Bug 1459941

Summary: Binding and connecting to a DCCP socket raises SELinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.4
CC: fabian.deutsch, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-175.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 704573
Environment:
Last Closed: 2018-04-10 12:32:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Milos Malik 2017-06-08 15:56:01 UTC
+++ This bug was initially created as a clone of Bug #704573 +++

Description of problem:
* dccp_socket class is defined in selinux-policy, but not even unconfined_t is allowed to use DCCP sockets

Version-Release number of selected component (if applicable):
RHEL-7.4
gstreamer-0.10.36-7.el7.x86_64
gstreamer1-1.10.4-2.el7.x86_64
gstreamer1-plugins-bad-free-1.10.4-2.el7.x86_64
gstreamer1-plugins-base-1.10.4-1.el7.x86_64
gstreamer1-plugins-good-1.10.4-2.el7.x86_64
gstreamer-plugins-bad-free-0.10.23-23.el7.x86_64
gstreamer-plugins-base-0.10.36-10.el7.x86_64
gstreamer-plugins-good-0.10.31-13.el7.x86_64
gstreamer-tools-0.10.36-7.el7.x86_64
phonon-backend-gstreamer-4.6.3-3.el7.x86_64
python-pulp-streamer-2.12.2-1.el7sat.noarch
selinux-policy-3.13.1-160.el7.noarch
selinux-policy-devel-3.13.1-160.el7.noarch
selinux-policy-doc-3.13.1-160.el7.noarch
selinux-policy-minimum-3.13.1-160.el7.noarch
selinux-policy-mls-3.13.1-160.el7.noarch
selinux-policy-sandbox-3.13.1-160.el7.noarch
selinux-policy-targeted-3.13.1-160.el7.noarch

Steps to Reproduce:
$ gst-launch videotestsrc ! theoraenc ! dccpserversink
Setting pipeline to PAUSED ...
ERROR: Pipeline doesn't want to pause.
ERROR: from element /GstPipeline:pipeline0/GstDCCPServerSink:dccpserversink0: Could not open resource for reading.
Additional debug info:
gstdccp.c(172): gst_dccp_create_new_socket (): /GstPipeline:pipeline0/GstDCCPServerSink:dccpserversink0:
system error: Permission denied
Setting pipeline to NULL ...
Freeing pipeline ...

$ gst-launch dccpclientsrc ! theoradec ! autovideosink
Setting pipeline to PAUSED ...
ERROR: Pipeline doesn't want to pause.
ERROR: from element /GstPipeline:pipeline0/GstDCCPClientSrc:dccpclientsrc0: Could not open resource for reading.
Additional debug info:
gstdccp.c(172): gst_dccp_create_new_socket (): /GstPipeline:pipeline0/GstDCCPClientSrc:dccpclientsrc0:
system error: Permission denied
Setting pipeline to NULL ...
Freeing pipeline ...

$
Actual results (enforcing mode):
----
type=SYSCALL msg=audit(06/08/2017 17:35:40.578:238) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x0 items=0 ppid=2615 pid=3166 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 17:35:40.578:238) : avc:  denied  { create } for  pid=3166 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----

Expected results:
* no SELinux denials

Comment 1 Milos Malik 2017-06-08 16:02:33 UTC
Actual results (permissive mode):
----
type=SYSCALL msg=audit(06/08/2017 17:59:54.884:355) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x3 a1=0x5 a2=0x0 a3=0x7ffeffc8625c items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 17:59:54.884:355) : avc:  denied  { listen } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=AVC msg=audit(06/08/2017 17:59:54.884:356) : avc:  denied  { accept } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SOCKADDR msg=audit(06/08/2017 17:59:54.879:354) : saddr={ fam=inet laddr=0.0.0.0 lport=5001 } 
type=SYSCALL msg=audit(06/08/2017 17:59:54.879:354) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffeffc86260 a2=0x10 a3=0x7ffeffc86274 items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 17:59:54.879:354) : avc:  denied  { bind } for  pid=5345 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.016:373) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DCCP a2=dccp a3=0x0 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.016:373) : avc:  denied  { create } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.022:374) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x5 a1=SOL_DCCP a2=0xc a3=0x7ffcae0e2420 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.022:374) : avc:  denied  { getopt } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.026:375) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x5 a1=SOL_DCCP a2=0xd a3=0x7ffcae0e240c items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.026:375) : avc:  denied  { setopt } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SOCKADDR msg=audit(06/08/2017 18:00:13.026:376) : saddr={ fam=inet laddr=127.0.0.1 lport=5001 } 
type=SYSCALL msg=audit(06/08/2017 18:00:13.026:376) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffcae0e2410 a2=0x10 a3=0x7ffcae0e240c items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=gst-launch-0.10 exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.026:376) : avc:  denied  { connect } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:378) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=TIOCINQ a2=0x7fbb05bd3afc a3=0x0 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=dccpclientsrc0: exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.035:378) : avc:  denied  { getattr } for  pid=5468 comm=dccpclientsrc0: path=socket:[69680] dev="sockfs" ino=69680 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:377) : arch=x86_64 syscall=sendmsg success=yes exit=2613 a0=0x4 a1=0x7f54f3ffee90 a2=0x0 a3=0x7f54f3fff9d0 items=0 ppid=2615 pid=5345 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts0 ses=1 comm=videotestsrc0:s exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.035:377) : avc:  denied  { write } for  pid=5345 comm=videotestsrc0:s laddr=127.0.0.1 lport=5001 faddr=127.0.0.1 fport=58168 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
type=SYSCALL msg=audit(06/08/2017 18:00:13.035:379) : arch=x86_64 syscall=recvmsg success=yes exit=2613 a0=0x5 a1=0x7fbb05bd3b10 a2=0x0 a3=0x59 items=0 ppid=5360 pid=5468 auid=unconfined-user uid=unconfined-user gid=unconfined-user euid=unconfined-user suid=unconfined-user fsuid=unconfined-user egid=unconfined-user sgid=unconfined-user fsgid=unconfined-user tty=pts2 ses=1 comm=dccpclientsrc0: exe=/usr/bin/gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/08/2017 18:00:13.035:379) : avc:  denied  { read } for  pid=5468 comm=dccpclientsrc0: laddr=127.0.0.1 lport=58168 faddr=127.0.0.1 fport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----

Comment 2 Milos Malik 2017-06-12 07:34:01 UTC
# cat example.c
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netinet/in.h>

/* Minimal reproducer: creating the DCCP socket is enough to hit the
 * dccp_socket { create } denial; no bind or connect is needed. */
int main(void) {
  int sockfd;

  if ((sockfd = socket(AF_INET, SOCK_DCCP, IPPROTO_DCCP)) < 0) {
    perror("socket");
    exit(1);
  }
  close(sockfd);
  return 0;
}

# gcc -o example example.c
# ./example
socket: Permission denied
# ausearch -m avc -i
----
type=PROCTITLE msg=audit(06/12/2017 03:31:10.925:317) : proctitle=./example 
type=SYSCALL msg=audit(06/12/2017 03:31:10.925:317) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x7ffed4125da0 items=0 ppid=10432 pid=25206 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=example exe=/root/example subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/12/2017 03:31:10.925:317) : avc:  denied  { create } for  pid=25206 comm=example scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket 
----
# sesearch -c dccp_socket -A -C -D
Found 8 semantic av rules:
   allow corenet_unconfined_type node_type : dccp_socket node_bind ; 
   allow netlabel_peer_type netlabel_peer_t : dccp_socket recvfrom ; 
   allow domain unconfined_domain_type : dccp_socket recvfrom ; 
   allow domain netlabel_peer_t : dccp_socket recvfrom ; 
   allow corenet_unlabeled_type unlabeled_t : dccp_socket recvfrom ; 
   allow corenet_unconfined_type port_type : dccp_socket { recv_msg send_msg name_bind name_connect } ; 
   allow unconfined_domain_type netlabel_peer_t : dccp_socket recvfrom ; 
   allow unconfined_domain_type domain : dccp_socket recvfrom ; 

#
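
The AVC records from the description and from comment 1, turned into the allow statement they would require. This is an added example, not part of the bug report or of selinux-policy: the sample audit text below is constructed from the records this report prints, and the rule the script renders is the same kind of output audit2allow derives from a live audit log.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials this report lists (both the enforcing-mode
# run and the permissive-mode run), with one SYSCALL record left in to show that
# non-AVC records are skipped. Contexts are copied from the report verbatim.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(06/08/2017 17:35:40.578:238) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_DCCP a2=dccp a3=0x0 items=0 pid=3166 comm=gst-launch-0.10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/08/2017 17:35:40.578:238) : avc:  denied  { create } for  pid=3166 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 17:59:54.884:355) : avc:  denied  { listen } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 17:59:54.884:356) : avc:  denied  { accept } for  pid=5345 comm=gst-launch-0.10 lport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 17:59:54.879:354) : avc:  denied  { bind } for  pid=5345 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.016:373) : avc:  denied  { create } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.022:374) : avc:  denied  { getopt } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.026:375) : avc:  denied  { setopt } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.026:376) : avc:  denied  { connect } for  pid=5468 comm=gst-launch-0.10 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.035:378) : avc:  denied  { getattr } for  pid=5468 comm=dccpclientsrc0: path=socket:[69680] dev="sockfs" ino=69680 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.035:377) : avc:  denied  { write } for  pid=5345 comm=videotestsrc0:s laddr=127.0.0.1 lport=5001 faddr=127.0.0.1 fport=58168 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
type=AVC msg=audit(06/08/2017 18:00:13.035:379) : avc:  denied  { read } for  pid=5468 comm=dccpclientsrc0: laddr=127.0.0.1 lport=58168 faddr=127.0.0.1 fport=5001 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dccp_socket
"""

# One AVC record: the permission set in braces, free-form detail (pid, comm,
# ports, path ...), then the source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<detail>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r"\bcomm=(\S+)")


def parse_avc(text):
    """Return one dict per AVC denial; SYSCALL, SOCKADDR and PROCTITLE records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(m.group("detail"))
        records.append({
            "perms": m.group("perms").split(),   # a record may carry several perms
            "comm": comm.group(1) if comm else None,
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
        })
    return records


def type_of(context):
    """user:role:type:range -> type, the field TE allow rules are written against."""
    return context.split(":")[2]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        needed[key].update(r["perms"])
    return {k: sorted(v) for k, v in needed.items()}


def allow_rules(records):
    """Render each group as the allow statement a local policy module would need.
    When source and target type coincide, policy spells the target 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(records).items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    print(f"{len(recs)} AVC denials from comm values {sorted({r['comm'] for r in recs})}")
    for rule in allow_rules(recs):
        print(rule)
```

Compare the printed rule with the sesearch output in comment 2: none of the eight rules listed there grants unconfined_t any permission on self:dccp_socket, which is why even an unconfined root shell fails at the socket(2) call before bind or connect are reached.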

Comment 7 errata-xmlrpc 2018-04-10 12:32:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763