep 8765
lirc_port_t tcp 8765
$ sudo semanage port -l | grep ice
icecc_scheduler_port_t tcp 8766
iceccd_port_t tcp 10245
```

Port list from https://github.com/icecc/icecream

- TCP/10245 on the daemon computers (required)
- TCP/8765 for the scheduler computer (required)
- TCP/8766 for the telnet interface to the scheduler (optional)
- UDP/8765 for broadcast to find the scheduler (optional)

The %post script of the package should have marked UDP port 8765 as icecc_scheduler_port_t. I don't know why it was not successful on your system.
You can see the script in the package:
rpm -q --qf '%{postin}' icecream
The relevant part is this loop:
```sh
for selinuxvariant in mls strict targeted; do
{
echo "port -a -S ${selinuxvariant} -t iceccd_port_t -p tcp 10245"
echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8766"
echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765"
# tcp 8765 is taken by LIRC. icecream.te knows it.
# echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p tcp 8765"
} | semanage -i - 2>/dev/null
done
```
Try running it manually. Remove the "2>/dev/null" redirection to see possible errors.
Running the `semanage port` command manually resolves the issue. So why isn't the postin script working?
On a different machine I confirmed the bug by installing icecream, trying to start icecc-scheduler, upgrading to the version in testing-updates, trying to start again.
I then did:
```
$ for selinuxvariant in mls strict targeted; do echo "port -a -S ${selinuxvariant} -t icecc_scheduler_port_t -p udp 8765" | sudo semanage -i -; done
ValueError: Port udp/8765 already defined
ValueError: Port udp/8765 already defined
$ sudo semanage port -l | grep 8765
[sudo] password for giles:
icecc_scheduler_port_t udp 8765
lirc_port_t tcp 8765
```
Which shows the port added. After that, I was able to start the service.
semanage behaves differently than I expected. When given multiple commands in the input, it quits immediately after encountering an error. When upgrading from a previous version of icecream, port tcp/10245 is already defined, so the command to add udp/8765 is not even reached. I will change the scriptlet to define the ports in separate semanage calls for robustness.

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-39d33df0e3

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-330757967d

icecream-1.1-0.5.rc2.ga79f70f.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

icecream-1.1-0.5.rc2.ga79f70f.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
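The separate-call approach the maintainer describes above (one semanage invocation per port, so an "already defined" error for tcp/10245 cannot stop udp/8765 from being labelled), written out as an added example that is not the icecream package's own scriptlet, together with a check of `semanage port -l` output. The variable SEMANAGE and the functions label_port, define_icecc_ports and port_labelled are names chosen here, and the listing at the end is constructed, not taken from a live host.

```shell
# Added example, not the icecream %post scriptlet: each port gets its own
# semanage call, so a port that is already defined (e.g. tcp/10245 left over
# from the previous icecream version) cannot abort the definition of udp/8765
# the way a single "semanage -i -" batch does.

# Ports the scheduler and daemon need, as "type proto port" (from the bug).
ICECC_PORTS="iceccd_port_t tcp 10245
icecc_scheduler_port_t tcp 8766
icecc_scheduler_port_t udp 8765"

# Label one port in one policy store. SEMANAGE defaults to the real tool and
# can be pointed at a stub for dry runs; stderr is left visible on purpose.
label_port() {   # $1 store, $2 type, $3 proto, $4 port
    "${SEMANAGE:-semanage}" port -a -S "$1" -t "$2" -p "$3" "$4"
}

# Define all ports in one store, one call each; keep going past failures
# and print the number of ports that were added.
define_icecc_ports() {   # $1 store
    store=$1 ok=0
    while read -r type proto port; do
        label_port "$store" "$type" "$proto" "$port" && ok=$((ok + 1))
    done <<EOF
$ICECC_PORTS
EOF
    echo "$ok"
}

# Check a "semanage port -l" listing (text in $1) for $2 = type, $3 = proto,
# $4 = port; handles comma-separated entries and low-high ranges.
port_labelled() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" -v n="$4" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                k = split($i, r, "-")
                lo = r[1] + 0; hi = (k == 2) ? r[2] + 0 : lo
                if (lo <= n && n <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed listing in the "semanage port -l" layout, not from a live host.
SAMPLE_LISTING="icecc_scheduler_port_t         tcp      8766
icecc_scheduler_port_t         udp      8765
iceccd_port_t                  tcp      10245
lirc_port_t                    tcp      8765
unreserved_port_t              udp      1024-65535"

port_labelled "$SAMPLE_LISTING" icecc_scheduler_port_t udp 8765 && echo "udp/8765 is labelled icecc_scheduler_port_t"
```

Run with `SEMANAGE=` pointing at a logging stub to see that a failure on the first port no longer hides the remaining ports, which is exactly the upgrade case from this bug.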
Description of problem:
1. firewall-cmd --add-service=icecream-scheduler
2. systemctl start icecream-scheduler

```
SELinux is preventing icecc-scheduler from 'name_bind' accesses on the udp_socket port 8765.

***** Plugin bind_ports (99.5 confidence) suggests ************************

If you want to allow icecc-scheduler to bind to network port 8765
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p udp 8765
where PORT_TYPE is one of the following: icecc_scheduler_port_t, lirc_port_t.

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that icecc-scheduler should be allowed name_bind access on the port 8765 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'icecc-scheduler' --raw | audit2allow -M my-iceccscheduler
# semodule -X 300 -i my-iceccscheduler.pp

Additional Information:
Source Context                system_u:system_r:icecc_scheduler_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 8765 [ udp_socket ]
Source                        icecc-scheduler
Source Path                   icecc-scheduler
Port                          8765
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.9-200.fc24.x86_64 #1 SMP Thu Oct 20 14:26:16 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-11-04 10:41:37 CET
Last Seen                     2016-11-04 10:41:37 CET
Local ID                      286b9768-bfcc-40c9-b001-516de8789a0c

Raw Audit Messages
type=AVC msg=audit(1478252497.21:6033): avc: denied { name_bind } for pid=28450 comm="icecc-scheduler" src=8765 scontext=system_u:system_r:icecc_scheduler_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

Hash: icecc-scheduler,icecc_scheduler_t,unreserved_port_t,udp_socket,name_bind
```

Additional info:
reporter: libreport-2.7.2
hashmarkername: setroubleshoot
kernel: 4.7.9-200.fc24.x86_64
type: libreport